3Com SuperStack II detected as router... or not.

• Previous message: SPI Labs: "LDAP Injection White Paper"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 29 Jul 2003 14:48:59 +0200
To: pen-test@securityfocus.com

Greetings!

Scanning our network with a router detection software, we detected that
requests routed via the management IP address of the hub seemed to be
routed onward. If the embedded management really did routing, this could
be abused to circumvent network separation schemes (e.g. separate
management and user networks).

The system in question is

        3Com SuperStack-II Dual Speed Hub 500
                Hardware 01.01.01
                Software 1.11
                Boot PROM 0.04

"Newer" releases (2.10 and up, which are some years old by themselves)
do not show this behaviour. Firmware updates are (as always) available
for free from 3Com.

Further testing showed that the old hub firmware does NOT route at all.
It just (falsely) answers all ICMP echo-request packets sent to its
hardware (MAC) address regardless the destination IP address.

As most router-detection schemes simply use Ping (ICMP) to test for
routing function you'll get a False Positive from hubs equipped with the
old firmware. So re-checking those alerts with a manual test with a real
TCP connections (e.g. manual HTTP request) is (as always) highly
recommended.

Solutions:
        - install current firmware to the hub(s)
        - double-check router-detection alerts

So no, 3Com SuperStack II hubs with old/ancient firmware do not do
routing, even if your router detector told you otherwise...

Bye

Volker Tanger

PS: Adventurous hackers could try to abuse this and fake a system
    "alive" to an ICMP-only NMS station. But as you need an on-line
    ARP-spoofing station for such a treat anyway, this is more an
    academic possibility.

-- 
ITK-Security
discon gmbh
DeTeWe AG & Co. KG
Fon +49 30 6104-3307
Fax +49 30 6104-3435
http://www.detewe.de/

• application/pgp-signature attachment: stored

• Previous message: SPI Labs: "LDAP Injection White Paper"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Backup to USB works but to NAS fails ... On windows it's a setting in the network card settings and usually ... On a HUB ALL data is transmitted to ALL ports. ... cards are 'paralel tasking' and perform the MAC inspection at the card. ... One switch is not the same as the next.. ... (microsoft.public.windows.server.sbs) Re: Backup to USB works but to NAS fails ... On windows it's a setting in the network card settings and usually ... On a HUB ALL data is transmitted to ALL ports. ... Getting this up to 100Mb/s lan speed (either back-to-back or upgrade ... One switch is not the same as the next.. ... (microsoft.public.windows.server.sbs) smallest possible network, was Re: VOIP with a linksys PAP2 ... > ethernet port) and the VOIP device both into the hub. ... Insert the other of the RJ-45 cable to a network hub, switch, ... Connect the power adapter plug to the WL-330g DC-IN socket. ... Connect the network hub, switch, or router power adapter plug to ... (Fedora) Re: use ipchains to block all ports > 60,000 ... Now what version of ssh is ... Put the suggested hub between the box and the internet, ... >> By temporarily breaking the network connection and inserting a hub ... evidence of users you know not of appearing on ... (comp.os.linux.security) Re: Can not connect or get network DCHP DNS IP on 1 computer other ... and then the HUB uplinks to a DSL router. ... stopped being able to "see" the network Monday morning. ... I can access the internet via dial up and it works fine. ... Even tried the supplied drivers with the new card vs. the ... (microsoft.public.windowsxp.network_web)