COMMAND
ascend
SYSTEMS AFFECTED
MAX4002, MAX4004, MAX4048, and MAX4072 (MAX TNT?)
PROBLEM
Joe Shaw noticed a problem in Ascend's microcode for the Ascend
MAX 4000 that allowed any user to request any IP address they
wanted. This problem surfaced in the 4.x versions of code, works
on 5.0Ap8, and probably works on most versions of Ascend
software. It was originally fixed some time ago, but the problem
resurfaced recently. It works even if you have settings such as
Assign Adrs and Pool only set to yes.
The problem can be duplicated by setting Windows Dial-Up
Networking to Specify IP Address, and then setting it to the IP
address of a machine on the network you're connecting to. Once
connected, Joe telnetted from another machine to his router, and
sure enough, when he did a show ip route xxx.xxx.xxx.xxx, it
showed that the address was being broadcast via OSPF from one of
our MAXen, instead of being connected directly to FDDI0. He
assumed he couldn't get out to the network, but in attempting to
telnet out from the dialin box, he got to his core Cisco and the
other machines on his network.
The ability to take any IP address means that a dialin user can
take the IP address of a DNS server, a router, anything with an
IP address. In some instances (where proxy mode is enabled on
the MAX) you will still be able to route to some machines, while
not being able to get to others (this depends on the network
setup). Also, it's possible to take the IP address of one
machine by simply dialing up, and while doing so, you could
possibly rcp over a password file or any other file you wanted,
as long as the IP address of the machine is trusted. This makes
any service that relies strictly on authentication by IP
address extremely vulnerable. You could take over DNS services,
grab passwords for people checking POP mail, and anything else
you can think of.
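The route check Joe did by hand can be automated on the defender's
side. The following is an added example, not code from the advisory
or from Ascend: it flags host routes learned via OSPF from an access
server when the address lies outside the dial-in pool. The addresses,
the pool, the tuple layout of the route rows and the assumption that
dial-in users appear as /32 host routes are all constructed for
illustration.

```python
import ipaddress

# Constructed sample values (documentation address ranges, not from the advisory).
DIALIN_POOLS = [ipaddress.ip_network("192.0.2.128/26")]     # addresses the MAX may hand out
CONNECTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # LAN directly attached to the router
MAX_ROUTERS = {ipaddress.ip_address("198.51.100.5")}        # access servers speaking OSPF

# (prefix, protocol, next hop) rows, as an operator might extract from the routing table.
SAMPLE_ROUTES = [
    ("198.51.100.0/24", "connected", None),
    ("192.0.2.130/32", "ospf", "198.51.100.5"),    # legitimate pool address
    ("198.51.100.53/32", "ospf", "198.51.100.5"),  # LAN host address claimed over dial-in
    ("203.0.113.9/32", "ospf", "198.51.100.5"),    # outside the pool, not on the LAN
    ("203.0.113.0/24", "ospf", "198.51.100.1"),    # ordinary route from another router
]

def audit_routes(routes, pools=DIALIN_POOLS, connected=CONNECTED_NETS, maxen=MAX_ROUTERS):
    """Return (host, next_hop, kind) for suspicious host routes from access servers."""
    findings = []
    for prefix, proto, next_hop in routes:
        if proto != "ospf" or next_hop is None:
            continue  # only routes learned dynamically are of interest
        if ipaddress.ip_address(next_hop) not in maxen:
            continue  # not advertised by a dial-in access server
        net = ipaddress.ip_network(prefix)
        if net.prefixlen != net.max_prefixlen:
            continue  # dial-in users are assumed to appear as host routes
        host = net.network_address
        if any(host in pool for pool in pools):
            continue  # address was legitimately assigned from the pool
        # A host route is more specific than the connected subnet, so the
        # router prefers it and traffic for the real LAN host is diverted.
        kind = "shadows-lan" if any(host in lan for lan in connected) else "out-of-pool"
        findings.append((str(host), next_hop, kind))
    return findings

if __name__ == "__main__":
    for host, via, kind in audit_routes(SAMPLE_ROUTES):
        print(f"{kind}: {host} advertised by access server {via}")
```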
SOLUTION
The latest version (5.0Ap13) seems to have fixed the problem. It
can be found at:
ftp.ascend.com