Re: Security flaw in ALCATEL/THOMSON Speed Touch Pro ADSL modems

[Gregory Duchemin <c3rb3r () sympatico ca>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Dear 3APA3A,

3APA3A wrote:

| Dear Gregory Duchemin,
|
| In case of the product like ADSL modem is, it's not a bug, but a
| leak of feature  to  secure  DHCP and/or dynamic DNS updates,
| because it's a way DHCP  and DNS are supposed to work and it's
| impossible to fix it without implementing  protocol  extensions.

The first flaw lies in a lack of (hostname) collision checking when
collision happens within a valid (already)  registered lease, Alcatel
firmware simply doesn't validate any further Hostname given to it,
once the first checking has occured.
Second flaw (a direct consequence of the first) appears when deleting
a record for the zone (from the web interface), all collisions will
then be deleted at once. Such behavior was obviously not expected by
programmers.

This doesn't require protocol extension, the same care (user input
validation) should be applied for *all* DHCP packets received and not
only the first one. All the programmatical logic is already there but
not correctly implemented.

It is correct behavior for a standard DNS to round robbin between
several ip adresses when a zone administrator has configured it for
this purpose BUT NOT when it comes from a user exploiting a flaw in
the server.
Moreover Speed touch Pro DNS has no round robbin feature.:-) yes this
is really a bug

To summarize a bit, this flaw allows to corrupt the local zone file
managed by the device and may allows an
internal user to trigger DNS based spoofing attacks.

| This products are targeted for SOHO (any corporate user already
| have DNS/DHCP server implemented)

| where this kind of attack does not lead to any serious threats.
|
In this case, i agree and as mentionned in my post:

"It is unlikely that a lot of offices are using Alcatel DNS/DHCP
servers but if yours does then read the
following."

however for offices that may actually use it,  *threat is serious*.
Gregory

| --Friday, November 12, 2004, 9:02:28 AM, you wrote to
| bugtraq () securityfocus com:
|
|
| GD> Upon complete DHCP negociation, Alcatel modem will try to
| register the GD> client's DHCP HOSTNAME option into its local DNS
| domain. GD> At this point, it will care about the hostname syntax
| and will also GD> check it for redundancy. GD> It will simply
| discard any DNS dynamic update if the proposed hostname GD> already
| exists. GD> If it doesn't, an entry is added to the end of the
| local zone file. GD> However any new DHCP request for an already
| existing lease, including GD> a redundant HOSTNAME, will bypass
| this checking. GD> We have now two entries with the same hostname
| but two differents ip GD> addresses.
|



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBlmZx9K2fGbOmSdYRApT5AKCIp6yHxELcdgVgw9nZRh0XDo4agACgySRv
edspt0QTZY57qNd34TtALMM=
=E2Gv
-----END PGP SIGNATURE-----