COMMAND
Easycom/Safecom 10/100
SYSTEMS AFFECTED
Easycom/Safecom firmware 404.590 (most likely older firmware revisions as well)
PROBLEM
Peter Grundl (Defcom Labs Advisory def-2001-06) found following.
The Easycom/Safecom print server from I-Data International
contains multiple vulnerabilites that allow a malicious user to
bring down the print server. Execution of arbitrary code is also
possible.
The print server has a web service running on port 80 and on port
631. Both are vulnerable to a long URL request. The long URL
results in a buffer overflow on the server. The effect can either
be that the unit crashes or execution of arbitrary code on the
server.
The PrintGuide service on port 5742 will cease to respond, if you
send two bursts (80 connects in each burst) of null characters to
the port.
The FTP service on TCP port 21 is vulnerable to data flooding.
The flooding results in the unit being disconnected from the
network.
The web services on port 80 and port 631 are both vulnerable to
long HTTP requests. An infinite HTTP request will result in the
unit being disconnected from the network. This is done by eg.
issuing a normal GET request and filling A's into an HTTP header
field, like "host:".
The TCP/IP implementation on the Easycom/Safecom unit is
vulnerable to flooding. Sending large burst of "normal" network
packets to the unit at eg. 10 mbit will result in the unit being
disconnected from the network.
SOLUTION
No vendor supplied workaround known. You could put your unit
behind a filtering router, and make sure the ports aren't
accessible from the network (except from the managing console, of
course).
This issue was brought to the vendor's attention on the 30th of
November, 2000. Vendor promises to look into it, but has not yet
come up with any indication on when a fix would be available.