| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <41966671.5020202@sympatico.ca> Date: Sat, 13 Nov 2004 14:54:25 -0500 From: Gregory Duchemin <c3rb3r@...patico.ca> To: bugtraq@...urityfocus.com Subject: Re: Security flaw in ALCATEL/THOMSON Speed Touch Pro ADSL modems -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear 3APA3A, 3APA3A wrote: | Dear Gregory Duchemin, | | In case of the product like ADSL modem is, it's not a bug, but a | leak of feature to secure DHCP and/or dynamic DNS updates, | because it's a way DHCP and DNS are supposed to work and it's | impossible to fix it without implementing protocol extensions. The first flaw lies in a lack of (hostname) collision checking when collision happens within a valid (already) registered lease, Alcatel firmware simply doesn't validate any further Hostname given to it, once the first checking has occured. Second flaw (a direct consequence of the first) appears when deleting a record for the zone (from the web interface), all collisions will then be deleted at once. Such behavior was obviously not expected by programmers. This doesn't require protocol extension, the same care (user input validation) should be applied for *all* DHCP packets received and not only the first one. All the programmatical logic is already there but not correctly implemented. It is correct behavior for a standard DNS to round robbin between several ip adresses when a zone administrator has configured it for this purpose BUT NOT when it comes from a user exploiting a flaw in the server. Moreover Speed touch Pro DNS has no round robbin feature.:-) yes this is really a bug To summarize a bit, this flaw allows to corrupt the local zone file managed by the device and may allows an internal user to trigger DNS based spoofing attacks. | This products are targeted for SOHO (any corporate user already | have DNS/DHCP server implemented) | where this kind of attack does not lead to any serious threats. | In this case, i agree and as mentionned in my post: "It is unlikely that a lot of offices are using Alcatel DNS/DHCP servers but if yours does then read the following." however for offices that may actually use it, *threat is serious*. Gregory | --Friday, November 12, 2004, 9:02:28 AM, you wrote to | bugtraq@...urityfocus.com: | | | GD> Upon complete DHCP negociation, Alcatel modem will try to | register the GD> client's DHCP HOSTNAME option into its local DNS | domain. GD> At this point, it will care about the hostname syntax | and will also GD> check it for redundancy. GD> It will simply | discard any DNS dynamic update if the proposed hostname GD> already | exists. GD> If it doesn't, an entry is added to the end of the | local zone file. GD> However any new DHCP request for an already | existing lease, including GD> a redundant HOSTNAME, will bypass | this checking. GD> We have now two entries with the same hostname | but two differents ip GD> addresses. | -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFBlmZx9K2fGbOmSdYRApT5AKCIp6yHxELcdgVgw9nZRh0XDo4agACgySRv edspt0QTZY57qNd34TtALMM= =E2Gv -----END PGP SIGNATURE-----
Powered by blists - more mailing lists