Hello. This is the introduction to a large-scale RoadRunner Cable-Router exploit on the Ambit U10C019 CableModem. Basically, the default Cable Router that RoadRunner/TimeWarner gives to its customers by default: 1) Allows for remote login with user: admin, password: cableroot. 2) Allows remote access by default. (port 64623 for telnet, port 64680 for webui) Devices affected: Ambit U10C019 CableModem Boot code revision : 2.1.6d Hardware revision : 4.10 Software revision : 5.66.1026 Software build time : Feb 26 2009 12:53:26 Example for scanning the RoadRunner IP ranges: nmap -PN -T5 --open -p64623 -n -P0 --max-retries 0 --host-timeout 5s -iL rr.lst >> nmap.log; cat nmap.log | grep -B 3 open > open.log Torrent of files related to this disclosure at https://thepiratebay.org/torrent/5753559/ Contained in this archive contains: rr.lst - list of RoadRunner CIDR blocks. open-cleaned.txt - my initial scan of the ranges to see a rough estimate of number of affected devices. readme.txt - this file.. (You can also DDL it at http://harry.lu/files/torrents/rr-ambit-fd.tar.gz; I prfer you use the torrent option to save my bandwidth). This hole appears to have been patched with a firmware update: $ telnet device.ip 64623 Trying device.ip... Connected to device.ip. Escape character is '^]'. Connection closed by foreign host. $ curl -vvv 24.172.42.225:64680 * About to connect() to device.ip port 64680 (#0) * Trying device.ip... connected * Connected to device.ip (device.ip) port 64680 (#0) > GET / HTTP/1.1 > User-Agent: curl/7.21.0 (x86_64-unknown-linux-gnu) libcurl/7.21.0 OpenSSL/1.0.0a zlib/1.2.5 > Host: device.ip:64680 > Accept: */* > * Empty reply from server * Connection #0 to host device.ip left intact curl: (52) Empty reply from server * Closing connection #0 I use the phrase "appears", as I am unsure. Michael O'Donnel at Road Runner, who is the Chief of Security (if I recall correctly), said he would work on it. Later, I did not receive much more contact after the *8 weeks of time* after I contacted them. Recent attempts to contact Michael via leaving a voicemail got no reply. (Maybe I shouldn't have been so polite in my disclosure to them, if they don't even bother to contact me when it's fixed?) Keep safe. -- Harry Strongburg _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/