webramp.DoS.txt

`Date: Wed, 31 Mar 1999 15:28:22 -0500 (EST)  
From: X-Force <[email protected]>  
To: [email protected]  
Cc: X-Force <[email protected]>  
Subject: ISSalert: ISS Security Advisory -- WebRamp Denial of Service Attacks  
  
TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to  
[email protected] Contact [email protected] for help with any problems!  
---------------------------------------------------------------------------  
  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
ISS Security Advisory -- WebRamp Denial of Service Attacks  
March 31, 1999  
  
Synopsis:  
  
Ramp Networks (http://www.rampnet.com/) WebRamp Internet access devices  
allow multiple computers to share a dialup connection. The WebRamp family  
of Internet access devices are designed for small businesses that require  
cost-effective, high-speed Internet access on every desktop.  
  
WebRamp is vulnerable to two denial of service attacks that allow an  
attacker to either crash the WebRamp device or change its IP address.  
When the device crashes, it will have to be manually reset before  
it will dial up. If an attacker changes the IP address of the WebRamp,  
none of the machines on your network will be able to find it, so no  
machines will be able to access the Internet via the WebRamp. The device  
will still function as a network hub, so your intra-LAN connectivity will  
not be disrupted.  
  
  
Description:  
  
WebRamp crash/denial of service attack: Sending a specially formatted string  
of characters to the HTTP port of the WebRamp causes the device to hang,  
requiring a manual reset.  
  
WebRamp IP address change: Sending a specially-formatted UDP packet to port  
5353 changes the WebRamp's local IP address, effectively 'hiding' the  
device from the rest of your machines. The WebRamp is still connected to  
the Internet and its PPP IP address is unchanged.  
  
Recommendations:  
  
If an attacker has crashed your WebRamp, then manually reset it by turning  
it off and on again.  
  
If an attacker has changed the IP address, use WRFINDER.EXE on the WebRamp  
installation CD to change the address to a proper value.  
  
  
Fix Information:  
  
Go to http://www.rampnet.com/upgrades to get the latest firmware for your  
model of WebRamp.  
  
  
Additional Information:  
  
Information in this advisory was obtained by the research of Jon Larimer  
<[email protected]> of the ISS X-Force. ISS X-Force would like to thank  
Ramp Networks <http://www.rampnet.com> for their assistance with testing  
on WebRamp devices and providing fix information.  
  
________  
  
Copyright (c) 1999 by Internet Security Systems, Inc.  
  
Permission is hereby granted for the electronic redistribution of this  
Security Advisory. It is not to be edited in any way without express  
consent of the X-Force. If you wish to reprint the whole or any part of  
this Security Advisory in any other medium excluding electronic medium,  
please e-mail [email protected] for permission.  
  
Internet Security Systems, Inc. (ISS) is the leading provider of adaptive  
network security monitoring, detection, and response software that  
protects the security and integrity of enterprise information systems. By  
dynamically detecting and responding to security vulnerabilities and  
threats inherent in open systems, ISS's SAFEsuite family of products  
provide protection across the enterprise, including the Internet,  
extranets, and internal networks, from attacks, misuse, and security  
policy violations. ISS has delivered its adaptive network security  
solutions to organizations worldwide, including firms in the Global 2000,  
nine of the ten largest U.S. commercial banks, and over 35 governmental  
agencies. For more information, call ISS at 678-443-6000 or 800-776-2362  
or visit the ISS Web site at http://www.iss.net.  
  
Disclaimer  
The information within this paper may change without notice. Use of this  
information constitutes acceptance for use in an AS IS condition. There  
are NO warranties with regard to this information. In no event shall the  
author be liable for any damages whatsoever arising out of or in  
connection with the use or spread of this information. Any use of this  
information is at the user's own risk.  
  
X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as  
well as on MIT's PGP key server and PGP.com's key server.  
  
X-Force Vulnerability and Threat Database: http://www.iss.net/xforce  
  
Please send suggestions, updates, and comments to:  
X-Force <[email protected]> of Internet Security Systems, Inc.  
  
-----BEGIN PGP SIGNATURE-----  
Version: 2.6.3a  
Charset: noconv  
  
iQCVAwUBNwEjQTRfJiV99eG9AQHS2AQAilU+R2J0pU2DMi+0CBMjl1zwIPob990s  
n4ECDLLimt66TLeZW3fBxstHOzWUJ1YRPm/Ahb0oeyDqx54Cv4LA3uZttq5mZ2+d  
d84nPbznpzC6Q/9eqVX8tNF0cp2TNc2eIqkwV4I1ZZ68JMkepmglT73mPqpzWJL8  
fIT8UGYykDs=  
=4bwl  
-----END PGP SIGNATURE-----  
  
`