COMMAND

    Ascend routers info leakage + default SNMP gives write access to configuration

SYSTEMS AFFECTED

    Lucent Pipeline, MAX, DSL-Terminator. (Formerly known under Ascend Router product line)

PROBLEM

    In the advisory [http://www.phenoelit.de/stuff/Lucent_Ascend.txt] by FX [fx@phenoelit.de] and kim0 [kim0@phenoelit.de] of Phenoelit Group [http://www.phenoelit.de]:

    The product line formerly known under the name of "Ascend" running the TAOS Operating System provides an easy to use and support interface. This interface includes an undocumented protocol that provides an easy method to identify and query the devices (similar to the Cisco CDP problem, but remote).

    When sending a crafted UDP packet to the device's UDP discard port (9), the device will answer with a packet containing valuable information such as the host's name, MAC, IP address of the Ethernet Interface, Serial number, device type and installed features.

    By sending a packet with the SNMP WRITE community, a remote attacker can change the device's IP address, netmask or name.

    [ Example ]

        linux# irpas/dfkaa 192.168.1.11
        DFKAA - Devices Formerly Known As Ascend
        FX <fx@phenoelit.de> - http://www.phenoelit.de/
        $Revision: 1.22 $ - IRPAS Build XL (c) 2001++
        >>ascend<< [Probe response]
        ADP version: 2
        *MAC addr: 00:C0:7B:89:DD:86
        IP addr: 192.168.1.11/255.255.255.0
        *Serial number: 9990826374
        Device type: Ascend Pipeline 75
        Features: 0004 0030 0140 0000

        *Device Serial number and MAC have been changed

SOLUTION

    None yet
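
A detection check built on the behaviour described under PROBLEM, added here as an example and not part of the Phenoelit advisory or IRPAS: the UDP discard service (RFC 863) never replies, so a datagram sourced from UDP/9 shortly after one sent to UDP/9 marks a device that answers such probes. The record layout, the time window and the sample packets are constructed assumptions.

```python
from collections import namedtuple

# One observed UDP datagram; constructed layout, e.g. parsed from flow logs.
Pkt = namedtuple("Pkt", "ts src sport dst dport")

DISCARD_PORT = 9     # UDP discard service (RFC 863) never sends a reply
REPLY_WINDOW = 2.0   # seconds allowed between probe and reply (assumed)


def find_discard_replies(packets, window=REPLY_WINDOW):
    """Return (prober, device, probe_ts, reply_ts) for each datagram sent to
    UDP/9 that the target answered from UDP/9 within `window` seconds."""
    pending = {}  # (prober, device) -> timestamp of the latest probe
    hits = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.sport == DISCARD_PORT:
            probe_ts = pending.get((p.dst, p.src))
            if probe_ts is not None and p.ts - probe_ts <= window:
                hits.append((p.dst, p.src, probe_ts, p.ts))
                del pending[(p.dst, p.src)]
                continue  # a matched reply is not also counted as a probe
        if p.dport == DISCARD_PORT:
            pending[(p.src, p.dst)] = p.ts
    return hits


# Constructed sample traffic (not captured from real devices).
SAMPLE = [
    Pkt(1.00, "198.51.100.7", 40000, "192.168.1.11", 9),   # probe
    Pkt(1.01, "192.168.1.11", 9, "198.51.100.7", 40000),   # device answers
    Pkt(2.00, "198.51.100.7", 40001, "192.168.1.20", 9),   # silently discarded
    Pkt(3.00, "192.168.1.20", 53, "198.51.100.7", 40002),  # unrelated DNS reply
    Pkt(4.00, "198.51.100.7", 40003, "192.168.1.30", 9),   # probe
    Pkt(9.50, "192.168.1.30", 9, "198.51.100.7", 40003),   # outside the window
]

if __name__ == "__main__":
    for prober, device, t0, t1 in find_discard_replies(SAMPLE):
        print(f"{device} answered a UDP/9 datagram from {prober} "
              f"({t1 - t0:.2f}s after the probe)")
```

Each hit names a device that should be shielded from untrusted UDP/9 traffic and checked for a default SNMP write community.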