SECURITYVULNS:DOC:4018
Jan 24, 2003

5861 IP Filtering issues


Product: Efficient Networks 5861 DSL Router
http://www.efficient.com/ebz/5800.html
Tested version: 5.3.80 (Latest firmware)
Advisory date: 10/01/2003
Severity: Moderate

Details

When the built-in IP filtering is used to block incoming packets with the
TCP SYN flag set, a simple port scan of the WAN interface of the router
will cause it to lock up, and eventually restart.

This has been tested on two different 5861 routers, both running the above
firmware version.

Port scanners used were Nmap (Linux) and SuperScan (Windows).

Solution:

There are three possible solutions to this exploit. Any one of these
solutions can be implemented to avoid the exploit:

  1. Remove the filter rule that specifically drops packets with the
     TCP SYN flag set.
  2. Turn off console logging of dropped packets.
     Note: If you require logging to be on then you must increase the
     console baud rate.
  3. Increase the console baud rate to 57600.

How to implement the above solutions:

Remove the filter rule that specifically drops packets with the TCP SYN
flag set

This will not alter your security settings, since packets with the SYN
flag set will be caught by the global drop rule at the end of the script.

· Log in to the router using the Console or Telnet.
· Type the command:
    remote ipfilter flush 0 input internet
  (flush zero).
  Alternate command:
    remote ipfilter delete input drop -p tcp -tcp syn internet
· Type the “save” command.
· Type the “reboot” command.

Note: If the name of your remote profile is not “Internet”, then
substitute the correct name. To determine what the remote profile name
is, simply type the command “iproutes”, and look in the “gateway” column
for the correct name.

Turn off console logging of dropped packets

Note: This is highly recommended if you are not actively monitoring your
firewall activity.

· Log in to the router using the Console or Telnet.
· Type the command:
    remote ipfilter watch off internet
· Type the “save” command.
· Type the “reboot” command.

Increase the console baud rate to 57600

If you are actively monitoring your firewall, you can leave the above
filters and logging in place, and still avoid the exploit by increasing
the baud rate of the console interface.

Note: Remember that your terminal software setting must match this baud
rate after making this change on the router.

· Access the “boot menu” on the router:

  1. Cut the end off an old Ethernet cable.
  2. Strip the wires back and twist all of the bare wires of the cable
     together.
  3. Plug the unmodified cable end into the console port on the router.
  4. Power cycle the router.
  5. Wait about one minute for the router to complete its boot-up.
  6. Remove the modified cable end, and connect a standard Ethernet
     straight cable to the console port. Connect the other end of the
     Ethernet cable to the RJ45 to DB9 adapter provided with your router.
     Connect the adapter to the DB9 serial interface on your computer.
  7. Open up Hyper-terminal or any other terminal emulator program, and
     configure it as follows.
     Direct to com1 (or com2, or com3, or com4 depending on which one your
     computer recognizes)

  8. The boot menu looks like this:

     1. Retry start-up
     2. Boot from Flash memory
     3. Boot from network
     4. Boot from specific file
     5. Configure boot system
     6. Set date and time
     7. Set console baud rate
     8. Start extended diagnostics
     9. Reboot

Enter selection: 7
Desired baud rate [9600]: 57600
Do you want the change to 57600 to take effect now ? [Y] y

· Once you have accessed the boot menu:
  • Select option 7.
  • Enter the desired baud rate of 57600.
  • Indicate Yes for the change to take effect immediately.
· Power cycle the router.
· Your baud rate is now set to 57600, so be sure to re-configure
  your terminal emulator software to the same setting before you try to
  connect again.

Additional Comments:
The default firewall scripts that are contained on the router can be
edited to meet your specific security needs. It is strongly recommended
that you familiarize yourself with the specifics of the level of security
that you have chosen from the Web interface.
To edit the default script files:

  1. Connect to the router’s Ethernet IP address using your web browser.
     Example: http://192.168.254.254/tools/editor.html
  2. Click on the “minsec.txt” link on the left side of the screen.
     You can now edit the contents of the file in the editor window.
  3. Put a “#” sign in front of any lines that you want to disable.

     remote ipfilter append input drop -p tcp -tcp syn internet

     This will remove the filter rule the next time that the minimum
     firewall setting is chosen from the firewall settings page.
  4. Locate the command “remote ipfilter watch on internet” and place
     a “#” in front of it. This will cause the logging feature to be
     disabled the next time that the minimum firewall setting is chosen
     from the firewall settings page.
  5. Be sure to click on the “Save” button when you are done with your
     edits.
  6. Repeat the above steps for all three default filter files:

  • minsec.txt
  • medsec.txt
  • maxsec.txt
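
The edits from steps 3 and 4, applied to a saved copy of a firewall script and reported line by line, as an added example (not part of the original advisory or any vendor tooling). The sample script text is constructed; only the two commands quoted in the steps above are taken from the advisory, and the remote profile name is matched as any single token because it may differ from "internet".

```python
import re

# The two lines the advisory says to disable. The last token is the remote
# profile name, which varies per router, so any non-space token is accepted.
SYN_DROP = re.compile(
    r"^\s*remote\s+ipfilter\s+append\s+input\s+drop\s+-p\s+tcp\s+-tcp\s+syn\s+\S+\s*$",
    re.IGNORECASE,
)
WATCH_ON = re.compile(r"^\s*remote\s+ipfilter\s+watch\s+on\s+\S+\s*$", re.IGNORECASE)


def disable_risky_lines(script_text):
    """Comment out the SYN drop rule and the 'watch on' line.

    Returns (new_text, changes) where changes is a list of
    (line_number, original_line). Lines that already start with '#'
    never match, so running the function twice changes nothing more.
    """
    out, changes = [], []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        if SYN_DROP.match(line) or WATCH_ON.match(line):
            changes.append((lineno, line.strip()))
            line = "# " + line.lstrip()
        out.append(line)
    return "\n".join(out) + "\n", changes


# Constructed sample, NOT the real contents of minsec.txt. Other rules
# (including the global drop rule) are represented by placeholder comments.
SAMPLE_MINSEC = """\
# constructed sample firewall script
remote ipfilter append input drop -p tcp -tcp syn internet
# (other rules omitted, including the global drop rule at the end)
remote ipfilter watch on internet
"""

if __name__ == "__main__":
    new_text, changes = disable_risky_lines(SAMPLE_MINSEC)
    for lineno, original in changes:
        print(f"line {lineno}: disabled '{original}'")
    print(new_text, end="")
```

Run it against copies of minsec.txt, medsec.txt and maxsec.txt, review the reported lines, then paste the result back through the router's editor page and save.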