
flowpoint2000.txt

Posted Aug 17, 1999

DoS in Flowpoint 2000 DSL routers.

tags | exploit
SHA-256 | e32786d7acc5de665687f85ee8e503c7a0a1c431132d0f6c8fd2d1f57f6db27a

Date: Tue, 11 Aug 1998 20:35:20 -0700
From: Jason Ackley <jason@ACKLEY.NET>
Subject: DoS in Flowpoint 2000 DSL routers

Hello,

Quick Overview:

There exists a DoS in Flowpoint's (A)DSL 2000 router ('fp2k')
running software rev 1.2.3 (anyone have other revs to test?)

Lil Backgrounder:

Flowpoint builds the routers and distributes them through various OEMs and
VARs, one that I know of is Diamond Lane Communications, so if you have a
DSL router it's best to take a peek at it real quick(tm). Basically it's not
much bigger than a modem, has six blinky lights on the front.


Vendor Status:

I informed Flowpoint of this problem on Fri May 29, Flowpoint responded on
Mon Jun 1 with a fix and an apology for not responding to me sooner! Quick
Service!

Gory Details:

Like most routers the fp2k will allow you to telnet into it for
monitoring/ testing / admin functions. One problem exists in that the
fp2k does not allow you to (as of firmware 1.4.1) configure a telnet
password, only a system password (sort of like 'enable') to change things.

It also allows you to change the telnet port that it listens on, but that
seems a little too much 'security through obscurity' for me.

Once you telnet into the fp2k you are presented with something like:

FlowPoint/2000 ADSL Router v1.2.3 Ready
>

Once you 'are in', you can do a few basic things, in order to edit
things, you can use the 'login' command followed by the password, such as:

> login foobar
Logged in successfully!
#

The problem happens when you do something like:

>login <a lot of crap here, several kilobytes worth or so>

At this point, you will not get the prompt back (if you did it right :) ),
and on the serial console, you may get something like:

TCP: trim 13 bytes from the front!

With the 13 ranging from 1 as high as 976 from my few tests..

There are obviously some problems in the way it handles its buffers..

The mem command reports 99% of the small buffers in use:

>mem
Small buffers used....... 254 (99% of 256 used)
Large buffers used....... 52 (20% of 256 used)

If you close the telnet connection and try again, you may get something
like this on the console:

NOTIFIER: no mem: TCP: lvl=9: c=0: sc=0: e=0 another incoming connection ignored for now

SNMP read attempts will get the first few OID objects, then start errors
on the serial port of:
SNMPD: TX: err: allocate packet buffer!
SNMPD: TX: err: allocate packet buffer!

At this point, serial communications get interrupted (it must be waiting
on a small buffer to get freed up). As typing commands will not do
anything, you have to type them a few times (and hopefully get the buffer
before something else does).

A ps reveals that my old telnet is still active:

> TID: NAME                 FL P BOTTOM CURRENT SIZE
  1:IDLE                    02 7 12f9f0 130100  2032
  18:TN [170.1.68.2:4658]   03 6 130220 131070  4080
  3:MSFS_SYNC               03 6 1314a0 131ba0  2032
  4:SYSTEM LOGGER           03 5 131cd0 1323d0  2032
  5:LL_PPP                  03 5 135620 135d20  2032
  6:NL_IP                   03 5 135f10 136208  1000
  7:TL_IP_UDP               03 3 136390 136690  1000
  8:TL_IP_TCP               03 3 1367f0 136ef8  2032
  9:IP_RIP                  03 4 137050 137348  1000
  10:TELNETD                03 5 137480 137760  1000
  11:BOOTP                  03 5 13a590 13a878  1000
  12:DUM                    03 5 13ad10 13b410  2032
  13:ADSL                   03 1 13b560 13bc28  2032
  14:SNMPD                  03 5 133b40 134a48  4080
  15:CMD                    01 6 13c0c0 13cf10  4080
>

I then started some heavy internet traffic, of an ftp session and surfing
the web a bit. After which the serial port becomes frozen, but it
still displays the NOTIFIER message and SNMPD error messages when you try
to do something. I did not do too many bandwidth tests as I was in the
mood to get it fixed more than anything else..

After a power cycle, the box is back to itself again.

Fix: If your box becomes like this, you can powercycle it and it is back
to normal. As I mentioned, Flowpoint provided a fix the next
business day, so you should upgrade your firmware, v1.4.1 is the
'fixed' version they gave me, v1.4.3 is the latest AFAIK. Contact
Flowpoint or the OEM label that yours has stamped on it for more
information regarding upgrading firmware.


Scripts for the kids? Nope. Roll your own.


Sorta reminds me of the Cisco 760 problem a while back.

cheers,

-----
Jason "jBot" Ackley
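
The console symptoms quoted in the message above (small-buffer pool near 100%, allocation-failure messages, a telnet task that never exits) can be checked for mechanically. The following is an added example, not part of the original post or of Flowpoint's software; it assumes the `mem`, `ps` and console line formats exactly as quoted in the message, and the function name, threshold and sample capture are hypothetical.

```python
import re

# Constructed sample: a console/telnet capture assembled from the output
# formats quoted in the advisory (not a real device log).
SAMPLE_CAPTURE = """\
TCP: trim 13 bytes from the front!
Small buffers used....... 254 (99% of 256 used)
Large buffers used....... 52 (20% of 256 used)
NOTIFIER: no mem: TCP: lvl=9: c=0: sc=0: e=0 another incoming connection ignored for now
SNMPD: TX: err: allocate packet buffer!
SNMPD: TX: err: allocate packet buffer!
18:TN [170.1.68.2:4658] 03 6 130220 131070 4080
10:TELNETD 03 5 137480 137760 1000
"""

POOL_RE = re.compile(r"(Small|Large) buffers used\.+\s*(\d+)\s*\(\d+% of (\d+) used\)")
TRIM_RE = re.compile(r"TCP: trim (\d+) bytes from the front!")
TN_RE = re.compile(r"(\d+):TN \[([\d.]+):(\d+)\]")
ALLOC_FAIL = ("NOTIFIER: no mem:", "SNMPD: TX: err: allocate packet buffer!")

def analyze_capture(text, pool_threshold=90):
    """Summarise buffer-pool exhaustion indicators (hypothetical helper)."""
    report = {"pools": {}, "alloc_failures": 0, "tcp_trims": [],
              "telnet_sessions": [], "alerts": []}
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()  # drop a leading CLI prompt, if any
        if m := POOL_RE.match(line):
            name, used, total = m.group(1).lower(), int(m.group(2)), int(m.group(3))
            report["pools"][name] = (used, total)
            # Recompute utilisation from the counts rather than the printed %.
            if total and 100 * used // total >= pool_threshold:
                report["alerts"].append(f"{name} buffer pool at {used}/{total}")
        elif m := TRIM_RE.match(line):
            report["tcp_trims"].append(int(m.group(1)))
        elif m := TN_RE.match(line):
            # A TN task in `ps` output is a telnet session still holding resources.
            report["telnet_sessions"].append((int(m.group(1)), m.group(2), int(m.group(3))))
        elif line.startswith(ALLOC_FAIL):
            report["alloc_failures"] += 1
    if report["alloc_failures"]:
        report["alerts"].append(f"{report['alloc_failures']} buffer allocation failures logged")
    return report

if __name__ == "__main__":
    for alert in analyze_capture(SAMPLE_CAPTURE)["alerts"]:
        print("ALERT:", alert)
```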