Ascend MAX 4000 IP address theft flaw

Date: Thu, 26 Jun 1997 16:47:49 -0500
From: Joe Shaw <jshaw@INSYNC.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: Ascend DoS attack

Problem:
Recently, we noticed a problem in Ascends microcode for the Ascend MAX
4000 that allowed any user to request any IP address they wanted.  This
problem surfaced in the 4.x versions of code, works on 5.0Ap8, and
probably works on most of the versions of Ascend software.
It was fixed originally some time ago (or at least thats what I was led to
believe by Ascend), but the problem resurfaced recently.  It will work,
even if you have such things as Assign Adrs and Pool only set to yes.

The problem can be duplicated by just making your settings in windows
Dialup Networking say Specify IP Address, and then setting it to the ip
address of a machine on the network you're connecting to.  Once connected,
I telneted from another machine to our router, and sure enough, when I did
a show ip route xxx.xxx.xxx.xxx, it showed that it was being broadcast via
OSPF from one of our MAXen, instead of being connected directly to FDDI0.
I assumed I couldn't get out to the network, but in attempting to telnet
out from the dialin box, I got to our core cisco and the other machines on
our network.

Possibilities:
The ability to take any IP address means that a dialin user can take the
IP address of a DNS server, a router, anything with an IP address.  In
some instances (where proxy mode is enabled on the MAX) you will be able
to still route to some machines, while not being able to get to others
(this depends on the network setup).  Also, it's possible to take the IP
address of one machine by simply dialing up, and while doing so, you could
possibly rcp over a password file or any other file you wanted to as long
as the ip address of the machine is trusted.  This makes any service that
works strictly off of authenticatino of IP address extremely vulnerable.
You could take over DNS services, grab passwords for people checking pop
mail, and anything else you can think of.

Solution:
After some poking around, I upgraded all the MAXen to the latest
version (5.0Ap13), which seems to have fixed the problem.  I know most
Ascend users are leary of doing this, since features are fixed, then
broken in later versions of code.  But, 5.0Ap13 has been working since the
begining of this week and has proven to be stable doing multi-chasis
stacking and OSPF.

Sidenotes:
I don't know if this will work on the MAX TNT, but I'm fairly sure it will
work on the MAX4002, MAX4004, MAX4048, and MAX4072.  If you have one of
these units, I'd test and make sure, and if you're vulnerable, get the
latest version of code off ftp.ascend.com.

Joe Shaw - jshaw@insync.net
NetAdmin - Insync Internet Services
Learn more, and you will never starve.