Forwarded from Bugtraq:

Something that looks very much like an exploitable buffer overrun
in (at least? only?) netscreen 25. 

I'm not sure I'd only call this an "unauthorised reboot issue", 
and the reason I'm saying it is that "remote reboot" isn't enough 
to get some people to push out upgrades. Running a risk of "remote 
control" is another thing altogether.


-------- Original Message --------
Subject: Netscreen 25 unauthorised reboot issue
Date: Mon, 27 May 2002 18:33:31 +0100
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

Please note that this advisory was prepared before speaking to
Netscreen's US operation. Nothing of this vulnerability has been
discussed here (or on vuln-dev), hence this email. Additionally it is not
shown on netscreen's security alerts page
(http://www.netscreen.com/support/alert.html) as of 25.05.2002.

After speaking to their 3rd line support in the US (eventually) I was
informed that this had been fixed.

Indeed the problem *has* been fixed as of ScreenOS 3.0.1r2 (however you
have to look in the release notes to discover this; ref cs00232). I
wonder how many people are still running affected firmware?
 
#Synopsis

A remote user (who is unauthenticated) can cause a netscreen 25 (other
versions untested) to reboot remotely. Software Version 3.0.1r1.1, which
was current as of about 1 month ago, has no alerts shown against it on
netscreen's security alerts page.
 
#Method

Log on to the netscreen with a user name of

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

and the device reboots.

This looks similar to http://www.net-security.org/vuln.php?id=577 from a
year ago.
 
Remote syslog shows just that the device's interfaces came back up:

May 24 14:36:59 192.168.1.100 phaedra: NetScreen device_id=phaedra system-notification-00513: The physical state of the interface trust has changed to Up (2002-05-24 13:36:47)
May 24 14:36:59 192.168.1.100 phaedra: NetScreen device_id=phaedra system-notification-00513: The physical state of the interface untrust has changed to Up (2002-05-24 13:36:47)
May 24 14:36:59 192.168.1.100 phaedra: NetScreen device_id=phaedra system-notification-00513: The physical state of the interface DMZ has changed to Up (2002-05-24 13:36:48)

##### Start of console output

phaedra-> *******************************************************
                Exception Dump
*******************************************************
System up time: 3 hours 20 minutes 48 seconds
Exception(Instruction TLB Miss)
GPR:
R0: 78787878   R1: 03044e50  R2: 00470928  R3: 00000000
R4: 03044e08   R5: 000000ac  R6: 0074bde8  R7: 78787878
R8: 004c9d70   R9: 03a81d50  R10: 004fcb58 R11: 004d0000
R12: 40000024  R13: 004d1344 R14: 000d0904 R15: 80020020
R16: 43c00da1  R17: 300b6030 R18: 60101022 R19: 00000000
R20: 00750000  R21: 00470000 R22: 00000001 R23: 00755078
R24: 78787878  R25: 78787878 R26: 78787878 R27: 78787878
R28: 78787878  R29: 78787878 R30: 78787878 R31: 78787878
Special Register:
CR: 20000024   XER: 00000000  LR: 78787878    CTR: 00000000
MSR: 00021200  SRR0: 78787878 SRR1: 00029230  SRR2: 00300044
SRR3: 00000000 DBSR: 00000000 TCR: fc000000   TSR: 04000000
ESR: 00000000  DEAR: 00000000 PID: 00000000
*******************************************************
                Exception Dump
*******************************************************
System up time: 3 hours 20 minutes 48 seconds
Exception(Machine Check)
GPR:
R0: 78787878   R1: 03044d68  R2: 00470928  R3: 00000000
R4: 00000000   R5: 00000000  R6: 78787878  R7: 002fffd4
R8: 004c9d70   R9: 00000000  R10: 000002ec R11: 00000020
R12: 40000024  R13: 004d1344 R14: 000d0904 R15: 80020020
R16: 43c00da1  R17: 300b6030 R18: 60101022 R19: 00000000
R20: 00750000  R21: 00470000 R22: 00000001 R23: 00755078
R24: 78787878  R25: 78787878 R26: 78787878 R27: 00000001
R28: 03044d94  R29: 0000001f R30: 78787878 R31: 00000000
Special Register:
CR: 40000024   XER: 20000000  LR: 002fffd4    CTR: 00000000
MSR: 00000000  SRR0: 78787878 SRR1: 00029230  SRR2: 00300044
SRR3: 00021200 DBSR: 00000000 TCR: fc000000   TSR: 0c000000
ESR: 00000000  DEAR: 00000000 PID: 00000000
Trace Dump:
00300044 002fffd4 002ff8f4 002fee04 00000000
System Level:
Image In Interrupt Level
********************************************************
        Please use GDB to track the trace
********************************************************

NetScreen PowerPC 405GP BootROM V1.01
(c)1997-2002 NetScreen Technologies Inc. All rights reserved

Check Platform...... NS-25

<snip normal netscreen start up>

###### End


 
#Preliminary Conclusions

Restrict the IPs that can connect to the web interface, and upgrade to
the latest version of ScreenOS.

#Vendor status

They had (as mentioned above) already fixed this issue, but had (in my
personal opinion) not publicized it very well, hence this post.



Q

-- 
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
"I just went visual on this goofy looking Finn riding on a gnu, wielding
one pissed off penguin...
gah" 
   Bob The Sane
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls
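The forwarder's point, that this is more than an "unauthorised reboot", rests on what the exception dump above shows: the long user name is made of the byte 0x78 ('x'), and that byte fills not only general-purpose registers but LR (the PowerPC link register, i.e. the return address) and SRR0 (the address the exception handler would return to). The following Python script, an added example that is not part of the advisory or of NetScreen's tooling, parses the two register dumps exactly as printed in the post and reports which registers hold a uniform printable fill and whether any of them steer control flow. The register values are copied from the dump; the treatment of LR, SRR0 and CTR as control-flow registers is a property of the PowerPC 405 that the post does not spell out.

```python
import re

# Register sections of the two exception dumps printed on the NetScreen 25
# console in the advisory above (values copied from the post, not constructed).
TLB_MISS_DUMP = """\
Exception(Instruction TLB Miss)
GPR:
R0: 78787878   R1: 03044e50  R2: 00470928  R3: 00000000
R4: 03044e08   R5: 000000ac  R6: 0074bde8  R7: 78787878
R8: 004c9d70   R9: 03a81d50  R10: 004fcb58 R11: 004d0000
R12: 40000024  R13: 004d1344 R14: 000d0904 R15: 80020020
R16: 43c00da1  R17: 300b6030 R18: 60101022 R19: 00000000
R20: 00750000  R21: 00470000 R22: 00000001 R23: 00755078
R24: 78787878  R25: 78787878 R26: 78787878 R27: 78787878
R28: 78787878  R29: 78787878 R30: 78787878 R31: 78787878
Special Register:
CR: 20000024   XER: 00000000  LR: 78787878    CTR: 00000000
MSR: 00021200  SRR0: 78787878 SRR1: 00029230  SRR2: 00300044
SRR3: 00000000 DBSR: 00000000 TCR: fc000000   TSR: 04000000
ESR: 00000000  DEAR: 00000000 PID: 00000000
"""

MACHINE_CHECK_DUMP = """\
Exception(Machine Check)
GPR:
R0: 78787878   R1: 03044d68  R2: 00470928  R3: 00000000
R4: 00000000   R5: 00000000  R6: 78787878  R7: 002fffd4
R8: 004c9d70   R9: 00000000  R10: 000002ec R11: 00000020
R12: 40000024  R13: 004d1344 R14: 000d0904 R15: 80020020
R16: 43c00da1  R17: 300b6030 R18: 60101022 R19: 00000000
R20: 00750000  R21: 00470000 R22: 00000001 R23: 00755078
R24: 78787878  R25: 78787878 R26: 78787878 R27: 00000001
R28: 03044d94  R29: 0000001f R30: 78787878 R31: 00000000
Special Register:
CR: 40000024   XER: 20000000  LR: 002fffd4    CTR: 00000000
MSR: 00000000  SRR0: 78787878 SRR1: 00029230  SRR2: 00300044
SRR3: 00021200 DBSR: 00000000 TCR: fc000000   TSR: 0c000000
ESR: 00000000  DEAR: 00000000 PID: 00000000
"""

# "NAME: HHHHHHHH" pairs; NAME is an upper-case mnemonic with an optional index.
REG_RE = re.compile(r"\b([A-Z]+\d*):\s*([0-9a-fA-F]{8})\b")

# On the PowerPC 405 these registers hold addresses that steer execution:
# LR is the return address, SRR0 the address an exception returns to, and
# CTR the target of an indirect branch (assumption about the CPU, not from
# the post itself).
CONTROL_FLOW_REGS = ("LR", "SRR0", "CTR")


def parse_dump(text):
    """Map every register mnemonic in the dump to its 32-bit value."""
    return {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(text)}


def as_bytes(value):
    """Render a 32-bit register as the four big-endian bytes a PowerPC sees."""
    return value.to_bytes(4, "big")


def is_fill_pattern(value):
    """True when all four bytes are one printable ASCII character (0x78787878 == b'xxxx')."""
    b = as_bytes(value)
    return len(set(b)) == 1 and 0x20 <= b[0] < 0x7F


def assess(text):
    """Report registers carrying the login-name fill and which of them steer control flow."""
    regs = parse_dump(text)
    tainted = [name for name, v in regs.items() if is_fill_pattern(v)]
    return {
        "tainted": tainted,
        "control_flow": [n for n in tainted if n in CONTROL_FLOW_REGS],
        "fill": sorted({as_bytes(regs[n]).decode("ascii") for n in tainted}),
    }


if __name__ == "__main__":
    for label, dump in (("TLB miss", TLB_MISS_DUMP), ("Machine check", MACHINE_CHECK_DUMP)):
        r = assess(dump)
        print(f"{label}: fill {r['fill']} in {len(r['tainted'])} registers; "
              f"control-flow registers overwritten: {r['control_flow'] or 'none'}")
```

For the first dump the script reports that both LR and SRR0 contain 'xxxx', which is the signature of a stack-based overrun reaching a saved return address rather than a mere crash; that distinction is what justifies treating the ScreenOS upgrade as urgent rather than as a nuisance fix. The same check can be run over any future console dump to triage it.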
