Bugtraq mailing list archives

Re: 3Com cable modems / Mediaone


From: breu () CFU NET (Joseph W. Breu)
Date: Mon, 29 Nov 1999 14:28:34 -0600


On Sat, 27 Nov 1999, Signal 11 wrote:

> and it took some digging to uncover this "feature".  The cable-modem
> can also be reprogrammed via a serial port in back,
> although my attempts to access it have proven futile.

The serial port is 8N1 w/ baud rate of 38400.  Try a null or straight
serial connection.  I cannot remember which one is which.  The 3Com CMX
has a read only serial console.  Modems like the ubr900 series (904 and
924) contain read/write consoles (but passwords may be set).  If you
purchase the modem from a vendor (not your ISP), then there are not any
passwords.  If you get it from your ISP (and they are worth their salt),
it will come with a password on it.  Our modems are included in the
monthly charge, so we still own them and protect them with passwords.

> I am also very curious to find out how to telnet into this thing,
> as there are references to it being "password protected"
> to prevent intruders.  Somehow I rather doubt mine was

These modems do not have the ability to be telnet'd to.  If you try, it
returns a "protocol not accepted" error.

The update is accomplished via the CMTS configuration file.  There is a
field in the config file for an "Update Available" that includes the
filename and tftp server of the update.  So, if you can fake out a modem
with a rogue DHCP server and provide your own configuration files, then
you might possibly be able to upload rogue code to the modem.

> Can firmware be uploaded by anyone?  How does the modem
> authenticate the head-end system?  Does anyone have any
> information on how to reprogram this modem?

The modem authenticates the headend through the negotiation phase of the
boot process of the modem.  The modem scans the downstream frequency
channel (usually >450 MHz) until it finds a 6 MHz wide QAM (256 or
64) signature.  Encoded within the QAM modulation is the information for
the upstream channels (channel ID, freq, freq width, etc).  The modem then
ranges with the CMTS to configure the power level.  Once the modem is
ranged, it goes through a DHCP/TFTP sequence.  The modem then downloads
its configuration options from a file stored on a TFTP server.

--
        Thanks,
        -Joseph W. Breu

---------------------------------------------------------------------
Joseph W. Breu       Linux/UNIX Administrator / Cedar Falls Utilities
phone: (319) 268-5228        Utility Parkway, Cedar Falls, Iowa 50613
pager: (319) 235-4209  NIC: jwb96   breu () cfu net   breu.pager () cfu net
--------------- Where do you want to go tomorrow? -------------------
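
Added example, not part of the original post: the message notes that the modem takes its configuration file (and any firmware update pointer) from whatever DHCP/TFTP servers answer it, so an operator can watch DHCP replies on the provisioning network and flag any that name an unexpected server. The allowlisted addresses, function names and the constructed packet builder below are assumptions for illustration.

```python
import socket
import struct
MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie (RFC 2131)
ALLOWED_DHCP = {"10.0.0.2"}      # assumed provisioning DHCP server
ALLOWED_TFTP = {"10.0.0.3"}      # assumed provisioning TFTP server

def parse_dhcp(pkt):
    """Return server-side fields of a BOOTP/DHCP message, or None if malformed."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        return None
    info = {"op": pkt[0], "siaddr": socket.inet_ntoa(pkt[20:24]),
            "file": pkt[108:236].split(b"\x00", 1)[0].decode("ascii", "replace"),
            "msg_type": None, "server_id": None}
    i = 240
    while i < len(pkt) and pkt[i] != 255:        # 255 = end option
        if pkt[i] == 0:                          # pad option has no length byte
            i += 1
            continue
        if i + 2 > len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            return None                          # option runs past the packet
        code, length = pkt[i], pkt[i + 1]
        val = pkt[i + 2:i + 2 + length]
        if code == 53 and length == 1:           # DHCP message type
            info["msg_type"] = val[0]
        elif code == 54 and length == 4:         # server identifier
            info["server_id"] = socket.inet_ntoa(val)
        i += 2 + length
    return info

def check_reply(pkt):
    """List findings for one DHCP reply; an empty list means it looks expected."""
    info = parse_dhcp(pkt)
    if info is None:
        return ["malformed"]
    if info["op"] != 2 or info["msg_type"] not in (2, 5):   # only OFFER / ACK
        return []
    findings = []
    if info["server_id"] not in ALLOWED_DHCP:
        findings.append("unexpected DHCP server %s" % info["server_id"])
    if info["siaddr"] not in ALLOWED_TFTP:
        findings.append("unexpected TFTP server %s (file %r)" % (info["siaddr"], info["file"]))
    return findings

def build_reply(server_id, siaddr, bootfile):
    """Build a constructed DHCPOFFER for the demo (not captured traffic)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), socket.inet_aton("10.1.0.50"), socket.inet_aton(siaddr),
                      bytes(4), bytes(16), b"", bootfile.encode("ascii"))
    return hdr + MAGIC + bytes([53, 1, 2, 54, 4]) + socket.inet_aton(server_id) + b"\xff"
```

Feed `check_reply` the UDP payload of each packet seen from port 67; a non-empty result is worth an alert.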


