SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Device (Router/Bridge/Hub)  >   Alcatel-Lucent MAX Vendors:   Lucent (please use Alcatel-Lucent)
Lucent (Ascend) MAX TNT Universal Gateway May Grant Root Access to Dial-up Users
SecurityTracker Alert ID:  1007771
SecurityTracker URL:  http://securitytracker.com/id/1007771
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Sep 21 2003
Original Entry Date:  Sep 21 2003
Impact:   Root access via network
Exploit Included:  Yes  
Version(s): 8.0.1
Description:   A vulnerability was reported in the Lucent (Ascend) MAX TNT Universal Gateway. A remote dial-up user may be able to gain root access on the device.

It is reported that a remote user can dial into the gateway using a terminal client and, on some occasions, gain access to the device's operating system without having to supply a valid root level password. According to the report, when this does occur, the action is not logged by the system.

A valid dial-up username and password is not required to exploit the flaw.

Some demonstration exploit transcripts are provided in the Source Message.

The vendor has reportedly been notified.

Impact:   A remote dial-up user may be able to gain root access on the device.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.lucent.com/products/subcategory/0,,CTID+2017-STID+10443-LOCL+1,00.html/ (Links to External Site)
Cause:   Access control error, Authentication error

Message History:   None.


 Source Message Contents

Date:  Sun, 21 Sep 2003 10:39:38 +0000
Subject:  [Full-Disclosure] Ascend / Lucent Router gives root?


There appears to be a design flaw in an Ascend / Lucent MAX TNT Router that allows root access.  I have sent this to lucent, they
 have forwarded it to the 'approriate software team'.  This bug does not seem to be a misconfiguration as the terminal server often
 works correctly.  It would be interesting to see if this also works agains other version of the IOS.  

Here is an example of this vulnerability that can be found online:
http://www.tek-tips.com/gviewthread.cfm/lev2/8/lev3/58/pid/547/qid/626101

[in TERMINAL-SERVER]
enabled = yes
security-mode = full
modem-configuration = { will-v42 33600-max-baud -13-db-mdm-trn-level no
-18-db-+
**********************************************************************
here a connection is made and the Terminal Server presents a Login Prompt
**********************************************************************
terminal-mode-configuration = { no yes "" "***  Pulaski Networks  ***"
"Login: +
immediate-mode-options = { none no "" 0 }
menu-mode-options = { no no no "" "" telnet 0 "" "" "" telnet 0 "" ""
""
telnet+
ppp-mode-configuration = { yes 5 no session-ppp }
slip-mode-configuration = { no no basic-slip no }
dialout-configuration = { no no 5000 "" none }

And something changed but still no luck.  This time wvdial shows :
***********************************************************************
here a connection made to the same Terminal Server but no Login Prompt is presented
***********************************************************************
Aug  7 12:04:22 fw wvdial[4441]: Sending: fmota
Aug  7 12:04:23 fw wvdial[4441]: fmota
Aug  7 12:04:23 fw wvdial[4441]: Password:
Aug  7 12:04:23 fw wvdial[4441]: Looks like a password prompt.
Aug  7 12:04:23 fw wvdial[4441]: Sending: (password)
************************************************************************
instead of a login prompt the root prompt is given - root access is gained.
************************************************************************
Aug  7 12:04:24 fw wvdial[4441]: ascend%
************************************************************************
this problem has been overlooked because wvdial and other programs do not report this, instead wvdial continues to try with ppp negotion,
 but fails:
**************************************************************************
Aug  7 12:04:24 fw wvdial[4441]: Hmm... a prompt.  Sending "ppp".
Aug  7 12:04:25 fw wvdial[4441]: ppp
Aug  7 12:04:25 fw wvdial[4441]: Requested Service Not Authorized 
**************************************************************************
Access to the root prompt can easily be obtained through the use of a terminal client, such as minicom or Hyperterminal.  Often, the
 router will correctly present a login prompt.  When this occurs one only needs to disconnect quickly and redial to gain root.  This
 has been tested against an Ascend / Lucent MAX TNT router running IOS version 8.0.1.

other online examples that could be related to this vulnerability:
https://lists.csociety.org/pipermail/plug/2000-October/003328.html
http://lists.debian.org/debian-user/2000/debian-user-200010/msg02081.html

nathan aguirre
nabiy@freeshell.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2017, SecurityGlobal.net LLC