[8294] in bugtraq


USR Netserver 8/16 vulnerable to nestea attack

daemon@ATHENA.MIT.EDU (Vesselin Mladenov)
Mon Oct 26 14:12:23 1998

Date: 	Mon, 26 Oct 1998 18:51:09 +0000
Reply-To: Vesselin Mladenov <root@NETBG.COM>
From: Vesselin Mladenov <root@NETBG.COM>
To: BUGTRAQ@NETSPACE.ORG


Three days ago I found out that the USR Netserver 8/16 V.34, running version
2.0.14 OS, is vulnerable to the nestea DoS attack (for more info look at
http://www.rootshell.com).
I alarmed 3COM by sending them e-mail about the problem and exact behaviour
of the NAS I was playing with.
They mailed me back, telling me that they appreciate I have contacted them,
but unfortunately they are too busy to pay attention to my e-mail, so I was
redirected to the local technical support organization.
Well, I decided to forward the message to bugtraq - 'cause I'm sure the
response will be more rapid and they'll no longer be too busy. :)

Here is the message, in general:

--------------------------------------------------
Hi,

I was playing with the old nestea program (http://www.rootshell.com) and I
decided to test if my netserver is vulnerable to that attack.
Unfortunately it turned out that it is.
The model is NETServer/8 V.34, OS version 4.0.14.
The error message netserver returned to me was:

 bla bla bla .../src/ppp_dsm.c Level CRITICAL: Buffer Alloc Error (3052) ES_NO_BUFMEM

After that the netserver stopped accepting user logins.
From logfile: "Connection was dropped for user UNKNOWN."

I use RADIUS authentication and accounting.

In 10% of cases netserver was completely dead. I attacked the NAS with 200
repetitions of nestea. If you increase the repetition number, you will not
have to run the nestea twice to kill the netserver completely.

I think that the problem is in the ppp_dsm.c module.
The module is quite buggy - there are other problems with it, but not so
serious as this one.

---------------------------------------------------

That's it.


---------------------------
Vesselin Mladenov
NetBG Ltd.
Phone: +3592-9744260
---------------------------
