mailing list archives
Arescom NetDSL-1000 telnetd DoS
From: Pim van Riezen <pi () madscience nl>
Date: Sat, 9 Feb 2002 00:32:11 -0800
The Arescom NetDSL-1000 series of DSL routers is in common use by a number
of DSL providers. It offers connectivity to the DSL circuit through
Ethernet and USB. They are intended to be delivered to DSL customers as
pre-configured black boxen; customers don't get to know the configuration.
The router leaves a telnet port open for the ISP to reconfigure it if the
need arises. The software serving this port keeps no per-session state: the
telnet connection is wired in software directly to something that behaves
more like a serial console. When you connect, it asks for a configuration
password. If you send it a long string (say the good old 'a'x256), the
login code breaks the input into several shorter chunks and treats each
chunk as a separate attempt to log in. After three or so failures, the
telnet connection is closed.
If you reconnect after such a failure, having used these long strings, you
can see the login code continue parsing your previous password attempt,
immediately printing a couple more login failures to your screen before
you have typed anything.
If you flood the telnet configuration port a couple of dozen times with
long strings, eventually the telnetd service flat out dies. Routing
functions of the NetDSL continue to work as before. It is unknown whether
only the telnetd service is affected; other means of remote configuration
may have become unavailable as well.
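The parsing behaviour described above, as a constructed model added here. This is
not Arescom code and is not derived from the NetDSL firmware: the line-buffer
size, the failure limit, the prompt and banner strings and the placeholder
password are assumptions chosen to reproduce the symptoms in the post (a long
string becomes several attempts; leftover input survives a dropped connection).
The eventual death of telnetd is not modelled, since the post gives no cause for
it. A hardened counterpart with a per-connection buffer is shown beside it, and
unsolicited_output() is a small live check (not run by the test) that captures
what a device sends before you type anything.

```python
import socket

# Assumed parameters for the model (the post gives no exact figures).
LINE_MAX = 64          # bytes the console line buffer hands over per "line"
MAX_FAILURES = 3       # "after three or so failures" the connection is closed
PASSWORD = b"hunter2"  # constructed placeholder, not a real default


class SessionUnawareLogin:
    """Model of a telnetd that wires the TCP stream straight into a
    serial-console-style login loop with ONE input buffer for all time."""

    def __init__(self):
        self.pending = b""   # never flushed when a connection is dropped

    def connect(self, typed):
        """One telnet connection in which the client sends `typed`.
        Returns the server messages the client sees, in order."""
        self.pending += typed
        seen = [b"Password: "]
        failures = 0
        while self.pending and failures < MAX_FAILURES:
            # the line discipline hands over at most LINE_MAX bytes at a time,
            # so one long string turns into several "attempts"
            chunk, self.pending = self.pending[:LINE_MAX], self.pending[LINE_MAX:]
            if chunk.rstrip(b"\r\n") == PASSWORD:
                seen.append(b"OK\n")
                return seen
            failures += 1
            seen.append(b"Login incorrect\n")
        # server drops the line after MAX_FAILURES, or the client hangs up;
        # either way self.pending keeps whatever was not consumed yet
        seen.append(b"Connection closed.\n")
        return seen


class SessionAwareLogin:
    """Hardened counterpart: the input buffer belongs to the connection and
    an over-long line counts as exactly one failed attempt."""

    def connect(self, typed):
        pending = typed            # dies with the connection
        seen = [b"Password: "]
        failures = 0
        while pending and failures < MAX_FAILURES:
            # take one newline-terminated line; partition discards nothing
            # from the rest of the stream, so an oversize line is still one line
            line, _, pending = pending.partition(b"\n")
            if len(line) <= LINE_MAX and line.rstrip(b"\r") == PASSWORD:
                seen.append(b"OK\n")
                return seen
            failures += 1
            seen.append(b"Login incorrect\n")
        seen.append(b"Connection closed.\n")
        return seen


def failures_per_connection(login, payload=b"a" * 256, reconnects=3):
    """Send `payload` on the first connection, then reconnect `reconnects`
    times sending nothing; return how many failures each connection shows.
    On the session-unaware model the later connections print failures
    before the client has typed anything."""
    counts = []
    for i in range(reconnects + 1):
        seen = login.connect(payload if i == 0 else b"")
        counts.append(seen.count(b"Login incorrect\n"))
    return counts


def unsolicited_output(host, port=23, timeout=3.0):
    """Live check against a real device: return every byte the service sends
    before we type anything. After a dropped long-string connection, a box with
    the leftover-buffer behaviour shows failure banners here. Needs a device,
    so it is not exercised by the test."""
    got = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                got += data
        except socket.timeout:
            pass
    return got
```

With the assumed 64-byte line buffer, 256 'a's become four chunks: the first
connection burns three of them as failures and is closed, and the fourth is
served up as a failure on the next connection before anything is typed. The
hardened version sees the same 256 bytes as one bad attempt and forgets them
when the connection ends.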
Depending on which side of the NetDSL router you are on, this DoS
vulnerability is either a liability or a benefit. From the customer's point
of view, having the router unavailable for remote probing and
configuration by the ISP could be considered a Good Thing. Obviously, DSL
providers have other priorities. No solution beyond power-cycling the
NetDSL has been found.
KONG Died for http://nexus.madscience.nl/pim/