29th Jul 2002 [SBWID-5574]
COMMAND
Ascend routers info leakage + default snmp gives write access to
configuration
SYSTEMS AFFECTED
Lucent Pipeline, MAX, DSL-Terminator. (Formerly known under Ascend
Router product line)
PROBLEM
In FX [fx@phenoelit.de] and kim0 [kim0@phenoelit.de] of Phenoelit Group
[http://www.phenoelit.de] advisory
[http://www.phenoelit.de/stuff/Lucent_Ascend.txt]:
The product line formerly known under the name of "Ascend" running the
TAOS Operating System provides an easy to use and support interface.
This interface includes an undocumented protocol that provides an easy
method to identify and query the devices. (similar to the Cisco CDP
problem but remote).
When sending a crafted UDP packet to the device's UDP discard port (9),
the device will answer with a packet containing valuable information
such as the host's name, MAC, IP address of the Ethernet Interface,
Serial number, device type and installed features. By sending a packet
with the SNMP WRITE community, a remote attacker can change the device's
IP address, netmask or name.
[ Example ]
linux# irpas/dfkaa 192.168.1.11
DFKAA - Devices Formerly Known As Ascend
FX <fx@phenoelit.de> - http://www.phenoelit.de/
$Revision: 1.22 $ - IRPAS Build XL
(c) 2001++
>>ascend<<
[Probe response]
ADP version: 2
*MAC addr: 00:C0:7B:89:DD:86
IP addr: 192.168.1.11/255.255.255.0
*Serial number: 9990826374
Device type: Ascend Pipeline 75
Features: 0004 0030 0140 0000
*Device serial number and MAC have been changed
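[ Added detection example ]
The following is an added example, not part of the Phenoelit advisory or its tools. A standard discard service (RFC 863) never sends a reply, so any UDP packet sourced from port 9 marks a device that answers probes as described above; the script flags such replies in flow records. The Flow record layout, the 5-second window and all sample records are assumptions constructed for illustration.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "ts src sport dst dport proto")
DISCARD_PORT = 9   # UDP discard (RFC 863): a compliant service never replies
WINDOW = 5.0       # assumed maximum seconds between a probe and its reply

# Constructed flow records for illustration (not captured traffic).
SAMPLE_FLOWS = [
    Flow(100.0, "203.0.113.7", 40112, "192.168.1.11", 9, "udp"),    # probe
    Flow(100.2, "192.168.1.11", 9, "203.0.113.7", 40112, "udp"),    # reply to probe
    Flow(130.0, "203.0.113.9", 51515, "192.168.1.20", 9, "udp"),    # silently discarded
    Flow(140.0, "192.168.1.11", 161, "192.168.1.5", 40000, "udp"),  # unrelated SNMP
    Flow(150.0, "192.168.1.30", 9, "198.51.100.4", 33000, "udp"),   # reply, probe unseen
]

def find_discard_responders(flows, window=WINDOW):
    """Return one finding per UDP packet sent FROM port 9, in time order."""
    probes = {}    # (client, client_port, device) -> time of last probe
    findings = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto != "udp":
            continue
        if f.dport == DISCARD_PORT and f.sport != DISCARD_PORT:
            # Traffic towards a discard port: remember it to pair with a reply.
            probes[(f.src, f.sport, f.dst)] = f.ts
        elif f.sport == DISCARD_PORT:
            # A discard port that talks back: should never happen.
            probe_ts = probes.get((f.dst, f.dport, f.src))
            matched = probe_ts is not None and 0 <= f.ts - probe_ts <= window
            findings.append({"device": f.src, "peer": f.dst,
                             "ts": f.ts, "matched_probe": matched})
    return findings

def responders(flows):
    """Unique device addresses seen replying from the discard port."""
    return sorted({x["device"] for x in find_discard_responders(flows)})

if __name__ == "__main__":
    for x in find_discard_responders(SAMPLE_FLOWS):
        print("%(ts)8.1f device=%(device)s peer=%(peer)s "
              "matched_probe=%(matched_probe)s" % x)
```

Findings with matched_probe=False are still worth reviewing: the probe may have entered through a path the flow collector does not see.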
SOLUTION
None yet