18th Feb 2002 [SBWID-5108]
COMMAND
NetGear gateway denial of service
SYSTEMS AFFECTED
probably all versions
PROBLEM
Ben Ryan reported the following:
Found a denial of service in the IP stack of the Netgear RM-356. This
is your typical 'internet gateway in a box'. Small businesses love
'em.
This isn't exactly 'end of the internet' stuff, so I haven't
bothered to do any coochie-coo vendor-informed stuff. Write bad code
and sell it, stand up and be counted for your mistakes. Even simple
testing would have uncovered this.
Using lx252 and nmap-254b30, I performed a udp scan against the netgear
nat box, this device has a V90 modem WAN interface. cmd line was:
snuff# nmap -sU 210.9.238.103 -T5
It seems to be 161/UDP that's vulnerable... what a coincidence :) TCP
connect() scans seem to be ok. Upon receipt of the nmap probe, the box
does a crashdump to console. Perhaps this is an overflow? IANAasmdev :)
All your RM-356 are belong to us :)
Menu 24.2.1 - System Maintenance - Information
Name: *******_netgear
Routing: IP
RAS F/W Version: V2.21(I.03) | 3/30/2000
MODEM 1 F/W Version: V2.210-V90_2M_DLS
Country Code: 244
LAN
Ethernet Address: 00:a0:c5:e3:**:**
IP Address: 192.168.0.1
IP Mask: 255.255.255.0
DHCP: Server
CRASHDUMP::
Boot Module Version : 4.40. Built at Wed Feb 23 14:00:29 2000
Update
======
Simple Nomad reported that RT338, which is an ISDN router, falls over
with a udp scan. It does clear on its own, but not before dropping the
connection. Interestingly enough SNMP is not running on it -- it just
choked on the scan, but seems to handle a tcp scan ok. This would
suggest that the problem may lie with the filtering code (most of the
SOHO Netgear devices have some simple acls for filtering traffic) or
with the buffers that handle the packets.
I suspect all the RT and RM devices from Netgear may fall into this
category.
SOLUTION
nothing yet.
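With no fix available, the trigger reported above (a fast UDP scan of the gateway, with 161/UDP singled out) is something a sensor in front of the device can watch for. The Python below is an added example, not part of the original advisory: it flags UDP port sweeps and unexpected 161/UDP probes aimed at a gateway. The log format, addresses, window and threshold are all assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict

GATEWAY = "192.0.2.1"          # assumed gateway address (documentation range)
SNMP_ALLOWED = {"192.0.2.10"}  # assumed management host allowed to poll 161/UDP
WINDOW = 5.0                   # assumed sliding window, in seconds
PORT_THRESHOLD = 20            # assumed: distinct UDP ports per source per window


def parse(line):
    """Parse 'epoch src dst proto dport' (a constructed log format)."""
    ts, src, dst, proto, dport = line.split()
    return float(ts), src, dst, proto.lower(), int(dport)


def detect(lines):
    """Return a sorted list of (kind, src) alerts; lines must be in time order."""
    alerts = set()
    recent = defaultdict(list)  # src -> [(ts, dport)] inside the sliding window
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, proto, dport = parse(line)
        if dst != GATEWAY or proto != "udp":
            continue
        if dport == 161 and src not in SNMP_ALLOWED:
            alerts.add(("snmp-probe", src))
        hits = recent[src]
        hits.append((ts, dport))
        # Drop probes older than the window, then count distinct ports.
        while hits and ts - hits[0][0] > WINDOW:
            hits.pop(0)
        if len({p for _, p in hits}) >= PORT_THRESHOLD:
            alerts.add(("udp-sweep", src))
    return sorted(alerts)


def sample_log():
    """Constructed traffic: one fast sweep, one DNS client, one SNMP poller."""
    sweep = [f"{1000 + i * 0.01:.2f} 198.51.100.7 {GATEWAY} udp {p}"
             for i, p in enumerate(range(140, 180))]
    normal = [f"{1000 + i:.2f} 203.0.113.5 {GATEWAY} udp 53" for i in range(30)]
    poller = [f"1002.00 192.0.2.10 {GATEWAY} udp 161"]
    tcp = [f"1003.00 203.0.113.9 {GATEWAY} tcp 161"]
    return sorted(sweep + normal + poller + tcp, key=lambda l: float(l.split()[0]))


if __name__ == "__main__":
    for kind, src in detect(sample_log()):
        print(kind, src)
```

A scan slower than the window stays under the threshold, so the 161/UDP rule is the one that still fires for a patient source.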