[37355] in bugtraq
Re: Security flaw in ALCATEL/THOMSON Speed Touch Pro ADSL modems
daemon@ATHENA.MIT.EDU (3APA3A)
Sat Nov 13 15:33:24 2004
Date: Sat, 13 Nov 2004 11:50:51 +0300
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Message-ID: <1101412908.20041113115051@SECURITY.NNOV.RU>
To: Gregory Duchemin <c3rb3r@sympatico.ca>
Cc: bugtraq@securityfocus.com
In-Reply-To: <419451F4.8020904@sympatico.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Dear Gregory Duchemin,
In case of the product like ADSL modem is, it's not a bug, but a leak of
feature to secure DHCP and/or dynamic DNS updates, because it's a way
DHCP and DNS are supposed to work and it's impossible to fix it without
implementing protocol extensions. This products are targeted for SOHO
(any corporate user already have DNS/DHCP server implemented) where this
kind of attack does not lead to any serious threats.
--Friday, November 12, 2004, 9:02:28 AM, you wrote to bugtraq@securityfocus.com:
GD> Upon complete DHCP negociation, Alcatel modem will try to register the
GD> client's DHCP HOSTNAME option into its local DNS domain.
GD> At this point, it will care about the hostname syntax and will also
GD> check it for redundancy.
GD> It will simply discard any DNS dynamic update if the proposed hostname
GD> already exists.
GD> If it doesn't, an entry is added to the end of the local zone file.
GD> However any new DHCP request for an already existing lease, including
GD> a redundant HOSTNAME, will bypass this checking.
GD> We have now two entries with the same hostname but two differents ip
GD> addresses.
--
~/ZARAZA
Появился новый тип элементарных частиц - шкварки.
Не очень большие, слегка подгоревшие. (Лем)
