Full Disclosure mailing list archives
Re: iDEFENSE Security Advisory 06.11.03: Denial of Service Vulnerability in SMC Networks' Barricade Wireless Router
From: "Kristian Hermansen" <khermans () rcn com>
Date: Thu, 12 Jun 2003 10:57:58 -0400
You know what? I have an SMC7004AWBR which is about the same model as the one mentioned in this advisory (SMC7004VWBR). I'm telling you that if you investigate a similar problem with malformed packets over ANY interface you will definitely find another problem with this router. The reason I know this is because I have an XBOX which I stream movies to from my PC. There is a wireless bridge connected to the back of the XBOX, which communicates to the router using wireless signals with no encryption. My PC is hooked up on one of the internal ports on the router. Every now and then while I am streaming movies, it will freeze up the router and I cannot use it until I power cycle the thing. I had always wondered if this was a bug in the XBOX Media Player software (2.3, 2.4 untested) or a problem with the router. SMC told me there was nothing wrong with the router, of course. This seems to be the general idea of what has been happening and the post caught my eye. I'm sure if someone had the time/resources to investigate further they will find some way to crash the router the same way I have been doing for months now. Of course, this is very bad because anyone can shut me down without even plugging into the router!!! All they need to do is send some bad data over the wireless connection (I think) and the router will freeze up. I think that it may possibly be an infinite loop that the router gets stuck in, but I cannot speculate further. If anyone figures it out let me know since I would love to have a vendor patch for this issue since it pisses me off every time I watch movies streamed to my XBOX (over 25 times now it has happened using SMB/Windows shares on Win XP and XBMP 2.3, 2.4 untested). Thanks...
Kris Hermansen

----- Original Message -----
From: "iDEFENSE Labs" <labs () idefense com>
To: <full-disclosure () lists netsys com>
Sent: Wednesday, June 11, 2003 6:12 PM
Subject: [Full-disclosure] iDEFENSE Security Advisory 06.11.03: Denial of Service Vulnerability in SMC Networks' Barricade Wireless Router

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 06.11.03:
http://www.idefense.com/advisory/06.11.03.txt
Denial of Service Vulnerability in SMC Networks' Barricade Wireless Router
June 11, 2003

I. BACKGROUND

SMC Networks' Barricade Wireless Cable/DSL Broadband Router, version SMC7004VWBR, "combines a 4-port 10/100 Mbps dual-speed switch with Automatic MDI-MDIX feature, a high speed 11Mbps wireless access point, Stateful Packet Inspection (SPI) firewall security, network management, and Virtual Private Network (VPN) passthrough support into one convenient device." More information is available at http://www.smc.com/index.cfm?sec=Products&pg=Product-Details&prod=258&site=c .

II. DESCRIPTION

The SMC7004VWBR crashes when a specially formatted series of packets are sent to TCP port 1723 (PPTP) on its internal interface. Following the attack, the router remains unresponsive to requests on the wireless portions of the connected LAN, thus preventing users from accessing network resources.

III. ANALYSIS

By default, the router is listening on TCP port 1723. A default configuration includes enabled wireless access and a DHCP server. Therefore, if appropriate steps have not been taken to secure the device, it is trivial for a remote attacker to conduct the DoS attack by connecting to a targeted network using an 802.11b wireless network interface card.

IV. DETECTION

Barricade Wireless Router, version SMC7004VWBR, is affected. The vulnerability is confirmed to exist on the following configuration, with previous versions of the firmware suspected as well:

Runtime Code Version: v1.20 (Nov 15 2002 22:08:48)
Boot Code Version: V1.06
Hardware Version: 01

V. RECOVERY

A hard reset is required to restore normal functionality. This requires physical access to the router and can be accomplished by either unplugging the router or by using the reset button located on the back of the router. Remotely restoring normal functionality by using the web-based administrative console is not possible due to the DoS, even from hosts physically connected to the router itself.

VI. WORKAROUND

The router provides various security controls, one of which allows an administrator to restrict network access via the router only to hosts with authorized MAC addresses. By hard-coding authorized MAC addresses, an attacker would have to spoof a legitimate MAC address to conduct the attack. While this measure does not prevent the attack, it does increase the complexity of conducting an attack, thus reducing the likelihood of somebody undertaking such a venture.

VII. VENDOR FIX

SMC Networks has released firmware version 1.23 which fixes this vulnerability. It is available for download at http://www.smc.com/index.cfm?sec=Products&pg=Product-Details&prod=258&site=c#downloads .

VIII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2003-0419 to this issue.

IX. DISCLOSURE TIMELINE

15 APR 2003  Issue disclosed to SMC Networks (security () smc com)
15 APR 2003  iDEFENSE clients notified
15 APR 2003  Response from olivier () smc-mail com
21 APR 2003  Response from Brian Larsen, Barricade Product Manager
30 APR 2003  Response from Brian Larsen
10 JUN 2003  Firmware 1.23 provided by SMC to iDEFENSE for testing
11 JUN 2003  Coordinated Public Disclosure

X. CREDIT

Michael Sutton (msutton () idefense com) is credited with discovering this vulnerability.

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv () idefense com, subject line: "subscribe"

About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world - from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com .

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPueT8frkky7kqW5PEQIpYACfXUproAwxaKYB7AeOKa5unfWdqokAnRi9
GP6+cBLAMyZA4vBIXigrztVU
=vbiG
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
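
Added example, not part of the advisory or of the reply above: a Python triage helper that applies the advisory's DETECTION and VENDOR FIX statements to a device inventory and offers a payload-free check of whether TCP port 1723 accepts connections. The inventory rows, status names and function names are constructed for illustration, and treating releases between 1.20 and 1.23 as unfixed is an assumption.

```python
import re
import socket

FIXED = (1, 23)       # firmware release the advisory names as the fix
CONFIRMED = (1, 20)   # runtime code version the advisory confirmed as vulnerable
PPTP_PORT = 1723      # TCP port the advisory says is listening by default

def parse_runtime_version(text):
    """Parse 'v1.20 (Nov 15 2002 22:08:48)' into (1, 20); None if unrecognised."""
    m = re.match(r"\s*[vV]?(\d+)\.(\d+)", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(model, runtime_version):
    """Triage status derived only from what the advisory states."""
    if model.strip().upper() != "SMC7004VWBR":
        return "not-covered"          # the advisory names only this model
    ver = parse_runtime_version(runtime_version)
    if ver is None:
        return "unknown-version"      # fail closed: needs a manual look
    if ver >= FIXED:
        return "fixed"
    if ver == CONFIRMED:
        return "confirmed-vulnerable"
    # Earlier versions are "suspected"; anything else below 1.23 is assumed unfixed.
    return "upgrade"

def pptp_port_open(host, port=PPTP_PORT, timeout=2.0):
    """True if a plain TCP connect succeeds; no data is sent on the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

# Constructed inventory: (name, model, "Runtime Code Version" string from the status page)
INVENTORY = [
    ("office-ap", "SMC7004VWBR", "v1.20 (Nov 15 2002 22:08:48)"),
    ("lab-ap", "SMC7004VWBR", "v1.23"),
    ("attic-ap", "SMC7004VWBR", "v1.10"),
    ("home-ap", "SMC7004AWBR", "v1.20"),
    ("spare", "SMC7004VWBR", ""),
]

def triage(inventory):
    return {name: classify(model, ver) for name, model, ver in inventory}

if __name__ == "__main__":
    for name, status in triage(INVENTORY).items():
        print(f"{name}: {status}")
```

Run `pptp_port_open` from a host on the wireless segment of your own network to see whether the port is reachable from where the advisory says the attack originates.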
