Bugtraq mailing list archives
Ascend DoS attack
From: jshaw () INSYNC NET (Joe Shaw)
Date: Thu, 26 Jun 1997 16:47:49 -0500
Problem:

Recently, we noticed a problem in Ascend's microcode for the Ascend MAX 4000 that allowed any user to request any IP address they wanted. This problem surfaced in the 4.x versions of code, works on 5.0Ap8, and probably works on most of the versions of Ascend software. It was fixed originally some time ago (or at least that's what I was led to believe by Ascend), but the problem resurfaced recently. It will work, even if you have such things as Assign Adrs and Pool only set to yes.

The problem can be duplicated by just making your settings in Windows Dialup Networking say Specify IP Address, and then setting it to the IP address of a machine on the network you're connecting to. Once connected, I telnetted from another machine to our router, and sure enough, when I did a show ip route xxx.xxx.xxx.xxx, it showed that it was being broadcast via OSPF from one of our MAXen, instead of being connected directly to FDDI0. I assumed I couldn't get out to the network, but in attempting to telnet out from the dialin box, I got to our core Cisco and the other machines on our network.

Possibilities:

The ability to take any IP address means that a dialin user can take the IP address of a DNS server, a router, anything with an IP address. In some instances (where proxy mode is enabled on the MAX) you will be able to still route to some machines, while not being able to get to others (this depends on the network setup). Also, it's possible to take the IP address of one machine by simply dialing up, and while doing so, you could possibly rcp over a password file or any other file you wanted to as long as the IP address of the machine is trusted. This makes any service that works strictly off of authentication of IP address extremely vulnerable. You could take over DNS services, grab passwords for people checking POP mail, and anything else you can think of.

Solution:

After some poking around, I upgraded all the MAXen to the latest version (5.0Ap13), which seems to have fixed the problem. I know most Ascend users are leery of doing this, since features are fixed, then broken in later versions of code. But, 5.0Ap13 has been working since the beginning of this week and has proven to be stable doing multi-chassis stacking and OSPF.

Sidenotes:

I don't know if this will work on the MAX TNT, but I'm fairly sure it will work on the MAX4002, MAX4004, MAX4048, and MAX4072. If you have one of these units, I'd test and make sure, and if you're vulnerable, get the latest version of code off ftp.ascend.com.

Joe Shaw - jshaw () insync net
NetAdmin - Insync Internet Services
Learn more, and you will never starve.
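The symptom reported in the post (a host route for a local machine being advertised via OSPF from a MAX instead of being directly connected) can be checked for mechanically. The following is an added example, not part of the original post and not Ascend or Cisco tooling; the three-column route export format, the addresses, the dial-in pool and the NAS list are all constructed assumptions.

```python
import ipaddress

# Constructed sample data using documentation address ranges (assumptions).
DIALIN_POOLS = [ipaddress.ip_network("198.51.100.0/24")]  # addresses the NAS may hand out
NAS_ADDRESSES = {ipaddress.ip_address("192.0.2.200")}     # dial-in servers (the MAXen)
SAMPLE_ROUTES = """\
192.0.2.0/24      connected  FDDI0
198.51.100.17/32  ospf       192.0.2.200
198.51.100.42/32  ospf       192.0.2.200
192.0.2.53/32     ospf       192.0.2.200
203.0.113.0/24    ospf       192.0.2.1
"""

def parse_routes(text):
    """Yield (network, protocol, next_hop) from 'prefix protocol next-hop' lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        yield ipaddress.ip_network(fields[0], strict=False), fields[1].lower(), fields[2]

def suspicious_host_routes(text, pools=DIALIN_POOLS, nas=NAS_ADDRESSES):
    """Return host routes originated by a NAS for addresses outside its pools."""
    routes = list(parse_routes(text))
    connected = [net for net, proto, _ in routes if proto == "connected"]
    findings = []
    for net, proto, hop in routes:
        # Dial-in sessions show up as OSPF-learned host routes (/32 for IPv4).
        if proto != "ospf" or net.prefixlen != net.max_prefixlen:
            continue
        try:
            hop_addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # next hop is an interface name, not an address
        if hop_addr not in nas:
            continue
        host = net.network_address
        if any(host in pool for pool in pools):
            continue  # normal pool assignment
        # Record which directly connected network the host route overrides.
        shadows = [str(c) for c in connected if host in c]
        findings.append({"host": str(host), "via": hop, "shadows": shadows})
    return findings

if __name__ == "__main__":
    for f in suspicious_host_routes(SAMPLE_ROUTES):
        print(f"ALERT {f['host']}/32 advertised by NAS {f['via']}; shadows {f['shadows']}")
```

Because a /32 is more specific than the connected subnet, routers prefer it, which is why a finding with a non-empty "shadows" list matches the behaviour described in the post.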