I got this from a friend today. I know a lot of you are using MediaOne
Express, and this technique may affect other cablemodem providers, too.
-------------------------------------------------------------------
DDDD David Kramer [EMAIL PROTECTED]
DK KD http://start.at/david.kramer
DKK D The difference between an American and a European is that
DK KD a European thinks that 100 miles is a long distance while
DDDD an American thinks that 100 years is a long time
---------- Forwarded message ----------
I was reading about a possible security hole for Mediaone which I
thought I'd let you know about.
Apparently the cable modems act as bridges: when they are powered
on they listen on the LAN side to discover the first MAC address they
can. From that point on they filter out all traffic to the LAN side
except packets addressed to that MAC address or broadcast packets.
However, let's assume that someone on your segment knows your
MAC address (these are easy to come by - just do ping 24.128.121.255,
which is the broadcast address, and look at your arp cache). Then
an attacker can proceed as follows:
(1) Send an ARP packet to you advertising his card with the gateway
IP 24.128.120.1. Your machine will place it in its ARP cache. As
long as he keeps sending you these packets before the ARP entry
times out, you will never send out a real ARP query for the MAC address.
From that point on you will essentially be routing all your outbound
traffic to him.
(2) Similarly he sends ARP packets to 24.128.120.1 with your IP.
In the same way, the gateway now will redirect all inbound traffic
for you to him.
(3) Then he routes all the inbound traffic for you to you, and you
never know that anything is wrong. He can then run a sniffer to
look at your traffic.
The person who pointed out this vulnerability said that the only way
to make sure that you are not vulnerable to this attack is to hard-code
the MAC address for the gateway and disable ARP. He still can
get your inbound packets by spoofing the router.
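
Added example, not part of the original message: a defensive audit of a saved `arp -an` listing that flags the two symptoms of the redirection described above, a gateway entry that differs from a known-good MAC and one MAC answering for several IPs. Only the gateway IP 24.128.120.1 comes from the message; the MAC addresses, the neighbor 24.128.121.77 and both sample tables are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches `arp -an` lines such as: ? (24.128.120.1) at 00:10:7b:aa:bb:cc [ether] on eth0
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})")

def normalize_mac(mac):
    """Lower-case and zero-pad octets so 0:A0:C9:... equals 00:a0:c9:..."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))

def parse_arp_table(text):
    """Return {ip: mac}; unresolved (<incomplete>) entries do not match and are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table

def audit_arp_table(text, gateway_ip, pinned_gateway_mac):
    """Return (finding, ip(s), mac) tuples; an empty list means nothing suspicious."""
    table = parse_arp_table(text)
    findings = []
    seen = table.get(gateway_ip)
    if seen is not None and seen != normalize_mac(pinned_gateway_mac):
        findings.append(("gateway-mac-mismatch", gateway_ip, seen))
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # one card answering for several addresses
            findings.append(("mac-claims-multiple-ips", ",".join(sorted(ips)), mac))
    return findings

# Constructed sample data: assumed known-good gateway MAC and two cache snapshots.
PINNED_GATEWAY_MAC = "00:10:7b:aa:bb:cc"
CLEAN = """? (24.128.120.1) at 00:10:7b:aa:bb:cc [ether] on eth0
? (24.128.121.77) at 0:a0:c9:11:22:33 [ether] on eth0
? (24.128.121.90) at <incomplete> on eth0"""
POISONED = """? (24.128.120.1) at 00:a0:c9:11:22:33 [ether] on eth0
? (24.128.121.77) at 0:a0:c9:11:22:33 [ether] on eth0"""

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("poisoned", POISONED)):
        print(name, audit_arp_table(sample, "24.128.120.1", PINNED_GATEWAY_MAC))
```

The second finding only appears when the other host's real address is also in the cache, so the pinned-MAC comparison is the check to rely on.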