Vulnerability
ascend

Affected
MAX4002, MAX4004, MAX4048, and MAX4072 (MAX TNT?)

Description
Joe Shaw noticed a problem in Ascend's microcode for the Ascend MAX 4000 that allowed any user to request any IP address they wanted. This problem surfaced in the 4.x versions of code, works on 5.0Ap8, and probably works on most versions of Ascend software. It was fixed originally some time ago, but the problem resurfaced recently. It will work even if you have such things as Assign Adrs and Pool Only set to yes.

The problem can be duplicated by just making your settings in Windows Dial-Up Networking say Specify IP Address, and then setting it to the IP address of a machine on the network you're connecting to. Once connected, Joe telneted from another machine to his router, and sure enough, when he did a show ip route xxx.xxx.xxx.xxx, it showed that the address was being broadcast via OSPF from one of his MAXen, instead of being connected directly to FDDI0. He assumed he couldn't get out to the network, but in attempting to telnet out from the dial-in box, he got to his core Cisco and the other machines on his network.

The ability to take any IP address means that a dial-in user can take the IP address of a DNS server, a router, anything with an IP address. In some instances (where proxy mode is enabled on the MAX) you will still be able to route to some machines, while not being able to get to others (this depends on the network setup). Also, it's possible to take the IP address of one machine by simply dialing up, and while doing so, you could possibly rcp over a password file or any other file you wanted, as long as the IP address of the machine is trusted. This makes any service that works strictly off of authentication by IP address extremely vulnerable. You could take over DNS services, grab passwords for people checking POP mail, and anything else you can think of.

Solution
Latest version (5.0Ap13) seems to have fixed the problem. This can be found at: ftp.ascend.com
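The symptom in the description, a host address advertised via OSPF from a MAX instead of being directly connected, can be audited for. The following is an added example, not part of the original advisory: the simplified route tuples, device names, pool and addresses are constructed assumptions, not real router output.

```python
import ipaddress

# Constructed sample data (assumptions, documentation address ranges only).
DIALIN_POOL = ipaddress.ip_network("192.0.2.128/26")   # addresses the MAX is meant to assign
CONNECTED = [ipaddress.ip_network("192.0.2.0/25")]     # LAN directly attached to the router
KNOWN_HOSTS = {"192.0.2.10": "dns1", "192.0.2.1": "core-router"}

# Simplified route entries: (prefix, source protocol, advertising device or interface).
ROUTES = [
    ("192.0.2.0/25", "connected", "FDDI0"),
    ("192.0.2.130/32", "ospf", "max-1"),    # expected: pool address of a dial-in session
    ("192.0.2.10/32", "ospf", "max-1"),     # LAN server address advertised by a MAX
    ("198.51.100.7/32", "ospf", "max-2"),   # host route outside the dial-in pool
]

def audit_routes(routes, pool, connected, known_hosts):
    """Return (address, advertiser, reason, owner) for OSPF host routes
    that are not inside the dial-in pool."""
    findings = []
    for prefix, proto, via in routes:
        net = ipaddress.ip_network(prefix)
        # Only host routes learned via OSPF are of interest here.
        if proto != "ospf" or net.prefixlen != net.max_prefixlen:
            continue
        addr = net.network_address
        if addr in pool:
            continue  # legitimately assigned dial-in address
        if any(addr in lan for lan in connected):
            # A more specific route now overrides the connected LAN for this host.
            reason = "shadows-connected"
        else:
            reason = "outside-pool"
        findings.append((str(addr), via, reason, known_hosts.get(str(addr))))
    return findings

if __name__ == "__main__":
    for addr, via, reason, owner in audit_routes(ROUTES, DIALIN_POOL, CONNECTED, KNOWN_HOSTS):
        print(f"{addr} advertised by {via}: {reason} (known host: {owner})")
```
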