Motorola Cablerouter hole

Summary
Description: Motorola CableRouters listen on port 1024 regardless of IP access restrictions, for some reason. This hole, in combination with the default login cablecom / password router, can lead to easy unauthorized access.
Author: January <january@SPY.NET>
Compromise: unauthorized administrator access
Vulnerable Systems: Motorola CableRouters, especially those where the admin left the default passwords in place (always a horrible idea).
Date: 10 May 1998
Notes: Cablemodem users must connect from the Internet interface, not from the interface on their side of the router. Also, Motorola wrote me to say this has been fixed. They claim that all customers have upgraded to newer software.
Details


Date: Sun, 10 May 1998 08:43:50 -0500
From: January <january@SPY.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Security Vulnerability in Motorola CableRouters

A security hole has been identified in Motorola CableRouters that allows
administrative access.

Motorola produces cable devices that cable companies use to provide
internet access to subscribers. The customer equipment is a CableModem, a
white box with a cable line in one side and an ethernet line out the
other. The equipment used in the cable company's facility (headend) is
called a CableRouter. It is used to connect the subscribers from the
hybrid fiber coax (HFC) cable plant to the Internet via a fast ethernet,
FDDI, or ATM network. It is possible to configure the CableRouter via
Telnet/FTP and via SNMP.

Under normal use, the CableRouter can be configured via Telnet/FTP from a
list of three "trusted" hosts, or Telnet/FTP may be altogether disabled
when it is deemed unnecessary (the cable company is doing out-of-band
management on another interface, for example). However, a serious
vulnerability has been identified that will allow ANY host to connect,
regardless of whether Telnet/FTP is disabled or not.

This vulnerability exists in all known releases of the CableRouter's
software. The CableRouter leaves an open telnet port at port 1024. This
port is always open, and does not obey any access list of "trusted IPs."
Furthermore, the CableRouter performs absolutely NO logging of connections
-- you can connect and never be seen.

If you are a CableModem subscriber, you cannot directly connect to the
CableRouter you are connected to. But you can from the outside world. For
example:

$ telnet xxx.xxx.xxx.xxx 23 (try connecting on the normal telnet port)
Trying xxx.xxx.xxx.xxx...
telnet: Unable to connect to remote host: Connection refused
$ telnet xxx.xxx.xxx.xxx 1024 (try connecting to the vulnerable port)
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^['.
(press enter)
Login:
Password:
Invalid name.

On Motorola CableRouters, the default login is 'cablecom' (without the
quotes) and the default password is 'router'. Many cable companies never
change this, assuming that only the trusted IPs can connect.

Furthermore, Motorola has announced that there is a memory leak in the
telnet process of their CableRouter. If you telnet to it enough, the
router will eventually run out of memory and crash.

There is no known fix for this other than to filter port 1024 on the
core/border router connected to the CableRouter. To compound the problem,
Motorola is quite aware of this vulnerability but does not inform their
customers, believing that it is "too" sensitive. Their official statement
to customers has been that there are no undocumented issues in the latest
release of their software. So many cable companies have vulnerable
systems supporting thousands of subscribers... And they don't even know
it.
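An added audit check, not part of the original advisory or of any Motorola software, for the behaviour the post describes: run from a host that is NOT in the router's trusted-host list, probe both the documented telnet port and the undocumented port 1024, and flag any port that still answers with a login prompt, since that is exactly the access-list bypass described above. The fake_cablerouter helper is a constructed local stand-in so the check can be exercised offline; the host, the port list and the "Login:" prompt text are the only assumptions.

```python
import socket
import threading

LOGIN_PROMPT = b"Login:"  # the prompt the advisory shows on the undocumented port 1024

def probe_port(host, port, timeout=3.0):
    """Classify host:port as 'refused' (closed or filtered), 'login_prompt'
    (a telnet login prompt answered) or 'open' (connected, no prompt seen)."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "refused"
    data = b""
    with s:
        s.sendall(b"\r\n")  # the advisory's "(press enter)"
        try:
            while LOGIN_PROMPT not in data and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return "login_prompt" if LOGIN_PROMPT in data else "open"

def audit_management_ports(host, ports=(23, 1024), timeout=3.0):
    """Probe the documented (23) and undocumented (1024) management ports.
    Run from an address NOT in the router's trusted-host list: every port
    that still answers with a login prompt is bypassing that list."""
    results = {p: probe_port(host, p, timeout) for p in ports}
    exposed = sorted(p for p, r in results.items() if r == "login_prompt")
    return {"host": host, "results": results, "exposed_ports": exposed}

def fake_cablerouter(bind="127.0.0.1"):
    """Constructed stand-in for the vulnerable behaviour (not a real device):
    accepts any client on an ephemeral port and answers with a Login: prompt."""
    srv = socket.socket()
    srv.bind((bind, 0))
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                with conn:
                    conn.recv(64)
                    conn.sendall(b"\r\nLogin: ")
            except OSError:
                return
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

A port reported as "login_prompt" from an untrusted address is the finding to act on; the advisory's own mitigation is to filter that port on the core/border router in front of the CableRouter.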

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap.