Re: Remote DoS in Netgear RM-356

From: Simple Nomad (thegnomeat_private)
Date: Fri Feb 15 2002 - 11:11:06 PST


    My Netgear RT338, which is an ISDN router, falls over with a UDP scan. It
    does clear on its own, but not before dropping the connection.
    Interestingly enough, SNMP is not running on it -- it just choked on the
    scan, but seems to handle a TCP scan ok. This would suggest that the
    problem may lie with the filtering code (most of the SOHO Netgear devices
    have some simple ACLs for filtering traffic) or with the buffers that
    handle the packets.
    
    My testing was limited -- I did not test from the outside because the UDP
    scans fuck up some of the equipment at my ISP ;-) but it did drop the
    connection with a UDP scan from the inside.
    
    I suspect all the RT and RM devices from Netgear may fall into this
    category.
    
    -         Simple Nomad          -   if we were priests   -
    -      thegnomeat_private        -      we would hack     -
    -  thegnomeat_private  -     the mind of god    -
    
    On Fri, 15 Feb 2002, Ben Ryan wrote:
    
    > g'day all;
    >
    > found a denial of service in the IP stack of the Netgear RM-356.
    > This is your typical `internet gateway in a box'. Small businesses love 'em.
    >
    > this isn't exactly 'end of the internet' stuff, so I haven't bothered to do any
    > coochie-coo vendor-informed stuff. Write bad code and sell it, stand up and be
    > counted for your mistakes. Even simple testing would have uncovered this.
    >
    > Using lx252 and nmap-254b30, I performed a UDP scan against the Netgear NAT box;
    > this device has a V90 modem WAN interface.
    > The command line was:
    >
    > snuff# nmap -sU 210.9.238.103 -T5
    >
    > It seems to be 161/UDP that's vulnerable... what a coincidence :)
    > TCP connect() scans seem to be ok.
    > Upon receipt of the nmap probe, the box does a crashdump to console.
    > Perhaps this is an overflow? IANAasmdev :)
    >
    > All your RM-356 are belong to us :)
    >
    > Menu 24.2.1 - System Maintenance - Information
    >                     Name: *******_netgear
    >                     Routing: IP
    >                     RAS F/W Version: V2.21(I.03) | 3/30/2000
    >                     MODEM 1 F/W Version: V2.210-V90_2M_DLS
    >                     Country Code: 244
    >                     LAN
    >                       Ethernet Address: 00:a0:c5:e3:**:**
    >                       IP Address: 192.168.0.1
    >                       IP Mask: 255.255.255.0
    >                       DHCP: Server
    > CRASHDUMP::
    >
    > Boot Module Version : 4.40. Built at Wed Feb 23 14:00:29 2000
    >
    > ________.-~-.________
    > Ben Ryan, MCP
    > Network Engineer
    > Lansys Technologies
    > Bendigo, Victoria
    > Australia
    > Phone +61-[0]417 502061
    > email: benat_private
    > URL: http://thrasher.impulse.net.au/index.htm
    >
    
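Read as a defender, the thread describes one observable: a single source walking many UDP ports on the gateway, with 161/udp among them, shortly before the device drops. The following is an added example, not code from either poster, that flags that pattern in firewall-style log lines. The log format ("timestamp src dst proto dport"), the sample lines, and the sweep threshold and window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumption: "ts src dst proto dport" format).
# 10.0.0.5 sweeps six UDP ports on the gateway in three seconds, 161 included;
# 10.0.0.7 is ordinary DNS traffic and must not be flagged.
SAMPLE_LOG = """\
2002-02-15T11:00:00 10.0.0.5 192.168.0.1 UDP 53
2002-02-15T11:00:01 10.0.0.5 192.168.0.1 UDP 67
2002-02-15T11:00:01 10.0.0.5 192.168.0.1 UDP 111
2002-02-15T11:00:02 10.0.0.5 192.168.0.1 UDP 137
2002-02-15T11:00:02 10.0.0.5 192.168.0.1 UDP 161
2002-02-15T11:00:03 10.0.0.5 192.168.0.1 UDP 500
2002-02-15T11:00:03 10.0.0.5 192.168.0.1 TCP 80
2002-02-15T11:30:00 10.0.0.7 192.168.0.1 UDP 53
2002-02-15T11:31:00 10.0.0.7 192.168.0.1 UDP 53
"""

SWEEP_PORTS = 5                 # distinct UDP ports from one source (assumed threshold)
WINDOW = timedelta(seconds=10)  # sliding window in which they must occur (assumed)


def parse(line):
    """Split one log line into (datetime, src, dst, proto, dport)."""
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(dport)


def find_udp_sweeps(log_text, min_ports=SWEEP_PORTS, window=WINDOW):
    """Return {(src, dst): sorted ports} for every source that touched at least
    min_ports distinct UDP ports on one destination inside a sliding window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = parse(line)
        if proto == "UDP":           # TCP connect() scans are a separate signal
            events[(src, dst)].append((ts, dport))
    hits = {}
    for key, evs in events.items():
        evs.sort()                   # chronological; tuples sort on the datetime
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[key] = sorted(ports)
                break
    return hits


def snmp_probed(hits):
    """Subset of sweeps that reached 161/udp, the port the report singles out."""
    return {k: v for k, v in hits.items() if 161 in v}
```

A hit on a SOHO gateway with no SNMP agent, as in Simple Nomad's RT338, is worth correlating with the device's own uptime or log gap, since the crash itself leaves no syslog entry.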



    This archive was generated by hypermail 2b30 : Mon Feb 18 2002 - 20:33:20 PST