Hardware Exploit - Gets network Down

[netsec () GFI COM (netsec [davidv])]

Subject: Allegro-Software-RomPager/2.10 vulnerable to Dos Attack

Risk: Serious!

*Timescape*

/*
Advisory TS002 -------------------------------------------

Allegro-Software-RomPager is an http server which is
used in network hardware like switches to provide a
web interface to remotely configure your hardware.

Recently I was bashing up a D-Link DES-3224+ ethernet
switch and after submitting a number of invalid authentication
requests to the Allegro-Software-RomPager installed on
it I managed to freeze the whole switch putting all the
network down.

It seems that sending an incorrect request to the switch
will cause the http server to crash and then crashing
the actual switch.  I only tested this on a D-Link DES-3224+
however there are other companies which use the Allegro
software for their devices.

Companies which use it are (as on Allegro website):
3Com
Acacia Networks
AccessLan Communications
Agilent Corporation
American Power Conversion
Andover Controls Corporation
Casio
Cisco Systems
D-Link Systems, Inc.
eNote Corporation
Netopia Communications
Xerox
... and other companies
    at http://www.allegrosoft.com/innovators.html

This is rather serious as if all these hardware items
can be crashed by just an invalid request a typical
blackhat can crash a whole company infrastructure in
a couple of minutes.

Also APC (American Power Supplies) use it and if
anyone has a UPS of APC with RomPager try to test it
out.  I hope the RomPager does not have any control of
the actual power supply.

I wont release any exploit apps. for now.

Please email me of any hardware you may find which is
expoitable so I can mantain a list.

Thanks to USSRlabs; Max Vision; rfp; Dragos and other people at the
CanSecWest.

Timescape

EMAIL: vellad () kattare com

DISCLAIMER:

I cannot

TS002---------------------------------------------*/

www.windows2000security.com

This disclaimer was sent by Mail essentials for Exchange/SMTP.
Mail essentials adds content checking of inbound and outbound mail,
PGP email encryption, disclaimers, anti virus, anti spam, mail
archiving outbound mail compression, personalised auto replies
and more to Exchange server!

More information on http://www.gficomms.com/mesindex.htm

To send us secure email, use our PGP key below. Mail essentials will
automatically decrypt your message at our Exchange server.

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQBtAze7peIAAAEDAMI1Yd0d6Yox5qVaoDpbMXR9/alPxkXW+My+d95oFx4AxjI/
FGOkBb12hrMsrZrH7Ljm0C3Ek5PUlrV+5XTItehzVF5I0NJzAfmqQvmOwSTHD91M
QzCgD9TpVyBS1JkdcwAFEbQhR0ZJIEZBWCAmIFZPSUNFIDxpbmZvQGdmaWZheC5j
b20+iQB1AwUQN7ul4ulXIFLUmR1zAQHDNQL+OOyhr1+T7irwJNfUI4AX8c9CakPU
h9GkdwxdgrfmMAXjxZvQzZqsgpGe4z2SjWA3nBJS8nvLetb6L8dOmNenfH2/3Ar/
XoLIrLfK7APVcctSBiiA56Q4Gnnl+FQO6oYq
=ZmhW
-----END PGP PUBLIC KEY BLOCK-----