[ http://www.rootshell.com/ ]

Date:         Mon, 26 Oct 1998 18:51:09 +0000
From:         Vesselin Mladenov <root@NETBG.COM>
Subject:      USR Netserver 8/16 vulnarable to nestea attack

Three days ago I found out that USR Netserver 8/16 V.34, running version
2.0.14 OS is vulnerable to nestea DoS attack (for more info lookup in
http://www.rootshell.com). I alarmed 3COM by sending them e-mail about the
problem and exact behaviour of the NAS I was playing with. They mailed me
back, telling me that they appreciate I have contacted them, but
unfortunatelly they are too busy to pay attention to my e-mail, so I was
redirected to the local technical support organization. Well, I decided to
forward the message to bugtraq - cause I'm sure the response will be more
rapid and they'll be no more too busy. :)

Here is the message, in general:

--------------------------------------------------
Hi,

I was playing with old nestea program (http://www.rootshell.com) and I
decided to test if my netserver is vulnarable to that attack.
Unfortunatelly it turned out that it is.
The model is NETServer/8 V.34, OS version 4.0.14.
The error message netserver returned to me was:

 bla bla bla .../src/ppp_dsm.c Level CRITICAL: Buffer Alloc Error (3052) ES_NO_BUFMEM

After that netserver stop accepting user logins.
From logfile: "Connection was dropped for user UNKNOWN."

I use RADIUS authentication and accounting.

In 10% of cases netserver was completely dead. I attacked the NAS with 200
repetitions of nestea. If you increase the repetition number, you will not
have to run the nestea twice to kill the netserver completely.

I thing that the problem is in ppp_dsm.c module.
The module is quite buggy - there are other problems with it, but not so
serious as this one.

---------------------------------------------------

That's it.


---------------------------
Vesselin Mladenov
NetBG Ltd.
Phone: +3592-9744260
---------------------------