5861 IP Filtering issues

From: Edward wilkinson (ewilkinson@efficient.com)
Date: 01/23/03

    Date: 23 Jan 2003 22:05:37 -0000
    From: Edward wilkinson <ewilkinson@efficient.com>
    To: bugtraq@securityfocus.com
    
    

    Product: Efficient Networks 5861 DSL Router
                    http://www.efficient.com/ebz/5800.html
    Tested version: 5.3.80 (Latest firmware)
    Advisory date: 10/01/2003
    Severity: Moderate

    Details

    When the built-in IP filtering is used to drop incoming TCP packets with
    the SYN flag set, a simple port scan of the router's WAN interface causes
    it to lock up and eventually restart.

    This has been tested on two different 5861 routers, both running the above
    firmware version.

    Port scanners used were Nmap (Linux) and SuperScan (Windows).

    Solution:

    There are three possible solutions to this exploit. Any one of them is
    enough to avoid it:
    1. Remove the filter rule that specifically drops packets with the
       TCP SYN flag set.
    2. Turn off console logging of dropped packets.
       Note: If you require logging to be on, then you must increase the
       console baud rate.
    3. Increase the console baud rate to 57600.

    How to implement the above solutions:

    Remove the filter rule that specifically drops packets with the TCP SYN
    flag set:
    This does not weaken your security settings, since packets with the SYN
    flag set are still caught by the global drop rule at the end of the script.
    · Login to the router using the Console or Telnet.
    · Type the command:
    remote ipfilter flush 0 input internet (flush zero).
    Alternate command:
    remote ipfilter delete input drop -p tcp -tcp syn internet
    · Type the “save” command
    · Type the “reboot” command
    Note: If the name of your remote profile is not “Internet”, then
    substitute the correct name. To determine what the remote profile name
    is, simply type the command “iproutes”, and look in the “gateway” column
    for the correct name.
    Turn off console logging of dropped packets
    Note: This is highly recommended if you are not actively monitoring your
    firewall activity.
    · Login to the router using the Console or Telnet.
    · Type the command:
    remote ipfilter watch off internet
    · Type the “save” command
    · Type the “reboot” command
    Increase the console baud rate to 57600:
    If you are actively monitoring your firewall, you can leave the above
    filter and logging in place and still avoid the exploit by increasing the
    baud rate of the console interface.
    Note: Remember that your terminal software setting must match this baud
    rate after making this change on the router.
    · Access the “boot menu” on the router:
    1. Cut the end off an old Ethernet cable
    2. strip the wires back and twist all of the bare wires of the cable
    together.
    3. Plug the unmodified cable end into the console port on the router.
    4. Power cycle the router.
    5. Wait about one minute for the router to complete its boot-up.
    6. Remove the modified cable end, and connect a standard Ethernet
    straight cable to the console port. Connect the other end of the Ethernet
    cable to the RJ45 to DB9 adapter provided with your router. Connect the
    adapter to the DB9 serial interface on your computer.
    7. Open up HyperTerminal or any other terminal emulator program, and
    configure it as follows:
    Direct to COM1 (or COM2, COM3, or COM4, depending on which one your
    computer recognizes)

    8. The boot menu looks like this:
    1. Retry start-up
    2. Boot from Flash memory
    3. Boot from network
    4. Boot from specific file
    5. Configure boot system
    6. Set date and time
    7. Set console baud rate
    8. Start extended diagnostics
    9. Reboot

    Enter selection: 7
    Desired baud rate [9600]: 57600
    Do you want the change to 57600 to take effect now ? [Y] y

    · Once you have accessed the boot menu:
    - Select option 7
    - Enter the desired baud rate of 57600
    - Indicate Yes for the change to take effect immediately
    · Power cycle the router
    · Your baud rate is now set to 57600, so be sure to re-configure
    your terminal emulator software to the same setting before you try to
    connect again.

    Additional Comments:
    The default firewall scripts that are contained on the router can be
    edited to meet your specific security needs. It is strongly recommended
    that you familiarize yourself with the specifics of the level of security
    that you have chosen from the Web interface.
    To edit the default script files:
    1. Connect to the router’s Ethernet IP address using your web browser
    Example: http://192.168.254.254/tools/editor.html
    2. Click on the “minsec.txt” link on the left side of the screen.
    You can now edit the contents of the file in the editor window.
    3. Put a “#” sign in front of any lines that you want to disable.
    # remote ipfilter append input drop -p tcp -tcp syn internet
    This will remove the filter rule the next time that the minimum firewall
    setting is chosen from the firewall settings page.
    4. Locate the command: “remote ipfilter watch on internet” and place
    a “#” in front of it. This will cause the logging feature to be disabled
    the next time that the minimum firewall setting is chosen from the
    firewall settings page.
    5. Be sure to click on the “Save” button when you are done with your
    edits.
    6. Repeat the above steps for all three default filter files:
    - minsec.txt
    - medsec.txt
    - maxsec.txt
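    The edit described in steps 3 and 4 above, applied to all three default
    scripts in step 6, amounts to commenting out two kinds of lines while
    preserving the rest of the rule set. The following Python script is an added
    example and not part of the advisory or of the vendor's firmware; it applies
    the same two edits to a firewall script and, before disabling the SYN-specific
    drop rule, checks that a later global drop rule for the same remote profile
    actually exists, which is the condition under which the advisory says the
    change does not alter the security settings. The sample script contents are
    constructed, and the exact form of the trailing global drop rule (an
    `append input drop <profile>` line with no protocol qualifier) is an
    assumption, since the advisory names that rule without quoting it.

```python
import re

# Constructed sample in the style of the router's default minsec.txt; not the
# vendor's file. The SYN-drop and "watch on" lines use the command syntax quoted
# in the advisory; the form of the global drop rule at the end is assumed.
SAMPLE_MINSEC = """\
# minimal security (constructed sample)
remote ipfilter flush 0 input internet
remote ipfilter append input accept -p tcp -dp 80 internet
remote ipfilter append input drop -p tcp -tcp syn internet
remote ipfilter append input accept -p udp -sp 53 internet
remote ipfilter watch on internet
remote ipfilter append input drop internet
save
"""

# Rule that drops packets with the SYN flag set; the last token is the profile name.
SYN_DROP_RE = re.compile(
    r"^\s*remote\s+ipfilter\s+append\s+input\s+drop\b.*-tcp\s+syn\b.*?\s(\S+)\s*$")
# Console logging of dropped packets (the line step 4 tells you to comment out).
WATCH_ON_RE = re.compile(r"^\s*remote\s+ipfilter\s+watch\s+on\s+(\S+)\s*$")
# Unqualified drop-everything rule for a profile (assumed form of the global drop).
GLOBAL_DROP_RE = re.compile(r"^\s*remote\s+ipfilter\s+append\s+input\s+drop\s+(\S+)\s*$")


def harden_script(text: str, disable_logging: bool = True):
    """Return (rewritten script, list of notes describing each change).

    A SYN-specific drop rule is commented out only when a later global drop
    rule for the same profile exists, so coverage is never reduced. "watch on"
    lines are commented out when disable_logging is set.
    """
    lines = text.splitlines()

    # First pass: index of the last global drop rule per profile.  A SYN rule
    # placed after it would not be covered by it, so position matters.
    last_global_drop = {}
    for idx, line in enumerate(lines):
        if line.lstrip().startswith("#"):
            continue
        m = GLOBAL_DROP_RE.match(line)
        if m:
            last_global_drop[m.group(1)] = idx

    # Second pass: apply the two edits, leaving already-commented lines alone.
    out, notes = [], []
    for idx, line in enumerate(lines):
        if line.lstrip().startswith("#"):
            out.append(line)
            continue
        m = SYN_DROP_RE.match(line)
        if m:
            profile = m.group(1)
            if last_global_drop.get(profile, -1) > idx:
                out.append("# " + line)
                notes.append(f"line {idx + 1}: SYN drop for '{profile}' disabled; "
                             f"covered by global drop at line {last_global_drop[profile] + 1}")
            else:
                out.append(line)
                notes.append(f"line {idx + 1}: SYN drop for '{profile}' kept; "
                             "no later global drop rule found")
            continue
        m = WATCH_ON_RE.match(line)
        if m and disable_logging:
            out.append("# " + line)
            notes.append(f"line {idx + 1}: console logging for '{m.group(1)}' disabled")
            continue
        out.append(line)
    return "\n".join(out) + "\n", notes


if __name__ == "__main__":
    rewritten, report = harden_script(SAMPLE_MINSEC)
    print(rewritten)
    for note in report:
        print("#", note)
```

    Run it against each of minsec.txt, medsec.txt and maxsec.txt in turn (the
    same edits apply to all three), then paste the result back into the web
    editor and save. If the report says a SYN rule was kept because no later
    global drop was found, that script does not match the layout the advisory
    describes, and solution 2 or 3 (disable logging or raise the baud rate) is
    the safer choice for it.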