From: khermans at rcn.com (Kristian Hermansen)
Subject: iDEFENSE Security Advisory 06.11.03: Denial of Service Vulnerability in SMC Networks' Barricade Wireless Router

You know what?  I have an SMC7004AWBR which is about the same model as the
one mentioned in this advisory (SMC7004VWBR).  I'm telling you that if you investigate a
similar problem with malformed packets over ANY interface you will
definitely find another problem with this router.  The reason I know this is
because I have an XBOX which I stream movies to from my PC.  There is a
wireless bridge connected to the back of the XBOX, which communicates to the
router using wireless signals with no encryption.  My PC is hooked up on one
of the internal ports on the router.  Every now and then while I am
streaming movies, it will freeze up the router and I cannot use it until I
power cycle the thing.  I had always wondered if this was a bug in the XBOX
Media Player software (2.3, 2.4 untested) or a problem with the router.  SMC
told me there was nothing wrong with the router, of course.  This seems to
be the general idea of what has been happening and the post caught my eye.
I'm sure if someone had the time/resources to investigate further they will
find some way to crash the router the same way I have been doing for months
now.  Of course, this is very bad because anyone can shut me down without
even plugging into the router!!!  All they need to do is send some bad data
over the wireless connection (I think) and the router will freeze up.  I
think that it may possibly be an infinite loop that the router gets stuck
in, but I cannot speculate further.  If anyone figures it out let me know
since I would love to have a vendor patch for this issue since it pisses me
off every time I watch movies streamed to my XBOX (over 25 times now it has
happened using SMB/Windows shares on Win XP and XBMP 2.3, 2.4 untested). Thanks...

Kris Hermansen

----- Original Message ----- 
From: "iDEFENSE Labs" <labs@...fense.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Wednesday, June 11, 2003 6:12 PM
Subject: [Full-Disclosure] iDEFENSE Security Advisory 06.11.03: Denial of
Service Vulnerability in SMC Networks' Barricade Wireless Router


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> iDEFENSE Security Advisory 06.11.03:
> http://www.idefense.com/advisory/06.11.03.txt
> Denial of Service Vulnerability in SMC Networks' Barricade Wireless
> Router
> June 11, 2003
>
> I. BACKGROUND
>
> SMC Networks' Barricade Wireless Cable/DSL Broadband Router, version
> SMC7004VWBR, "combines a 4-port 10/100 Mbps dual-speed switch with
> Automatic MDI-MDIX feature, a high speed 11Mbps wireless access point,
> Stateful Packet Inspection (SPI) firewall security, network management,
> and Virtual Private Network (VPN) passthrough support into one
> convenient device." More information is available at
> http://www.smc.com/index.cfm?sec=Products&pg=Product-Details&prod=258&site=c .
>
> II. DESCRIPTION
>
> The SMC7004VWBR crashes when a specially formatted series of packets
> are sent to TCP port 1723 (PPTP) on its internal interface. Following
> the attack, the router remains unresponsive to requests on the wireless
> portions of the connected LAN, thus preventing users from accessing
> network resources.
>
> III. ANALYSIS
>
> By default, the router is listening on TCP port 1723. A default
> configuration includes enabled wireless access and a DHCP server.
> Therefore, if appropriate steps have not been taken to secure the
> device, it is trivial for a remote attacker to conduct the DoS attack
> by connecting to a targeted network using an 802.11b wireless network
> interface card.
>
> IV. DETECTION
>
> Barricade Wireless Router, version SMC7004VWBR, is affected. The
> vulnerability is confirmed to exist on the following configuration,
> with previous versions of the firmware suspected as well:
>
> Runtime Code Version: v1.20 (Nov 15 2002 22:08:48)
> Boot Code Version: V1.06
> Hardware Version: 01
>
> V. RECOVERY
>
> A hard reset is required to restore normal functionality. This requires
> physical access to the router and can be accomplished by either
> unplugging the router or by using the reset button located on the back
> of the router. Remotely restoring normal functionality by using the
> web-based administrative console is not possible due to the DoS, even
> from hosts physically connected to the router itself.
>
> VI. WORKAROUND
>
> The router provides various security controls, one of which allows an
> administrator to restrict network access via the router only to hosts
> with authorized MAC addresses. By hard-coding authorized MAC addresses,
> an attacker would have to spoof a legitimate MAC address to conduct the
> attack. While this measure does not prevent the attack, it does
> increase the complexity of conducting an attack, thus reducing the
> likelihood of somebody undertaking such a venture.
>
> VII. VENDOR FIX
>
> SMC Networks has released firmware version 1.23 which fixes this
> vulnerability. It is available for download at
> http://www.smc.com/index.cfm?sec=Products&pg=Product-Details&prod=258&site=c#downloads .
>
> VIII. CVE INFORMATION
>
> The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
> has assigned the identification number CAN-2003-0419 to this issue.
>
> IX. DISCLOSURE TIMELINE
>
> 15 APR 2003      Issue disclosed to SMC Networks (security@....com)
> 15 APR 2003      iDEFENSE clients notified
> 15 APR 2003      Response from olivier@...-mail.com
> 21 APR 2003      Response from Brian Larsen, Barricade
>                  Product Manager
> 30 APR 2003      Response from Brian Larsen
> 10 JUN 2003      Firmware 1.23 provided by SMC to iDEFENSE
>                  for testing
> 11 JUN 2003      Coordinated Public Disclosure
>
> X. CREDIT
>
> Michael Sutton (msutton@...fense.com) is credited with discovering this
> vulnerability.
>
>
> Get paid for security research
> http://www.idefense.com/contributor.html
>
> Subscribe to iDEFENSE Advisories:
> send email to listserv@...fense.com, subject line: "subscribe"
>
>
> About iDEFENSE:
>
> iDEFENSE is a global security intelligence company that proactively
> monitors sources throughout the world - from technical
> vulnerabilities and hacker profiling to the global spread of viruses
> and other malicious code. Our security intelligence services provide
> decision-makers, frontline security professionals and network
> administrators with timely access to actionable intelligence
> and decision support on cyber-related threats. For more information,
> visit http://www.idefense.com .
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0
>
> iQA/AwUBPueT8frkky7kqW5PEQIpYACfXUproAwxaKYB7AeOKa5unfWdqokAnRi9
> GP6+cBLAMyZA4vBIXigrztVU
> =vbiG
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
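
An added example, not part of the original post or the iDEFENSE advisory: a small triage helper that reads the three status fields in the format quoted under "IV. DETECTION" and classifies a device against the versions the advisory names (v1.20 confirmed, earlier releases suspected, 1.23 fixed). The function names and result labels are assumptions made for this sketch; releases between 1.20 and 1.23 are reported separately because the advisory says nothing about them.

```python
import re

# Versions taken from the advisory text: v1.20 confirmed vulnerable, 1.23 fixes it.
CONFIRMED = (1, 20)
FIXED = (1, 23)

_FIELD = re.compile(
    r"^(Runtime Code Version|Boot Code Version|Hardware Version)\s*:\s*(.+?)\s*$",
    re.IGNORECASE,
)
_VERSION = re.compile(r"[vV]?(\d+)\.(\d+)")

# Status block exactly as quoted in the advisory (mail quoting included).
ADVISORY_SAMPLE = """\
> Runtime Code Version: v1.20 (Nov 15 2002 22:08:48)
> Boot Code Version: V1.06
> Hardware Version: 01
"""

def parse_status(text):
    """Return the status fields found in text, keyed by lowercase field name."""
    fields = {}
    for line in text.splitlines():
        match = _FIELD.match(line.lstrip("> "))  # tolerate '>' mail quoting
        if match:
            fields[match.group(1).lower()] = match.group(2)
    return fields

def classify(text):
    """Classify a device by its runtime code version (labels are this sketch's own)."""
    raw = parse_status(text).get("runtime code version")
    match = _VERSION.match(raw) if raw else None
    if not match:
        return "unknown"  # field missing or unparsable: check the device by hand
    version = (int(match.group(1)), int(match.group(2)))
    if version >= FIXED:
        return "fixed"
    if version == CONFIRMED:
        return "confirmed-vulnerable"
    if version < CONFIRMED:
        return "suspected-vulnerable"  # "previous versions ... suspected as well"
    return "below-fixed-release"  # not covered by the advisory; upgrade to 1.23

if __name__ == "__main__":
    print(parse_status(ADVISORY_SAMPLE))
    print(classify(ADVISORY_SAMPLE))
```
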
