Security Vulnerability in Motorola CableRouters

Reported May 10, 1998 by January (january@SPY.NET) on BugTraq (BUGTRAQ@NETSPACE.ORG)

Systems Affected

Any User of Motorola Cable Modems

Situation:

A security hole has been identified in Motorola CableRouters that allows administrative access.

Motorola produces cable devices that cable companies use to provide internet access to subscribers. The customer equipment is a CableModem, a white box with a cable line in one side and an ethernet line out the other. The equipment used in the cable company's facility (headend) is called a CableRouter. It is used to connect the subscribers from the hybrid fiber coax (HFC) cable plant to the Internet via a fast ethernet, FDDI, or ATM network. It is possible to configure the CableRouter via Telnet/FTP and via SNMP.

Problem:

Under normal use, the CableRouter can be configured via Telnet/FTP from a list of three trusted hosts, or Telnet/FTP may be altogether disabled when it is deemed unnecessary (the cable company is doing out-of-band management on another interface, for example). However, a serious vulnerability has been identified that will allow ANY host to connect, regardless of whether Telnet/FTP is disabled or not.

This vulnerability exists in all known releases of the CableRouter's software. The CableRouter leaves an open telnet port at port 1024. This port is always open, and does not obey any access list of trusted IPs. Furthermore, the CableRouter performs absolutely NO logging of connections -- you can connect and never be seen.

If you are a CableModem subscriber, you cannot directly connect to the CableRouter you are connected to. But you can from the outside world. For example:

$ telnet xxx.xxx.xxx.xxx 23 (try connecting on the normal telnet port)
Trying xxx.xxx.xxx.xxx...
telnet: Unable to connect to remote host: Connection refused
$ telnet xxx.xxx.xxx.xxx 1024 (try connecting to the vulnerable port)
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
(press enter)
Login:
Password:
Invalid name.

On Motorola CableRouters, the default login is "cablecom" (without the quotes) and the default password is "router". Many cable companies never change this, assuming that only the trusted IPs can connect.

Furthermore, Motorola has announced that there is a memory leak in the telnet process of their CableRouter. If you telnet to it enough, the router will eventually run out of memory and crash.

Fix:

There is no known fix for this other than to filter port 1024 on the core/border router connected to the CableRouter. To compound the problem, Motorola is quite aware of this vulnerability but does not inform their customers, believing that it is too sensitive. Their official statement to customers has been that there are no undocumented issues in the latest release of their software. So many cable companies have vulnerable systems supporting thousands of subscribers... And they don't even know it.
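Because the CableRouter itself logs nothing, the only place an operator can see connections to port 1024 (or Telnet/FTP from hosts outside the three-host trusted list) is the core/border router in front of it. The following is an added example, not part of the original advisory: it audits constructed flow records in an assumed "src dst proto dport" format; the CableRouter address and trusted-host addresses are placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholders: the CableRouter's management address and the
# three trusted hosts the operator configured for Telnet/FTP access.
CABLEROUTER = ipaddress.ip_address("192.0.2.10")
TRUSTED_HOSTS = {ipaddress.ip_address(h)
                 for h in ("198.51.100.5", "198.51.100.6", "198.51.100.7")}
MANAGEMENT_PORTS = {21: "ftp", 23: "telnet"}   # the documented, access-listed services
UNDOCUMENTED_TELNET_PORT = 1024                 # the always-open port from the advisory

@dataclass
class Alert:
    src: str
    dport: int
    reason: str

def parse_flow(line):
    """Parse one assumed flow record: '<src_ip> <dst_ip> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport)

def audit_flows(lines):
    """Flag TCP flows to the CableRouter that bypass or violate its trusted-host list."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = parse_flow(line)
        if dst != CABLEROUTER or proto != "tcp":
            continue
        if dport == UNDOCUMENTED_TELNET_PORT:
            # Port 1024 ignores the trusted-host list entirely, so any source is suspect.
            alerts.append(Alert(str(src), dport, "undocumented telnet port 1024 (not access-listed, not logged by device)"))
        elif dport in MANAGEMENT_PORTS and src not in TRUSTED_HOSTS:
            alerts.append(Alert(str(src), dport, f"{MANAGEMENT_PORTS[dport]} from host outside trusted list"))
    return alerts

# Constructed sample flow records (src dst proto dport), not real traffic.
SAMPLE_FLOWS = """
198.51.100.5 192.0.2.10 tcp 23
203.0.113.77 192.0.2.10 tcp 1024
203.0.113.77 192.0.2.10 tcp 23
198.51.100.6 192.0.2.10 tcp 21
203.0.113.9 192.0.2.10 udp 161
""".strip().splitlines()

if __name__ == "__main__":
    for a in audit_flows(SAMPLE_FLOWS):
        print(f"{a.src} -> tcp/{a.dport}: {a.reason}")
```

Once the border filter on port 1024 is in place, the same audit should show only the "outside trusted list" class of alert; any remaining port 1024 flow means the filter is not being applied on that path.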


Credit:
Reported by January (january@SPY.NET)
Posted here at NTSecurity.Net