Message-ID: <41966671.5020202@sympatico.ca>
Date: Sat, 13 Nov 2004 14:54:25 -0500
From: Gregory Duchemin <c3rb3r@...patico.ca>
To: bugtraq@...urityfocus.com
Subject: Re: Security flaw in ALCATEL/THOMSON Speed Touch Pro ADSL modems



Dear 3APA3A,

3APA3A wrote:

| Dear Gregory Duchemin,
|
| In the case of a product like an ADSL modem, it's not a bug, but a
| lack of a feature to secure DHCP and/or dynamic DNS updates,
| because it's the way DHCP and DNS are supposed to work and it's
| impossible to fix it without implementing protocol extensions.

The first flaw lies in a lack of (hostname) collision checking when a
collision happens within a valid (already) registered lease: the Alcatel
firmware simply doesn't validate any further hostname given to it
once the first check has occurred.
The second flaw (a direct consequence of the first) appears when deleting
a record from the zone (via the web interface): all collisions will
then be deleted at once. Such behavior was obviously not expected by
the programmers.

This doesn't require a protocol extension; the same care (user input
validation) should be applied to *all* DHCP packets received and not
only the first one. All the programmatic logic is already there but
not correctly implemented.

It is correct behavior for a standard DNS server to round robin between
several IP addresses when a zone administrator has configured it for
this purpose, BUT NOT when it comes from a user exploiting a flaw in
the server.
Moreover, the Speed Touch Pro DNS has no round robin feature. :-) Yes, this
is really a bug.

To summarize a bit, this flaw allows corrupting the local zone file
managed by the device and may allow an
internal user to trigger DNS-based spoofing attacks.

| These products are targeted at SOHO (any corporate user already
| has a DNS/DHCP server implemented) where this kind of attack does
| not lead to any serious threats.
|
In this case, I agree, and as mentioned in my post:

"It is unlikely that a lot of offices are using Alcatel DNS/DHCP
servers but if yours does then read the
following."

However, for offices that may actually use it, *the threat is serious*.
Gregory

| --Friday, November 12, 2004, 9:02:28 AM, you wrote to
| bugtraq@...urityfocus.com:
|
| GD> Upon complete DHCP negotiation, the Alcatel modem will try to
| GD> register the client's DHCP HOSTNAME option into its local DNS
| GD> domain. At this point, it will care about the hostname syntax
| GD> and will also check it for redundancy. It will simply
| GD> discard any DNS dynamic update if the proposed hostname already
| GD> exists. If it doesn't, an entry is added to the end of the
| GD> local zone file. However any new DHCP request for an already
| GD> existing lease, including a redundant HOSTNAME, will bypass
| GD> this checking. We have now two entries with the same hostname
| GD> but two different IP addresses.
|
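The registration logic the thread describes, as an added example (not the Alcatel/Thomson firmware, whose code is not on the page): a toy DHCP-to-DNS registrar in Python that reproduces the reported behaviour (collision check only on a new lease, delete-by-name removing every colliding record) beside a corrected form that validates every update and removes one record. Client ids, addresses and hostnames are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class DynamicZone:
    """Toy registrar: strict=False reproduces the reported flaws."""
    strict: bool = True
    leases: set = field(default_factory=set)     # client ids holding a lease
    records: list = field(default_factory=list)  # (hostname, ip, client_id)

    def dhcp_ack(self, client_id, ip, hostname):
        """Completed DHCP exchange carrying a HOSTNAME option.
        Returns True if the zone now holds a record for this client."""
        is_new_lease = client_id not in self.leases
        self.leases.add(client_id)
        # Flawed firmware: renewals on an existing lease bypass the check.
        if self.strict or is_new_lease:
            if any(h == hostname and c != client_id for h, _, c in self.records):
                return False                      # discard the dynamic update
        if self.strict:
            # Replace this client's own earlier record for the name (renewal,
            # or the client moved to a new address) instead of appending.
            self.records = [r for r in self.records
                            if not (r[0] == hostname and r[2] == client_id)]
        elif (hostname, ip, client_id) in self.records:
            return True
        self.records.append((hostname, ip, client_id))
        return True

    def delete(self, hostname):
        """Web-interface delete. Returns the number of records removed:
        the flawed form drops every colliding record, the fixed form one."""
        if self.strict:
            for i, rec in enumerate(self.records):
                if rec[0] == hostname:
                    del self.records[i]
                    return 1
            return 0
        before = len(self.records)
        self.records = [r for r in self.records if r[0] != hostname]
        return before - len(self.records)


def replay(strict):
    """Constructed scenario: a second client renews its existing lease with a
    HOSTNAME that already belongs to the first. Returns (zone, accepted)."""
    z = DynamicZone(strict=strict)
    z.dhcp_ack("aa:bb", "192.168.1.10", "fileserver")     # legitimate host
    z.dhcp_ack("cc:dd", "192.168.1.20", "guest")          # new lease, checked
    accepted = z.dhcp_ack("cc:dd", "192.168.1.20", "fileserver")  # renewal
    return z, accepted
```

With strict=False the renewal is accepted and the zone ends up with two "fileserver" records, and deleting that name from the interface removes both; with strict=True the renewal is rejected and the legitimate record survives.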


