SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!

SecurityTracker Archives

Category:  Device (Router/Bridge/Hub)  >  Pipeline
Vendors:  Lucent
Lucent (Ascend) Pipeline Router Discloses System Information to Remote Users via Undocumented Protocol
SecurityTracker Alert ID:  1004856
CVE Reference:  GENERIC-MAP-NOMATCH (no CVE assigned)
Date:  Jul 27 2002
Impact:  Disclosure of system information, Modification of system information
Exploit Included:  Yes  
Advisory:  Phenoelit
Description:  A vulnerability was reported in the Lucent Pipeline router series. A remote user can query the device to obtain information about the device's configuration. A remote user may also be able to change certain configuration settings.

The Phenoelit Group described a method, based on a reportedly undocumented protocol, that can be used to identify and query Lucent (Ascend) Pipeline routers and other devices running the TAOS operating system.

A remote user can send a specially crafted UDP packet to the device's UDP discard port (9) to cause the device to generate a packet containing information such as the host name, MAC address, IP address of the Ethernet interface, serial number, device type, and installed features.

A remote user can send a packet with the SNMP WRITE community to change the device's IP address, netmask, or name.
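The packet format of the undocumented protocol is not given on this page, but the behaviour just described is observable on the wire without it: the discard service (RFC 863) is defined never to send anything back, so any datagram sourced from UDP port 9 means something other than discard is bound there, and probes to UDP/9 or to SNMP (UDP/161) arriving at a router from outside its management network are the attacker's half of the exchange. The following Python is an added detection example, not code from the advisory or from IRPAS; the flow record layout, the management network 192.168.1.0/24, the watched router 192.168.1.11 and the sample flows are constructed for the example.

```python
# Added example (not from the Phenoelit advisory or SecurityTracker): flag
# the discard-port probe/reply pattern and out-of-network SNMP in UDP flow
# records. Record layout and sample data are assumptions made for the demo.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DISCARD_PORT = 9    # UDP discard; the port the advisory says the device answers on
SNMP_PORT = 161     # the SNMP WRITE community is the second vector described


@dataclass(frozen=True)
class Flow:
    # Assumed record layout: one datagram (or one-way flow) per record.
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "udp" or "tcp"


def analyze(flows, mgmt_net, routers):
    """Return a list of (rule, flow) findings.

    mgmt_net: CIDR from which router management traffic is expected.
    routers:  addresses of the TAOS devices being watched.
    """
    net = ip_network(mgmt_net)
    watched = set(routers)
    findings = []
    for f in flows:
        if f.proto != "udp":
            continue
        # RFC 863 discard never answers: a datagram *from* port 9 means a
        # different service is bound there (on TAOS, the ADP responder).
        # This fires regardless of who sent the probe.
        if f.sport == DISCARD_PORT:
            findings.append(("discard-port-reply", f))
        # Attacker side: UDP/9 or SNMP aimed at a router from outside the
        # management network.
        if (f.dst in watched and f.dport in (DISCARD_PORT, SNMP_PORT)
                and ip_address(f.src) not in net):
            rule = ("external-discard-probe" if f.dport == DISCARD_PORT
                    else "external-snmp")
            findings.append((rule, f))
    return findings


# Constructed sample: one external scan of 192.168.1.11, one internal scan,
# and some ordinary traffic that must not fire.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", 40123, "192.168.1.11", 9, "udp"),    # probe from outside
    Flow("192.168.1.11", 9, "203.0.113.5", 40123, "udp"),    # device answers
    Flow("192.168.1.20", 5000, "192.168.1.11", 9, "udp"),    # probe from mgmt net
    Flow("192.168.1.11", 9, "192.168.1.20", 5000, "udp"),    # still answers
    Flow("203.0.113.5", 40124, "192.168.1.11", 161, "udp"),  # SNMP from outside
    Flow("192.168.1.20", 5001, "192.168.1.11", 161, "udp"),  # SNMP from mgmt net
    Flow("203.0.113.5", 40125, "192.168.1.11", 23, "tcp"),   # not UDP, ignored
]

if __name__ == "__main__":
    for rule, f in analyze(SAMPLE_FLOWS, "192.168.1.0/24", ["192.168.1.11"]):
        print(f"{rule:24} {f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

On the sample the internal scan fires only the reply rule, which is the practical point: with no vendor fix available, the dependable signal is that port 9 talks back at all, and the only containment is to keep UDP/9 and UDP/161 from reaching these devices except from the management network.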

A demonstration exploit transcript is provided:

linux# irpas/dfkaa 192.168.1.11
DFKAA - Devices Formerly Known As Ascend
FX <fx@phenoelit.de> - http://www.phenoelit.de/
$Revision: 1.22 $ - IRPAS Build XL
(c) 2001++

>>ascend<<
[Probe response]
ADP version: 2
*MAC addr: 00:C0:7B:89:DD:86
IP addr: 192.168.1.11/255.255.255.0
*Serial number: 9990826374
Device type: Ascend Pipeline 75
Features: 0004 0030 0140 0000
*Device serial number and MAC have been changed.
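
The "[Probe response]" block in the transcript above is what a sweep of many addresses yields, one block per device that answers. The following Python, an added example that is not part of IRPAS or of the advisory, parses that output into a record so a scan can be turned into an inventory of devices exposing the protocol; it treats a missing "[Probe response]" marker as "no answer" (an assumption about dfkaa's output, not documented on this page) and uses the transcript above as its constructed input.

```python
# Added example (not part of IRPAS): parse dfkaa's "[Probe response]" block
# into a dict. Input below is the transcript from the advisory.
import re

SAMPLE_OUTPUT = """\
DFKAA - Devices Formerly Known As Ascend
FX <fx@phenoelit.de> - http://www.phenoelit.de/
$Revision: 1.22 $ - IRPAS Build XL
(c) 2001++

>>ascend<<
[Probe response]
ADP version:    2
*MAC addr:      00:C0:7B:89:DD:86
IP addr:        192.168.1.11/255.255.255.0
*Serial number: 9990826374
Device type:    Ascend Pipeline 75
Features:       0004 0030 0140 0000
"""

# "key: value" lines; the leading '*' marks fields the authors redacted.
FIELD_RE = re.compile(r"^\*?([A-Za-z ]+?):\s+(.*)$")


def parse_probe_response(text):
    """Return the response fields as a dict, or None if the target did not
    answer (assumed here to mean no "[Probe response]" marker in the output)."""
    lines = text.splitlines()
    try:
        start = lines.index("[Probe response]") + 1
    except ValueError:
        return None
    rec = {}
    for line in lines[start:]:
        m = FIELD_RE.match(line.strip())
        if not m:
            break  # first non "key: value" line ends the block
        key = m.group(1).lower().replace(" ", "_")
        rec[key] = m.group(2).strip()
    # "addr/mask" -> separate fields
    if "/" in rec.get("ip_addr", ""):
        rec["ip_addr"], rec["netmask"] = rec["ip_addr"].split("/", 1)
    # four 16-bit feature words, printed in hex
    if "features" in rec:
        rec["features"] = [int(w, 16) for w in rec["features"].split()]
    if "adp_version" in rec:
        rec["adp_version"] = int(rec["adp_version"])
    return rec


def inventory(outputs):
    """Map target -> parsed record for every target that answered."""
    return {target: rec for target, text in outputs.items()
            if (rec := parse_probe_response(text)) is not None}


if __name__ == "__main__":
    # Constructed: one responder and one silent host.
    for target, rec in inventory({"192.168.1.11": SAMPLE_OUTPUT,
                                  "192.168.1.12": ">>ascend<<\n"}).items():
        print(target, rec["device_type"], rec["serial_number"], rec["mac_addr"])
```

Because the serial number and MAC come back unauthenticated to anyone who can reach UDP/9, a responder in this inventory should be treated as fully fingerprinted, not merely "discovered".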

The vendor has reportedly been notified.

Impact:  A remote user can obtain information about the device and may be able to change the device's configuration.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.lucent.com/products/subcategory/0,,CTID+2016-STID+10444-LOCL+1,00.html
Cause:  Access control error
Reported By:  kim0 <kim0@phenoelit.de>
Message History:   None.


 Source Message Contents

Date:  Sat, 27 Jul 2002 12:08:41 +0200
From:  kim0 <kim0@phenoelit.de>
Subject:  Phenoelit ADvisory 0815 ++ ** Ascend


-- 
            kim0   <kim0@phenoelit.de>
        Phenoelit (http://www.phenoelit.de)
90C0 969C EC71 01DC 36A0  FBEF 2D72 33C0 77FC CD42

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +--->

[ Authors ]
	FX		<fx@phenoelit.de>
	kim0 		<kim0@phenoelit.de>	

	Phenoelit Group	(http://www.phenoelit.de)
	Advisory http://www.phenoelit.de/stuff/Lucent_Ascend.txt

[ Affected Products ]
	Lucent    
			Pipeline, MAX, DSL-Terminator. (Formerly known under
			the Ascend router product line)

	Not vulnerable: MAX TNT

	Lucent Bug ID:	Not assigned

[ Vendor communication ]
        06/28/02        Reply to inquiry regarding "who to notify"
        06/29/02        Initial notification
                        *Note: initial notification by Phenoelit
                        includes a cc to cert@cert.org by default
        06/29/02        Human response acknowledging receipt.
        07/06/02        Weekly follow-up by central POC
                        at Lucent (right on time!)
        07/08/02        Additional technical discussions
        07/19/02        Notification of intent to post publicly in
                        approx. 7 days.

[ Overview ]
	The product line formerly known under the name of "Ascend" running 
	the TAOS Operating System provides an easy to use and support 
	interface. This interface includes an undocumented protocol that 
	provides an easy method to identify and query the devices. (similar 
	to the Cisco CDP problem but remote).
 
[ Description ]
	When sending a crafted UDP packet to the device's UDP discard port (9),
	the device will answer with a packet containing valuable information 
	such as the host's name, MAC, IP address of the Ethernet interface,
	serial number, device type and installed features. By sending a packet 
	with the SNMP WRITE community, a remote attacker can change the device's 
	IP address, netmask or name.

[ Example ]
	linux# irpas/dfkaa 192.168.1.11
	DFKAA - Devices Formerly Known As Ascend
	FX <fx@phenoelit.de> - http://www.phenoelit.de/
	$Revision: 1.22 $ - IRPAS Build XL
	(c) 2001++

	>>ascend<<
		[Probe response]
		ADP version:    2
		*MAC addr:      00:C0:7B:89:DD:86
		IP addr:        192.168.1.11/255.255.255.0
		*Serial number: 9990826374
		Device type:    Ascend Pipeline 75
		Features:       0004 0030 0140 0000
	*Device serial number and MAC have been changed.


[ Solution ]
	None known at this time. 

[ end of file ]

Copyright 2002, SecurityGlobal.net LLC