[NEWS] 3Com NBX VoIP NetSet DoS

• Previous message: SecuriTeam: "[EXPL] Windows Lsasrv.dll Remote Universal Exploit (MS04-011)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 2 May 2004 11:52:58 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  3Com NBX VoIP NetSet DoS
------------------------------------------------------------------------

SUMMARY

3Com SuperStack 3 NBX and 3Com NBX 100 networked telephony solutions
"offer wide-ranging price/performance alternatives to fit your business
needs today and tomorrow. 3Com SuperStack 3 NBX Networked Telephony
Solution Delivers robust, full-featured business communications for up to
1500 devices (lines/stations) Ensures high system availability with the
Wind River VxWorks real-time operating system (also used in pacemakers and
artificial hearts), so server and PC downtime does not impact your
telephone service".

It is possible to make the remote Virata-EmWeb/R6.0.3 server (the NBX
Netset application) crash by running a standard Nessus scan in safeChecks
mode (Note: Saftchecks mode only does web queries and XSS).

DETAILS

Vulnerable Systems:
 * 3Com NBX firmware version 4.2.7 (with embedded web server
Virata-EmWeb/R6.0.3).

The 3Com NBX uses VxWorks Embedded Real time Operating system and what
appears to be Virata-EmWeb/R6.0.3 web server. This web server is used by
the NetSet configuration program to update/reboot/backup/configure and
check status on the 3Com NBX VoIP call manager. It is also used by each
phone user to change speed dial numbers, configure call forwarding and
other features of their individual phone sets.

By running the Nessus vulnerabilities scanner, in safeChecks mode, a
hacker or user can disable the Netset status, Call detail functions,
maintenance functions, including the ability to 'soft boot' the system
(NOTE: you may still be able to connect a 9600 baud terminal to the 3Com
NBX Call Manager and soft boot system, but this requires physical access
and would need to be done each and every time someone ran Nessus. Also
note, that with the proliferation of web based attacks on the net lately,
and the fact that the Nessus tests are just a 'safe' version of these
exploits, this creates a serious problem for the NBX).

ADDITIONAL INFORMATION

The information has been provided by <mailto:scheidell@secnap.net>
Michael Scheidell.

The original article can be found at:
<http://www.secnap.net/security/20040420.html>
http://www.secnap.net/security/20040420.html

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[EXPL] Windows Lsasrv.dll Remote Universal Exploit (MS04-011)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]