USR Netserver 8/16 vulnerable to nestea attack

From: Vesselin Mladenov (rootat_private)
Date: Mon Oct 26 1998 - 10:51:09 PST

    Three days ago I found out that USR Netserver 8/16 V.34, running version
    2.0.14 OS is vulnerable to nestea DoS attack (for more info lookup in
    http://www.rootshell.com).
    I alarmed 3COM by sending them e-mail about the problem and exact behaviour
    of the NAS I was playing with.
    They mailed me back, telling me that they appreciate I have contacted them,
    but unfortunately they are too busy to pay attention to my e-mail, so I was
    redirected to the local technical support organization.
    Well, I decided to forward the message to bugtraq - cause I'm sure the
    response will be more rapid and they'll be no more too busy. :)
    
    Here is the message, in general:
    
    --------------------------------------------------
    Hi,
    
    I was playing with old nestea program (http://www.rootshell.com) and I
    decided to test if my netserver is vulnerable to that attack.
    Unfortunately it turned out that it is.
    The model is NETServer/8 V.34, OS version 4.0.14.
    The error message netserver returned to me was:
    
     bla bla bla .../src/ppp_dsm.c Level CRITICAL: Buffer Alloc Error (3052) ES_NO_BUFMEM
    
    After that netserver stopped accepting user logins.
    From logfile: "Connection was dropped for user UNKNOWN."
    
    I use RADIUS authentication and accounting.
    
    In 10% of cases netserver was completely dead. I attacked the NAS with 200
    repetitions of nestea. If you increase the repetition number, you will not
    have to run the nestea twice to kill the netserver completely.
    
    I think that the problem is in ppp_dsm.c module.
    The module is quite buggy - there are other problems with it, but not so
    serious as this one.
    
    ---------------------------------------------------
    
    That's it.
    
    
    ---------------------------
    Vesselin Mladenov
    NetBG Ltd.
    Phone: +3592-9744260
    ---------------------------
    
    


