DoS in Flowpoint 2000 DSL routers

From: Jason Ackley (jasonat_private)
Date: Tue Aug 11 1998 - 20:35:20 PDT


    Hello,
    
    Quick Overview:
    
    There exists a DoS in Flowpoint's (A)DSL 2000 router ('fp2k')
    running software rev 1.2.3 (anyone have other revs to test?)
    
    Lil Backgrounder:
    
    Flowpoint builds the routers and distributes them through various OEMs and
    VARs, one that I know of is Diamond Lane Communications, so if you have a
    DSL router it's best to take a peek at it real quick(tm). Basically it's not
    much bigger than a modem, has six blinky lights on the front.
    
    
    Vendor Status:
    
    I informed Flowpoint of this problem on Fri May 29, Flowpoint responded on
    Mon Jun 1 with a fix and an apology for not responding to me sooner! Quick
    Service!
    
    Gory Details:
    
    Like most routers the fp2k will allow you to telnet into it for
    monitoring / testing / admin functions. One problem exists in that the
    fp2k does not allow you to (as of firmware 1.4.1) configure a telnet
    password, only a system password (sort of like 'enable') to change things.
    
    It also allows you to change the telnet port that it listens on, but that
    seems a little too much 'security through obscurity' for me.
    
    Once you telnet into the fp2k you are presented with something like:
    
    FlowPoint/2000 ADSL Router v1.2.3 Ready
    >
    
    Once you 'are in', you can do a few basic things. In order to edit
    things, you can use the 'login' command followed by the password, such as:
    
    > login foobar
    Logged in successfully!
    #
    
    The problem happens when you do something like:
    
    >login <a lot of crap here, several kilobytes worth or so>
    
    At this point, you will not get the prompt back (if you did it right :) ),
    and on the serial console, you may get something like:
    
    TCP: trim 13 bytes from the front!
    
    With the 13 ranging from 1 to as high as 976 in my few tests..
    
    There are obviously some problems in the way it handles its buffers..
    
    The mem command reports 99% of the small buffers in use:
    
    >mem
    Small buffers used....... 254 (99% of 256 used)
    Large buffers used.......  52 (20% of 256 used)
    
    If you close the telnet connection and try again, you may get something
    like this on the console:
    
    NOTIFIER: no mem: TCP: lvl=9: c=0: sc=0: e=0 another incoming connection
    ignored for now
    
    SNMP read attempts will get the first few OID objects, then start errors
    on the serial port of:
    SNMPD: TX: err: allocate packet buffer!
    SNMPD: TX: err: allocate packet buffer!
    
    At this point, serial communications get interrupted (it must be waiting
    on a small buffer to get freed up). As typing commands will not do
    anything, you have to type them a few times (and hopefully get the buffer
    before something else does).
    
    A ps reveals that my old telnet is still active:
    
    > TID:          NAME               FL P BOTTOM CURRENT SIZE
      1:IDLE                         02 7 12f9f0  130100 2032
     18:TN [170.1.68.2:4658]         03 6 130220  131070 4080
      3:MSFS_SYNC                    03 6 1314a0  131ba0 2032
      4:SYSTEM LOGGER                03 5 131cd0  1323d0 2032
      5:LL_PPP                       03 5 135620  135d20 2032
      6:NL_IP                        03 5 135f10  136208 1000
      7:TL_IP_UDP                    03 3 136390  136690 1000
      8:TL_IP_TCP                    03 3 1367f0  136ef8 2032
      9:IP_RIP                       03 4 137050  137348 1000
     10:TELNETD                      03 5 137480  137760 1000
     11:BOOTP                        03 5 13a590  13a878 1000
     12:DUM                          03 5 13ad10  13b410 2032
     13:ADSL                         03 1 13b560  13bc28 2032
     14:SNMPD                        03 5 133b40  134a48 4080
     15:CMD                          01 6 13c0c0  13cf10 4080
    >
    
    I then started some heavy internet traffic, an ftp session and surfing
    the web a bit. After which the serial port becomes frozen, but it
    still displays the NOTIFIER message and SNMPD error messages when you try
    to do something. I did not do too many bandwidth tests as I was in the
    mood to get it fixed more than anything else..
    
    After a power cycle, the box is back to itself again.
    
    Fix: If your box becomes like this, you can powercycle it and it is back
         to normal. As I mentioned, Flowpoint provided a fix the next
         business day, so you should upgrade your firmware, v1.4.1 is the
         'fixed' version they gave me, v1.4.3 is the latest AFAIK. Contact
         Flowpoint or the OEM label that yours has stamped on it for more
         information regarding upgrading firmware.
    
    
    Scripts for the kids? Nope. Roll your own.
    
    
    Sorta reminds me of the Cisco 760 problem a while back.
    
    cheers,
    
    -----
    Jason "jBot" Ackley
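A defender-side companion to the post above, added here and not part of Jason's message: it scans a captured fp2k serial console / 'mem' / 'ps' transcript for the exact buffer-exhaustion indicators the post quotes (TCP trim, NOTIFIER no mem, SNMPD allocation errors, small-buffer usage, lingering TN tasks) and says whether the box is in the wedged state. The message formats are assumed to match the post verbatim, and the 90% alert threshold is my own choice; the sample transcript is constructed from the post's excerpts.

```python
import re

# Serial-console messages and command output quoted in the advisory, as patterns.
# Message formats are assumed to match the post verbatim.
TCP_TRIM = re.compile(r"^TCP: trim (\d+) bytes from the front!")
NO_MEM = re.compile(r"^NOTIFIER: no mem: TCP:")
SNMP_ALLOC = re.compile(r"^SNMPD: TX: err: allocate packet buffer!")
SMALL_BUFFERS = re.compile(r"^\s*Small buffers used\.+\s*(\d+)\s*\((\d+)% of (\d+) used\)")
TELNET_TASK = re.compile(r"^\s*\d+:TN \[([\d.]+:\d+)\]")  # 'ps' entry for a telnet session

SMALL_BUFFER_ALERT_PCT = 90  # assumed threshold; the post shows 99% when wedged


def analyze_console(lines):
    """Summarise buffer-exhaustion indicators found in fp2k console/'mem'/'ps' output."""
    report = {"tcp_trim_bytes": [], "no_mem_events": 0, "snmp_alloc_errors": 0,
              "small_buffer_pct": None, "telnet_sessions": [], "exhausted": False}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if m := TCP_TRIM.match(line):
            report["tcp_trim_bytes"].append(int(m.group(1)))   # trimmed byte counts (1..976 seen)
        elif NO_MEM.match(line):
            report["no_mem_events"] += 1                        # incoming connection refused
        elif SNMP_ALLOC.match(line):
            report["snmp_alloc_errors"] += 1                    # SNMP agent starved of buffers
        elif m := SMALL_BUFFERS.match(line):
            report["small_buffer_pct"] = int(m.group(2))        # percent of the small pool in use
        elif m := TELNET_TASK.match(line):
            report["telnet_sessions"].append(m.group(1))        # peer addr of a live TN task
    # A refused connection, an SNMP allocation failure, or a nearly full small
    # pool all mean the router is in the wedged state described in the post.
    pct = report["small_buffer_pct"]
    report["exhausted"] = bool(report["no_mem_events"] or report["snmp_alloc_errors"]
                               or (pct is not None and pct >= SMALL_BUFFER_ALERT_PCT))
    return report


# Constructed sample: console lines taken from the post, run together as one capture.
SAMPLE_CONSOLE = """\
FlowPoint/2000 ADSL Router v1.2.3 Ready
TCP: trim 13 bytes from the front!
TCP: trim 976 bytes from the front!
 Small buffers used....... 254 (99% of 256 used)
 Large buffers used.......  52 (20% of 256 used)
NOTIFIER: no mem: TCP: lvl=9: c=0: sc=0: e=0 another incoming connection ignored for now
SNMPD: TX: err: allocate packet buffer!
SNMPD: TX: err: allocate packet buffer!
 18:TN [170.1.68.2:4658]         03 6 130220  131070 4080
 10:TELNETD                      03 5 137480  137760 1000
"""
```

Call analyze_console(SAMPLE_CONSOLE.splitlines()) to see the report for the sample; on a live box, feed it the serial console capture or the output of the mem and ps commands. A TN task listed while nobody is logged in is the stale session the post's ps output shows.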
    


