[rootshell] Security Bulletin #23

From: Aleph One (aleph1at_private)
Date: Mon Sep 14 1998 - 14:17:27 PDT


    ---------- Forwarded message ----------
    Date: 14 Sep 1998 21:03:31 -0000
    From: announce-outgoingat_private
    Cc: recipient list not shown:  ;
    Subject: [rootshell] Security Bulletin #23
    
    
    www.rootshell.com
    Security Bulletin #23
    September 14th, 1998
    
    [ http://www.rootshell.com/ ]
    
    ----------------------------------------------------------------------
    
    To unsubscribe from this mailing list send e-mail to majordomoat_private
    with "unsubscribe announce" in the BODY of the message.
    
    Send submissions to infoat_private  Messages sent will not be forwarded to
    other members of this list unless they are featured in a security bulletin.
    
    An archive of this list is available at :
    http://www.rootshell.com/mailinglist-archive
    
    ----------------------------------------------------------------------
    
    01. Osicom Technologies ROUTERmate Security Advisory
    ----------------------------------------------------
    
    Osicom Technologies (http://www.osicom.com) makes remote access router
    products for 56K-T1 users.  While evaluating these products, Rootshell came
    across several flaws in the routers' TCP/IP stack and default SNMP
    configuration that allow a remote user to crash the ROUTERmate products or to
    reconfigure them.
    
    Products affected
    -----------------
    
    * ROUTERmate Plus T1
    * ROUTERmate Plus 56K
    * ROUTERmate-EX MULTI-PROTOCOL EXECUTIVE ROUTER
    * ROUTERmate Plus - D&I INTEGRATED ROUTER AND T-1 DROP & INSERT CSU
    
    List of problems
    ----------------
    
    * The TCP/IP stack handles SYN packets incorrectly and allows a remote user
    to crash the unit in two ways.  In each case the router reboots and then
    functions normally unless hit with the attack again.
    
      1) If a user port scans the router with any readily available port scanner,
      the unit crashes.
    
      2) If the router is hit with a flood of SYN packets, the router crashes.
      Code to generate SYN packets can be found on the Rootshell website as
      "synk4.c" and "SYNpacket.tgz".
    
    * The TCP/IP stack can be crashed by exploiting the "off by one" bug in IP
    fragment reassembly that recently affected Linux and Windows users.  This
    attack is commonly known as "nestea.c" and can be found on Rootshell.  The
    ROUTERmate will also crash under the similar fragment-overlap attacks "bonk.c"
    and "newtear.c".  After these attacks the router reboots and then functions
    normally unless hit with the attack again.
    
    * The TCP/IP stack can be made to freeze completely, requiring a reboot by
    the end user via the serial port console or by bouncing the unit's power
    source.  "pmcrash.c", available on Rootshell, crashes Livingston PortMasters
    prior to ComOS 3.3.1 (Livingston fixed this problem well over a year ago).
    The same problem is now present in the ROUTERmate product; however, the unit
    will not reboot on its own.  On a local network we were able to crash the
    ROUTERmate after running pmcrash for just a few seconds.  pmcrash.c simply
    sends large amounts of fragmented ICMP traffic at the router.
    
    * The default SNMP configuration allows any remote user to change the
    configuration of leased lines, place circuits in loopback, and reboot the
    router.  The ROUTERmate product ships with a default write community of
    "private".  Using commonly available SNMP software such as the CMU SNMP
    package, a user who knows that community can set the following writable MIB
    objects.  The entire MIB file can be found on ftp.osicom.com.
    
    unitResetCommand   <------ Anyone can reboot the product by default.
    localNIloop
    remoteNIloop
    lineLoop
    payloadLoop
    testPattern
    niClearTestCounter
    insertBitError
    interfaceLocalLoop
    interfaceRemoteLoopWithTestPattern
    interfaceTestPattern
    interfaceDiagClearCounters
    saveConfigToFlash
    niFormat
    niCoding
    niTiming
    niLineBuildOut
    esfDataLink
    remoteLoop
    esfCxrLoops
    bandwidthAlloc
    interfaceDataRate
    interfaceDataMode
    interfaceRmtLoopResponse
    clearCounters
    clientAutoLearn
    accessViaTelnet
    clientAddress
    
    This problem is not unique to Osicom.  Rootshell, after two years of e-mails
    to Ascend (http://www.ascend.com/), got them to turn off the write community
    in their products and add the "R/W Comm Enable" setting in their SNMP
    configuration area.
    
    Since the ROUTERmate product does not support packet filters, the only
    workaround at the moment is to disable the "Autolearn Clients" feature of
    the ROUTERmate.
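    The three crash conditions above (a port scan, a SYN flood, and pmcrash's
    burst of fragmented ICMP) are all visible upstream of a router that has no
    packet filters of its own.  The following detector is an added example, not
    Rootshell's or Osicom's code: it runs over constructed packet summaries and
    flags, per source address, many distinct ports SYN'd within a short window
    (port scan), a high bare-SYN rate to any port (SYN flood), and a burst of
    fragmented ICMP.  The two-second window and the thresholds are assumptions
    chosen for the sample data, not vendor figures; tune them to the link speed.

```python
# Added example (not Rootshell's or Osicom's code): flag the traffic patterns
# the bulletin says crash the ROUTERmate. Window and thresholds are assumptions.
from collections import defaultdict

# (time_s, src, proto, tcp_flags, dst_port, is_fragment) -- constructed sample data
SAMPLE = []
SAMPLE += [(0.0 + i * 0.03, "10.0.0.5", "tcp", "S", 1 + i, False) for i in range(30)]       # port scan
SAMPLE += [(10.0 + i * 0.003, "10.0.0.9", "tcp", "S", 23, False) for i in range(150)]       # SYN flood on telnet
SAMPLE += [(20.0 + i * 0.01, "10.0.0.7", "icmp", "", 0, True) for i in range(80)]           # fragmented ICMP burst
SAMPLE += [(30.0 + i * 10.0, "10.0.0.2", "tcp", "S", 22 + i % 2, False) for i in range(4)]  # benign ssh/telnet
SAMPLE += [(30.1, "10.0.0.2", "tcp", "SA", 22, False)]                                     # SYN-ACK, ignored


def _trailing_windows(events, window):
    """For each event in time order, yield the events within the trailing window (inclusive)."""
    events = sorted(events)
    start = 0
    for i, ev in enumerate(events):
        while ev[0] - events[start][0] > window:
            start += 1
        yield events[start:i + 1]


def detect(records, window=2.0, scan_ports=20, syn_rate=100, frag_icmp=50):
    """Return sorted (src, alert) pairs; each threshold applies to one trailing window."""
    syns = defaultdict(list)    # src -> [(t, dport)] for bare SYNs only
    frags = defaultdict(list)   # src -> [(t,)] for ICMP fragments
    for t, src, proto, flags, dport, is_frag in records:
        if proto == "tcp" and flags == "S":
            syns[src].append((t, dport))
        elif proto == "icmp" and is_frag:
            frags[src].append((t,))
    alerts = set()
    for src, ev in syns.items():
        for win in _trailing_windows(ev, window):
            if len({p for _, p in win}) >= scan_ports:   # many distinct ports: scanner
                alerts.add((src, "portscan"))
            if len(win) >= syn_rate:                     # many SYNs, any port: flood
                alerts.add((src, "synflood"))
    for src, ev in frags.items():
        for win in _trailing_windows(ev, window):
            if len(win) >= frag_icmp:                    # pmcrash-style burst
                alerts.add((src, "fragmented-icmp-flood"))
    return sorted(alerts)


if __name__ == "__main__":
    for src, kind in detect(SAMPLE):
        print(f"{src}: {kind}")
```

    Only bare SYNs count toward the scan and flood figures, so a host's normal
    SYN-ACK replies and established sessions do not inflate them; on a 56K link
    the SYN rate that actually crashes the unit may be well below the sample
    threshold, so start low and raise it against observed baselines.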
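    The SNMP problem above comes down to a single UDP datagram: an SNMPv1
    SetRequest carrying the community string "private" and the OID of a writable
    object such as unitResetCommand.  The following code is an added example, not
    Rootshell's or Osicom's, and not a client against any real router: it builds
    and parses SNMPv1 messages in pure Python so the on-wire shape of such a
    write can be seen, and it flags SetRequests that use a default community in
    a list of captured datagrams.  The OID 1.3.6.1.4.1.99999.1.1.0 is a
    hypothetical placeholder; the real object identifiers are in the vendor MIB
    on ftp.osicom.com.

```python
# Added example (not Rootshell's or Osicom's code): SNMPv1 message builder,
# parser and a check for SetRequests sent with a default write community.
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3
DEFAULT_COMMUNITIES = {b"public", b"private"}
HYPOTHETICAL_RESET_OID = "1.3.6.1.4.1.99999.1.1.0"   # placeholder, NOT the real unitResetCommand OID


def _length(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload


def enc_int(value):
    """Minimal-length two's-complement INTEGER."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return tlv(INTEGER, value.to_bytes(n, "big", signed=True))


def enc_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def build_message(pdu_type, community, oid, value=None, request_id=1):
    """SNMPv1 message: SEQUENCE { version 0, community, PDU { reqid, 0, 0, varbinds } }."""
    val = enc_int(value) if value is not None else tlv(NULL, b"")   # NULL value for a Get
    varbind = tlv(SEQUENCE, enc_oid(oid) + val)
    pdu = tlv(pdu_type, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community) + pdu)


def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def dec_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_message(packet):
    """Return version, community, PDU type and [(oid, value)] of an SNMPv1 message."""
    _, msg, _ = _read_tlv(packet, 0)
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_type, pdu, _ = _read_tlv(msg, pos)
    pos = 0
    for _ in range(3):                      # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, p = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, p)
        decoded = int.from_bytes(val, "big", signed=True) if vtag == INTEGER else bytes(val)
        varbinds.append((dec_oid(oid), decoded))
    return {"version": int.from_bytes(ver, "big", signed=True), "community": bytes(community),
            "pdu_type": pdu_type, "varbinds": varbinds}


def flag_default_community_writes(packets):
    """Detection: (index, community, oid) for every SetRequest that uses a default community."""
    hits = []
    for i, pkt in enumerate(packets):
        m = parse_message(pkt)
        if m["pdu_type"] == SET_REQUEST and m["community"] in DEFAULT_COMMUNITIES:
            hits.extend((i, m["community"].decode(), oid) for oid, _ in m["varbinds"])
    return hits


if __name__ == "__main__":
    reset = build_message(SET_REQUEST, b"private", HYPOTHETICAL_RESET_OID, 1)
    print(reset.hex())
    print(flag_default_community_writes([reset]))
```

    The same parser run over datagrams captured on UDP port 161 (the SNMP agent
    port) shows which hosts are issuing writes and with what community; a
    SetRequest with "private" from an unexpected address is exactly the reboot or
    loopback change described above.  Where a product lets you change the write
    community, do so; where it does not, as here, the SNMP port should be blocked
    on whatever upstream device can filter, since the ROUTERmate itself cannot.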
    
    Solution
    --------
    
    Osicom was informed of these problems on July 31st, 1998.
    
    New firmware when available should be posted to :
    
    ftp://ftp.osicom.com/
    
    Vendor Contact
    --------------
    
    Osicom Technologies Inc.
    2800 28th Street, Suite 100
    Santa Monica, CA 90405 USA
    
    infoat_private
    888-674-2668 (888-Osicom-8)
    
    ----------------------------------------------------------------------
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:16:16 PDT