Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Phenoelit ADvisory 0815 ++ ** Ascend

From: kim0 <kim0 () phenoelit de>
Date: Sat, 27 Jul 2002 12:08:41 +0200

--
           kim0   <kim0 () phenoelit de>
       Phenoelit (http://www.phenoelit.de)
90C0 969C EC71 01DC 36A0  FBEF 2D72 33C0 77FC CD42

Phenoelit Advisory <wir-haben-auch-mal-was-gefunden #0815 +--->

[ Authors ]
        FX              <fx () phenoelit de>
        kim0            <kim0 () phenoelit de>  

        Phenoelit Group (http://www.phenoelit.de)
        Advisory http://www.phenoelit.de/stuff/Lucent_Ascend.txt

[ Affected Products ]
        Lucent    
                        Pipline, MAX, DSL-Terminator. (Formerly known under
                        Ascend Router product line)

        Not vulnerable: MAX TNT

        Lucent Bug ID:  Not assigned

[ Vendor communication ]
        06/28/02        Reply to inquiry regarding "who to notify"
        06/29/02        Initial Notification
                        *Note-Initial notification by phenoelit
                        includes a cc to cert () cert org by default
        06/29/02        Human response ack. the receipt.
        07/06/02        Weekly Follow-up by central POC
                        at Lucent (Right on Time!)
        07/08/02        Additional tec-discussions
        07/19/02        Notification of intent to post publically in
                        apx. 7 days.

[ Overview ]
        The product line formerly known under the name of "Ascend" running 
        the TAOS Operating System provides an easy to use and support 
        interface. This interface includes an undocumented protocol that 
        provides an easy method to identify and query the devices. (similar 
        to the Cisco CDP problem but remote).
        
[ Description ]
        When sending a crafted UDP packet to the devices UDP discard port (9),
        the device will answer with a packet containing valuable information 
        such as the host's name, MAC, IP address of the Ethernet Interface,
        Serial number, device type and installed features. By sending a packet 
        with the SNMP WRITE community, a remote attacker can change the devices 
        IP address, netmask or name.

[ Example ]
        linux# irpas/dfkaa 192.168.1.11    
        DFKAA - Devices Formerly Known As Ascend
        FX <fx () phenoelit de> - http://www.phenoelit.de/
        $Revision: 1.22 $ - IRPAS Build XL
        (c) 2001++

        >>ascend<< 
                [Probe response]
                ADP version:    2
                *MAC addr:      00:C0:7B:89:DD:86
                IP addr:        192.168.1.11/255.255.255.0
                *Serial number: 9990826374
                Device type:    Ascend Pipeline 75
                Features:       0004 0030 0140 0000
        *Device Serial number number and MAC have been changed.


[ Solution ]
        None known at this time. 

[ end of file ]
Previous By Date Next
Previous By Thread Next

Current thread: