 bats1
join:2002-09-26 The Colony, TX
| SB4200 Denial of Service
This is a copy of an advisory I sent to AT&T, Motorola, and Bugtraq over 2 weeks ago. Since many of you use vulnerable cablemodems, I figure you may be interested in this information. The problem seems to lie in the TCP/IP stack. It cannot handle many SYN/ACK packets in rapid succession, which is another reason it will lock up when using some p2p applications. As if AT&T's current latency problems aren't enough.
It may be worth noting that if you are vulnerable, anyone on the internet can crash your modem, and therefore your internet connection.
## Original Post
I've found it trivial to crash the Motorola Surfboard 4200 Cable modem, as installed default by AT&T Broadband Internet.
The modem acts as a bridge, but also has an internal RFC1918 IP address (192.168.100.1). Simply nmap'ing the cable user's IP address, i.e.:
# nmap -sS -p 1-1024 12.x.x.x
will cause it to crash, rendering the ethernet interface useless. It is also possible to crash it from the LAN by simply doing the same scan against the cable modem's internal IP address. The crash is not specific to nmap; there are other publicly available tools which cause the same result. This is known to be effective on Software Version: SB4200-0.4.4.0-SCM06-NOSH. (possibly others?)
The only way to restore network connectivity is to physically unplug the cable modem for a few seconds, then restore power. A better solution would be to buy your own cable modem, and not rent this useless junk from AT&T.
Attempts to notify AT&T about this issue resulted in them wanting to send a technician to my house to check my wiring. Don't even get me started on their tech support...
Ryan [text was edited by author 2002-11-15 00:53:35] |
|
  TweakerInWA Almost Home Premium join:2001-12-11 Liverpool, NY
| Would this be why when I try to connect to a server I lose my internet connection and have to unplug my modem? Happens every time I try to play TFC using this modem they gave me yesterday. I had the 4100 and did not have this issue prior to this. Using my DSL connection, no problems at all. Hmmmmmmm, what should I ask them to do to fix this issue? -- "My speeds have fallen and they won't go up" |
|
 bats1
join:2002-09-26 The Colony, TX
| Quite possibly. You will get nowhere by dealing with AT&T on this issue. I asked them to replace my cable modem with a different brand since they claim they couldn't update the firmware, and they said there is no way to know what model the technician would bring out (he brings whatever he has in his truck). So I spent the $100 and bought a D-Link modem at BestBuy and all has been fine since.
I jumped through hoops on the phone trying to get AT&T and Motorola's staff to understand this problem and how to remedy it, but they refused to listen. All it takes is a simple firmware update, but both companies state they cannot perform such an upgrade. |
|
  djdanska Premium,MVM join:2001-04-21 Glen Ellyn, IL clubs: | reply to bats1 Yes, I have this same issue at least 2 times a day. Uh... Thank god I'm not the only one. -- »www.sonic.net/~raj/disciples/history.html |
|
  djdanska Premium,MVM join:2001-04-21 Glen Ellyn, IL clubs:
| reply to bats1 I know! A simple firmware upgrade! I am in talks with some "friends" on getting me 4.4.2 or newer firmware and to fix it myself. I will let you know if I can. -- »www.sonic.net/~raj/disciples/history.html |
|
 deuzcent
join:2002-11-13 Laramie, WY
| reply to bats1 Sounds like this could be the cause of my random disconnects lately. I've tested this with my SB4200 and it seems to crash my connection to the internet instantly and my connection to the modem (192.168.100.1 at least), however I am still able to ping my gateway and all computers on my subnet... just nothing outside that. Wondering if anyone else has noticed this? I will try this later on my RCA 245r modem to see if it crashes it as well, as it suffers from the exact same symptoms as the Surfboard.
Rudeboy, if you are able to get info on upgrading the firmware manually, is there any way you could pass it on to me? I've had absolutely no luck in getting ATT to update the firmware for me. |
|
  djdanska Premium,MVM join:2001-04-21 Glen Ellyn, IL clubs:
| ATT keeps telling me that they can't. Bull sh*t they can't. Can you post your firmware version? I want to see what you have. It's at »192.168.100.1/mainhelp.html
I have SB4200-0.4.3.3-SCM01-NOSH -- »www.sonic.net/~raj/disciples/history.html |
|
  djdanska Premium,MVM join:2001-04-21 Glen Ellyn, IL clubs:
| Oh and the same firmware that fixes this, is also the same firmware that fixes the uncapping problem. You would think they would make that firmware a priority.....
Do a site search for "sb4200 socket" and you will notice we are not alone. [text was edited by author 2002-11-15 03:09:19] |
|
  Subhuman The
join:2001-12-09 Lakewood, WA clubs:  
| reply to bats1 Sounds like ....... Hmmmm I have had multiple modem replacements over the last 2 years. Went through 3 Sharkfins and 2 RCA's. The 3Com Sharkfins were plagued by a defective power supply, as were the 2 RCA modems. The field tech told me that 3Com was no longer producing the Sharkfins and that AT&Tbi were going to exhaust their supply, installing them to customers until they run out. Remember that the next time a "helpless disservice support person" tells you to powercycle your modem for the millionth time! All the "powercyclings" spell disaster for those modems if they're not already f****d up outta the box. It's true that you're stuck with whatever modem happens to be on the truckroll that day. It's a lottery. Truckroll before last the idiot shows up with 1 modem. ONE MODEM! And guess what, it was defective immediately upon installation. Would not synch at all! In my last case I got left with a RCA DCM 245 which itself has been fine so far (I think) except for the continuous annoyance of christmas tree flashing lights that'll drive you nuts. This idiot showed up with 3 modems, all RCA 235's?, fresh in the box. Well guess what, none of those 3 modems were firmwared initially and all 3 had malfunctioning power supply sockets. What a joke. |
|
  plencnerb Premium join:2000-09-25 Franksville, WI clubs:
| reply to bats1 said by bats1 :
The modem acts as a bridge, but also has an internal RFC1918 IP address (192.168.100.1). Simply nmap'ing the cable user's IP address, i.e.:
# nmap -sS -p 1-1024 12.x.x.x
will cause it to crash, rendering the ethernet interface useless. This is known to be effective on Software Version: SB4200-0.4.4.0-SCM06-NOSH. (possibly others?)
When you say "possibly others?" are you referring to other versions of the Surfboard Cable Modem, or other Cable Modems? The reason I ask is I have a DOXport 111 by Com21, and I was wondering if this could be a problem for me? Now, I have not had the issues that you guys are talking about, but I would like to know if I need to get a different modem, firmware upgrade, etc. -- ======================== --Brian Plencner E-Mail:saursesCancer@attbi.com Note: Kill Cancer to Reply via e-mail |
|
  Blizzard0
join:2000-06-27 Beverly Hills, CA
| reply to bats1 A quick list of other modems known to do this:
toshiba 1100 or any turbo based modem terayon all surfboard 4200 rca 235. I have had the issue with all of the above modems and none are patched as of this post.
All of them have the exploit. On terajet modems it recovers after you disable and reenable your net connection; the rest all have to be rebooted and you have to wait 1 - 5 min before plugging em back in. Great exploit if you have someone scanning your ports. But harsh when you login to the work ftp and the modem crashes because it's just too fast. -- I too was a attbi hater but now with this new service my connection is too slow to complain ... |
|
 bats1
join:2002-09-26 The Colony, TX
| reply to plencnerb said by plencnerb : When you say "possibly others?" are you referring to other versions of the Surfboard Cable Modem, or other Cable Modems? The reason I ask is I have a DOXport 111 by Com21, and I was wondering if this could be a problem for me? Now, I have not had the issues that you guys are talking about, but I would like to know if I need to get a different modem, firmware upgrade, etc.
When I say other versions, I meant other Motorola models and firmware versions. I have received reports of SB3100 being vulnerable as well:
> Software Version: SB3100-3.2.6-SCM-NOSHELL
It is likely that all Firmware below 4.4.0 is vulnerable, however I cannot confirm this. Perhaps users in this forum can post the results of other known vulnerable models. |
|
  stevelee0
join:2002-03-27 Bellevue, WA | SB4200-0.4.3.3-SCM01-NOSH also seems to exhibit the same characteristics. |
|
 Terminator45
join:2002-11-16 East Hartford, CT | Has anybody heard of the sb4220? AT&T lists it on their site. |
|
  sonofjay Mission Accomplished - Bush May 1, 2003 Premium,MVM join:2001-05-14 North Attleboro, MA
| Yet another reason to buy a modem I guess : )
I'd like to test this on my Toshiba 1100. It has never locked up on me in the 2 years I've had it but it may just be a coincidence. However, I cannot remember how to find the IP address of the modem. I know how to get my public IP address but my brain is mush this morning.
How do you find the modem address out again?
Thanks |
|
  Blizzard0
join:2000-06-27 Beverly Hills, CA
| reply to bats1 I use docsis diag to get my modem's info, then plug it in and have a friend from an edu pass on some info to me and watch my net card drop like a rock -- I too was a attbi hater but now with this new service my connection is too slow to complain ... |
|
 ranvette
join:2002-06-26 Hudson, MA | My Software version shows SB4200-0.4.4.0-SCM06-NOSH. It's a new modem |
|
 plat2on1
join:2002-08-21 Hopewell Junction, NY clubs: | reply to bats1 the 4.4.2 firmware fixes it |
|
 bats1
join:2002-09-26 The Colony, TX | We are aware that 4.4.2 fixes it, but you as an end user cannot upgrade the firmware. The cable company must do it. And in this situation, AT&T refuses to do so. |
|
  Qumahlin Never Enough Time Premium,MVM join:2001-10-05 united state
| said by bats1 : We are aware that 4.4.2 fixes it, but you as an end user cannot upgrade the firmware. The cable company must do it. And in this situation, AT&T refuses to do so.
Actually if you have 4.4.0 firmware you can do it... you do it the same as if you are uncapping your connection except when editing your config file change the imageupdate string. If you need the 4.4.2 firmware a few sites have it available. If you want the 0.4.4.2 for the sb4100 or 4200 I believe I have both handy at home.
If you PM me I will send you the firmware when I get a chance... but I will not go through step by step on how to upload it... read one of the many uncapping sites and with a modicum of knowledge you should be able to see which image string I refer to changing when uploading your own cfg.
(And no you won't be uncapping your connection..just use a stock ATT file, change the update string let the firmware update, then reboot. It won't auto downgrade.) |
|
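Added example, not part of any post in this thread: a small Python triage of modem firmware strings (as shown on the modem's help page mentioned above) against what posters reported. The status labels, function names and the sample inventory are assumptions made for illustration; only the three "reported" strings and the 0.4.4.2 fix level come from the thread.

```python
import re

# Firmware strings that posters in this thread reported as affected.
REPORTED_VULNERABLE = {
    "SB4200-0.4.4.0-SCM06-NOSH",
    "SB4200-0.4.3.3-SCM01-NOSH",
    "SB3100-3.2.6-SCM-NOSHELL",
}
# Posters state that 4.4.2 (written 0.4.4.2 for the SB4100/SB4200) fixes it.
REPORTED_FIXED_IN = {"SB4100": (0, 4, 4, 2), "SB4200": (0, 4, 4, 2)}

# <model>-<dotted version>-<build suffix>, e.g. SB4200-0.4.4.0-SCM06-NOSH
FIRMWARE_RE = re.compile(r"^(SB\d{4})-(\d+(?:\.\d+)+)-(\S+)$")


def parse_firmware(text):
    """Return (model, version tuple, build suffix) or None if unrecognised."""
    m = FIRMWARE_RE.match(text.strip())
    if not m:
        return None
    model, version, build = m.groups()
    return model, tuple(int(p) for p in version.split(".")), build


def triage(text):
    """Classify one firmware string using only what the thread reports."""
    parsed = parse_firmware(text)
    if parsed is None:
        return "unparsed"
    model, version, _ = parsed
    if text.strip() in REPORTED_VULNERABLE:
        return "reported-vulnerable"
    fixed = REPORTED_FIXED_IN.get(model)
    if fixed is None:
        return "unknown"            # thread gives no fix level for this model
    if version >= fixed:
        return "reported-fixed"
    return "likely-vulnerable"      # below the fix level; unconfirmed in thread


def summarize(inventory):
    """Group (label, firmware string) pairs by triage status."""
    groups = {}
    for label, firmware in inventory:
        groups.setdefault(triage(firmware), []).append(label)
    return groups


if __name__ == "__main__":
    # Constructed inventory; labels and the last two strings are made up.
    sample = [
        ("modem-a", "SB4200-0.4.4.0-SCM06-NOSH"),
        ("modem-b", "SB3100-3.2.6-SCM-NOSHELL"),
        ("modem-c", "SB4200-0.4.4.2-SCM00-NOSH"),
        ("modem-d", "SB4100-0.4.2.1-SCM00-NOSH"),
    ]
    for status, labels in summarize(sample).items():
        print(status, labels)
```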