Phenoelit Advisory [ Authors ] FX kim0 Phenoelit Group (http://www.phenoelit.de) Advisory http://www.phenoelit.de/stuff/Lucent_Ascend.txt [ Affected Products ] Lucent Pipline, MAX, DSL-Terminator. (Formerly known under Ascend Router product line) Not vulnerable: MAX TNT Lucent Bug ID: Not assigned [ Vendor communication ] 06/28/02 Reply to inquiry regarding "who to notify" 06/29/02 Initial Notification *Note-Initial notification by phenoelit includes a cc to cert@cert.org by default 06/29/02 Human response ack. the receipt. 07/06/02 Weekly Follow-up by central POC at Lucent (Right on Time!) 07/08/02 Additional tec-discussions 07/19/02 Notification of intent to post publically in apx. 7 days. [ Overview ] The product line formerly known under the name of "Ascend" running the TAOS Operating System provides an easy to use and support interface. This interface includes an undocumented protocol that provides an easy method to identify and query the devices. (similar to the Cisco CDP problem but remote). [ Description ] When sending a crafted UDP packet to the devices UDP discard port (9), the device will answer with a packet containing valuable information such as the host's name, MAC, IP address of the Ethernet Interface, Serial number, device type and installed features. By sending a packet with the SNMP WRITE community, a remote attacker can change the devices IP address, netmask or name. [ Example ] linux# irpas/dfkaa 192.168.1.11 DFKAA - Devices Formerly Known As Ascend FX - http://www.phenoelit.de/ $Revision: 1.22 $ - IRPAS Build XL (c) 2001++ >>ascend<< [Probe response] ADP version: 2 *MAC addr: 00:C0:7B:89:DD:86 IP addr: 192.168.1.11/255.255.255.0 *Serial number: 9990826374 Device type: Ascend Pipeline 75 Features: 0004 0030 0140 0000 *Device Serial number number and MAC have been changed. [ Solution ] None known at this time. [ end of file ]