COMMAND
Flowpoint 2000 DSL routers
SYSTEMS AFFECTED
Flowpoint 2000 DSL routers
PROBLEM
Jason Ackley found the following. There exists a DoS in Flowpoint's
(A)DSL 2000 router ('fp2k') running software rev 1.2.3 (anyone
have other revs to test?). Flowpoint builds the routers and
distributes them through various OEMs and VARs, one that we know
of is Diamond Lane Communications, so if you have a DSL router it's
best to take a peek at it real quick(tm). Basically it's not much
bigger than a modem, has six blinky lights on the front.
Like most routers, the fp2k will allow you to telnet into it for
monitoring / testing / admin functions. One problem exists in that
the fp2k does not allow you to (as of firmware 1.4.1) configure a
telnet password, only a system password (sort of like 'enable') to
change things. It also allows you to change the telnet port that
it listens on, but that seems a little too much 'security through
obscurity'. Once you telnet into the fp2k you are presented with
something like:
FlowPoint/2000 ADSL Router v1.2.3 Ready
>
Once you 'are in', you can do a few basic things. In order to
edit things, you can use the 'login' command followed by the
password, such as:
> login foobar
Logged in successfully!
#
The problem happens when you do something like:
>login <a lot of crap here, several kilobytes worth or so>
At this point, you will not get the prompt back (if you did it
right) and on the serial console, you may get something like:
TCP: trim 13 bytes from the front!
With the 13 ranging from 1 to as high as 976 in a few tests. There
are obviously some problems in the way it handles its buffers.
The mem command reports 99% of the small buffers in use:
>mem
Small buffers used....... 254 (99% of 256 used)
Large buffers used....... 52 (20% of 256 used)
If you close the telnet connection and try again, you may get
something like this on the console:
NOTIFIER: no mem: TCP: lvl=9: c=0: sc=0: e=0 another incoming connection
ignored for now
SNMP read attempts will get the first few OID objects, then errors
start on the serial port:
SNMPD: TX: err: allocate packet buffer!
SNMPD: TX: err: allocate packet buffer!
At this point, serial communications get interrupted (it must be
waiting on a small buffer to get freed up). As typing commands will
not do anything, you have to type them a few times (and hopefully
get the buffer before something else does). A ps reveals that my
old telnet is still active:
> TID: NAME FL P BOTTOM CURRENT SIZE
1:IDLE 02 7 12f9f0 130100 2032
18:TN [170.1.68.2:4658] 03 6 130220 131070 4080
3:MSFS_SYNC 03 6 1314a0 131ba0 2032
4:SYSTEM LOGGER 03 5 131cd0 1323d0 2032
5:LL_PPP 03 5 135620 135d20 2032
6:NL_IP 03 5 135f10 136208 1000
7:TL_IP_UDP 03 3 136390 136690 1000
8:TL_IP_TCP 03 3 1367f0 136ef8 2032
9:IP_RIP 03 4 137050 137348 1000
10:TELNETD 03 5 137480 137760 1000
11:BOOTP 03 5 13a590 13a878 1000
12:DUM 03 5 13ad10 13b410 2032
13:ADSL 03 1 13b560 13bc28 2032
14:SNMPD 03 5 133b40 134a48 4080
15:CMD 01 6 13c0c0 13cf10 4080
>
With some heavy internet traffic started, an FTP session and
surfing the web a bit, the serial port becomes frozen, but it still
displays the NOTIFIER message and SNMPD error messages when you try
to do something. After a power cycle, the box is back to itself
again.
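The symptoms above can be checked for mechanically. The following is an added example, not part of the original report or any Flowpoint tooling: it scans a saved serial-console capture for the buffer-exhaustion indicators quoted above. The sample capture is constructed from those quoted lines, and the function name and the 90% threshold are assumptions.

```python
import re

# Constructed console capture built from the message formats quoted in the
# advisory above; it is sample input, not a log from a real device.
SAMPLE_CONSOLE = """\
TCP: trim 13 bytes from the front!
>mem
Small buffers used....... 254 (99% of 256 used)
Large buffers used....... 52 (20% of 256 used)
NOTIFIER: no mem: TCP: lvl=9: c=0: sc=0: e=0 another incoming connection
ignored for now
SNMPD: TX: err: allocate packet buffer!
SNMPD: TX: err: allocate packet buffer!
18:TN [170.1.68.2:4658] 03 6 130220 131070 4080
10:TELNETD 03 5 137480 137760 1000
"""

POOL_RE = re.compile(r"^(Small|Large) buffers used\.+\s*(\d+)\s*\(\d+% of (\d+) used\)")
TRIM_RE = re.compile(r"^TCP: trim (\d+) bytes from the front!")
SESSION_RE = re.compile(r"^\d+:TN \[([\d.]+:\d+)\]")
ALLOC_FAILURES = ("NOTIFIER: no mem", "SNMPD: TX: err: allocate packet buffer!")


def analyze_console(text, threshold=90):
    """Summarise buffer-exhaustion indicators found in a console capture.

    threshold (percent of a pool in use) is an assumed alerting level.
    """
    report = {"pools": {}, "trims": [], "alloc_failures": 0, "sessions": []}
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()  # drop the CLI prompt if present
        if m := POOL_RE.match(line):
            used, total = int(m.group(2)), int(m.group(3))
            if total:  # ignore a malformed line reporting an empty pool
                report["pools"][m.group(1)] = used * 100 // total
        elif m := TRIM_RE.match(line):
            report["trims"].append(int(m.group(1)))
        elif m := SESSION_RE.match(line):
            report["sessions"].append(m.group(1))  # telnet task still alive
        elif line.startswith(ALLOC_FAILURES):
            report["alloc_failures"] += 1
    report["exhausted"] = sorted(p for p, pct in report["pools"].items() if pct >= threshold)
    # Flag only when a near-full pool coincides with allocation failures.
    report["suspect"] = bool(report["exhausted"]) and report["alloc_failures"] > 0
    return report


if __name__ == "__main__":
    print(analyze_console(SAMPLE_CONSOLE))
```
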
Chris added another overlooked network hazard. If you recently
had a DSL line installed, or just got yourself a FlowPoint 2000
DSL Router, then chances are, it hasn't been properly set up
regarding the admin password.
SOLUTION
If your box becomes like this, you can power cycle it and it is
back to normal. Flowpoint provided a fix so you should upgrade
your firmware, v1.4.1 is the 'fixed' version they gave, v1.4.3.
Contact Flowpoint or the OEM label that yours has stamped on
it for more information regarding upgrading firmware.
You should log on to your router and reset your password, since
the default is 'admin'. If you don't, you run the risk of your
connection being dropped or some other malicious things. If you
don't know how to change your password, simply log in, type
'system admin <your password>' and that should take care of that.