Bugtraq mailing list archives

Re: Remote DoS in Netgear RM-356


From: Simple Nomad <thegnome () nmrc org>
Date: Fri, 15 Feb 2002 14:11:06 -0500 (EST)

My Netgear RT338, which is an ISDN router, falls over with a udp scan. It
does clear on its own, but not before dropping the connection.
Interestingly enough SNMP is not running on it -- it just choked on the
scan, but seems to handle a tcp scan ok. This would suggest that the
problem may lie with the filtering code (most of the SOHO Netgear devices
have some simple acls for filtering traffic) or with the buffers that
handle the packets.

My testing was limited -- I did not test from the outside because the udp
scans fuck up some of the equipment at my ISP ;-) but it did drop the
connection with a udp scan from the inside.

I suspect all the RT and RM devices from Netgear may fall into this
category.

-         Simple Nomad          -   if we were priests   -
-      thegnome () nmrc org        -      we would hack     -
-  thegnome () razor bindview com  -     the mind of god    -

On Fri, 15 Feb 2002, Ben Ryan wrote:

g'day all;

found a denial of service in the IP stack of the Netgear RM-356.
This is your typical `internet gateway in a box'. Small businesses love 'em.

this isn't exactly 'end of the internet' stuff, so I haven't bothered to do any
coochie-coo vendor-informed stuff. Write bad code and sell it, stand up and be
counted for your mistakes. Even simple testing would have uncovered this.

Using lx252 and nmap-254b30, I performed a udp scan against the netgear nat box;
this device has a V90 modem WAN interface.
cmd line was:

snuff# nmap -sU 210.9.238.103 -T5

It seems to be 161/UDP that's vulnerable... what a coincidence :)
TCP connect() scans seem to be ok.
Upon receipt of the nmap probe, the box does a crashdump to console.
Perhaps this is an overflow? IANAasmdev :)

All your RM-356 are belong to us :)

Menu 24.2.1 - System Maintenance - Information
                    Name: *******_netgear
                    Routing: IP
                    RAS F/W Version: V2.21(I.03) | 3/30/2000
                    MODEM 1 F/W Version: V2.210-V90_2M_DLS
                    Country Code: 244
                    LAN
                      Ethernet Address: 00:a0:c5:e3:**:**
                      IP Address: 192.168.0.1
                      IP Mask: 255.255.255.0
                      DHCP: Server
CRASHDUMP::
54f7a0: 00 54 f7 a8 00 21 e9 38 00 54 f8 10 00 21 e9 38     .T...!.8.T...!.8
54f7b0: 00 00 00 07 00 41 37 bc 00 2b 09 ca 00 00 00 00     .....A7..+......
54f7c0: 00 55 24 4c 00 2b 09 b2 00 00 00 00 00 55 24 4c     .U$L.+.......U$L
54f7d0: 00 00 00 05 00 00 00 00 00 21 16 24 00 57 26 04     .........!.$.W&.
54f7e0: 00 58 5e e8 00 21 16 24 00 00 26 04 00 21 16 24     .X^..!.$..&..!.$
54f7f0: 00 41 20 00 00 54 f8 10 00 21 ea 34 00 41 20 00     .A ..T...!.4.A .
54f800: 00 00 00 07 ff ff ff ff 00 54 f8 10 00 21 e6 6e     .........T...!.n
54f810: 00 54 f8 2c 00 21 e6 6e 00 41 37 bc ff ff ff ff     .T.,.!.n.A7.....
54f820: ff ff 20 04 00 5e 2e 60 00 40 f7 20 00 54 f8 68     .. ..^.`.@. .T.h
54f830: 00 21 b0 00 00 00 00 01 00 2b 09 ca ff ff ff ff     .!.......+......
54f840: 00 00 00 07 00 2b 09 b2 00 5e 2e 60 00 00 00 00     .....+...^.`....
54f850: ff ff ff ff 00 00 00 00 00 00 00 00 00 54 f9 9c     .............T..
54f860: 00 5e 2e 60 00 00 00 00 00 54 f8 a8 00 21 a8 1a     .^.`.....T...!..
54f870: 00 00 00 07 ff ff ff ff 00 5e 2e 60 00 00 00 00     .........^.`....
54f880: 00 00 00 08 00 00 00 00 00 00 00 21 00 00 00 24     ...........!...$
54f890: 00 00 00 00 00 54 f9 9c 00 5f ec d0 00 55 24 4c     .....T..._...U$L
54f8a0: 00 55 24 4c 00 5e 2e 60 00 54 f8 fc 00 23 b8 42     .U$L.^.`.T...#.B

Boot Module Version : 4.40. Built at Wed Feb 23 14:00:29 2000

________.-~-.________
Ben Ryan, MCP
Network Engineer
Lansys Technologies
Bendigo, Victoria
Australia
Phone +61-[0]417 502061
email: ben () bssc edu au
URL: http://thrasher.impulse.net.au/index.htm