You know what? I have an SMC7004AWBR which is about the same model as the one mentioned in this advisory (SMC7004VWBR). I'm telling you that if you investigate a similar problem with malformed packets over ANY interface you will definitely find another problem with this router.

The reason I know this is because I have an XBOX which I stream movies to from my PC. There is a wireless bridge connected to the back of the XBOX, which communicates to the router using wireless signals with no encryption. My PC is hooked up on one of the internal ports on the router. Every now and then while I am streaming movies, it will freeze up the router and I cannot use it until I power cycle the thing. I had always wondered if this was a bug in the XBOX Media Player software (2.3, 2.4 untested) or a problem with the router. SMC told me there was nothing wrong with the router, of course. This seems to be the general idea of what has been happening and the post caught my eye.

I'm sure if someone had the time/resources to investigate further they will find some way to crash the router the same way I have been doing for months now. Of course, this is very bad because anyone can shut me down without even plugging into the router!!! All they need to do is send some bad data over the wireless connection (I think) and the router will freeze up. I think that it may possibly be an infinite loop that the router gets stuck in, but I cannot speculate further. If anyone figures it out let me know since I would love to have a vendor patch for this issue since it pisses me off every time I watch movies streamed to my XBOX (over 25 times now it has happened using SMB/Windows shares on Win XP and XBMP 2.3, 2.4 untested).

Thanks...
Kris Hermansen

----- Original Message -----
From: "iDEFENSE Labs" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 11, 2003 6:12 PM
Subject: [Full-Disclosure] iDEFENSE Security Advisory 06.11.03: Denial of Service Vulnerability in SMC Networks' Barricade Wireless Router

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> iDEFENSE Security Advisory 06.11.03:
> http://www.idefense.com/advisory/06.11.03.txt
> Denial of Service Vulnerability in SMC Networks' Barricade Wireless
> Router
> June 11, 2003
>
> I. BACKGROUND
>
> SMC Networks' Barricade Wireless Cable/DSL Broadband Router, version
> SMC7004VWBR, "combines a 4-port 10/100 Mbps dual-speed switch with
> Automatic MDI-MDIX feature, a high speed 11Mbps wireless access point,
> Stateful Packet Inspection (SPI) firewall security, network management,
> and Virtual Private Network (VPN) passthrough support into one
> convenient device." More information is available at
> http://www.smc.com/index.cfm?sec=Products&pg=Product-Details&prod=258&site=c .
>
> II. DESCRIPTION
>
> The SMC7004VWBR crashes when a specially formatted series of packets
> are sent to TCP port 1723 (PPTP) on its internal interface. Following
> the attack, the router remains unresponsive to requests on the wireless
> portions of the connected LAN, thus preventing users from accessing
> network resources.
>
> III. ANALYSIS
>
> By default, the router is listening on TCP port 1723. A default
> configuration includes enabled wireless access and a DHCP server.
> Therefore, if appropriate steps have not been taken to secure the
> device, it is trivial for a remote attacker to conduct the DoS attack
> by connecting to a targeted network using an 802.11b wireless network
> interface card.
>
> IV. DETECTION
>
> Barricade Wireless Router, version SMC7004VWBR, is affected. The
> vulnerability is confirmed to exist on the following configuration,
> with previous versions of the firmware suspected as well:
>
> Runtime Code Version: v1.20 (Nov 15 2002 22:08:48)
> Boot Code Version: V1.06
> Hardware Version: 01
>
> V. RECOVERY
>
> A hard reset is required to restore normal functionality. This requires
> physical access to the router and can be accomplished by either
> unplugging the router or by using the reset button located on the back
> of the router. Remotely restoring normal functionality by using the
> web-based administrative console is not possible due to the DoS, even
> from hosts physically connected to the router itself.
>
> VI. WORKAROUND
>
> The router provides various security controls, one of which allows an
> administrator to restrict network access via the router only to hosts
> with authorized MAC addresses. By hard-coding authorized MAC addresses,
> an attacker would have to spoof a legitimate MAC address to conduct the
> attack. While this measure does not prevent the attack, it does
> increase the complexity of conducting an attack, thus reducing the
> likelihood of somebody undertaking such a venture.
>
> VII. VENDOR FIX
>
> SMC Networks has released firmware version 1.23 which fixes this
> vulnerability. It is available for download at
> http://www.smc.com/index.cfm?sec=Products&pg=Product-Details&prod=258&site=c#downloads .
>
> VIII. CVE INFORMATION
>
> The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
> has assigned the identification number CAN-2003-0419 to this issue.
>
> IX. DISCLOSURE TIMELINE
>
> 15 APR 2003    Issue disclosed to SMC Networks ([EMAIL PROTECTED])
> 15 APR 2003    iDEFENSE clients notified
> 15 APR 2003    Response from [EMAIL PROTECTED]
> 21 APR 2003    Response from Brian Larsen, Barricade
>                Product Manager
> 30 APR 2003    Response from Brian Larsen
> 10 JUN 2003    Firmware 1.23 provided by SMC to iDEFENSE
>                for testing
> 11 JUN 2003    Coordinated Public Disclosure
>
> X. CREDIT
>
> Michael Sutton ([EMAIL PROTECTED]) is credited with discovering this
> vulnerability.
>
>
> Get paid for security research
> http://www.idefense.com/contributor.html
>
> Subscribe to iDEFENSE Advisories:
> send email to [EMAIL PROTECTED], subject line: "subscribe"
>
>
> About iDEFENSE:
>
> iDEFENSE is a global security intelligence company that proactively
> monitors sources throughout the world - from technical
> vulnerabilities and hacker profiling to the global spread of viruses
> and other malicious code. Our security intelligence services provide
> decision-makers, frontline security professionals and network
> administrators with timely access to actionable intelligence
> and decision support on cyber-related threats. For more information,
> visit http://www.idefense.com .
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0
>
> iQA/AwUBPueT8frkky7kqW5PEQIpYACfXUproAwxaKYB7AeOKa5unfWdqokAnRi9
> GP6+cBLAMyZA4vBIXigrztVU
> =vbiG
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
