The OpenNET Project

[VU#317417] Denial of Service condition in vxworks ftpd/3com nbx

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Mon, 2 Dec 2002 13:04:31 -0500
From: "Michael S. Scheidell" <>
To: BugTraq <>,,
Subject: [VU#317417] Denial of Service condition in vxworks ftpd/3com nbx

Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable

Name:  3com NBX IP phone system Denial of Service Attack
Systems: 3com NBX IP Phone Call manager, FW Versions  through 4_1_4
Severity:  Critical
Category: Denial of Service
Classification: Boundary Condition Error
Vendor URL:
Author:   Michael S. Scheidell (
Date:   December 2nd, 2002
Notifications: (3com, WindRiver and CERT) Notified October 31st, 2002
Contact with 3com October 31st, November 1st, 5th, 6th, 15th and =
November 22nd
Contact with WindRiver: October 31st, November  6th, 22nd, and 24th. No =
response from WindRiver.

Discussion: (From 3com's and WindRiver's web site)

3Com=AE SuperStack=AE 3 NBX=AE and 3Com NBX 100 networked telephony =
solutions offer wide-ranging price/performance alternatives to fit your =
business needs today and tomorrow. 3Com=AE SuperStack=AE 3 NBX=AE =
Networked Telephony Solution Delivers robust, full-featured business =
communications for up to 1500 devices (lines/stations) Ensures high =
system availability with the Wind River VxWorks real-time operating =
system (also used in pacemakers and artificial hearts), so server and PC =
downtime does not impact your telephone service.

VxWorks and pSOSystem are the most widely adopted real-time operating =
systems (RTOSs) in the embedded industry -- for good reason. They are =
flexible, scalable, reliable, and available on all popular CPU =
platforms. They are also, by most measures, the fastest RTOSs available =


It was possible to make the remote FTP server crash by issuing this =
command :
        CEL aaaa[...]aaaa where string is 2048 bytes long.  This can be =
done with netcat,
        a windows client by telnetting to the nbx server on port 21 or =
by running the aix_ftpd.nasl test
        in nessus (

The 3com NBX uses VXWORKS Embedded Real time Operating system and what =
appears to be their own internal ftp server. This buffer overflow =
problem seems to be one similar to the AIX ftpd reported in CVE =
1999-0789 and bugtraq id 679.

By sending a specific string of data to the ftp server, an attacker can =
disable not only the ftp server, but the integrated web based =
administrative console and the call manager preventing diagnostics, =
control and all incoming, outgoing or internal calls.  Any calls in =
progress cannot be disconnected, and in the case of long distance calls, =
could result in excessive long distance bills and extended loss of use =
of the phone system.

This condition is not recovered without a Hard reboot (power off/on).  =
Since the 3com nbx is based on an embedded *nix operating system, and =
abrupt power off could cause loss of data, including corruption of voice =
mails in progress or logs.

A company who uses the VoIP features for remote locations, and who has =
the call manager located on the outside of their firewall, or has no =
firewall can have their voice communications disrupted easily.  Even if =
the company has call manager located on internal network, people with =
internal network access can also disrupt communications.

We have tested 3com nbx firmware version 4_0_17 (with ftpd version 5.4) =
and nbx firmware version 4_1_4 (ftpd version 5.4.2) and this bug seems =
to be present in both systems.

Vendor Response:
3com confirmed problem and received a field patch, TSR(296292) from =
vxworks to address the problem.  Neither WindRiver nor 3com has provided =
a test bed or access to a fixed system for us verify fix.  3com will be =
working to integrate this TSR into a future release of the nbx build but =
has no date yet for release. Also, since ftpd is only used for debugging =
and diagnostics, a future firmware will allow the administrator the =
ability to turn off ftpd if not used.

Please contact 3com for further information.

There is no known fix.  If you have information about a fix, please =

There appears to be on way to turn off the build in ftp server in this =
version of the software, no way to do ip address limits via tcp wrapper =
or acls, and if there is a build in firewall, there is no documented way =
to access it.  The only way we know of to prevent a denial of service =
attack on the 3com nbx is to place it behind its own firewall.  If call =
manager is placed on the Internet side of the firewall or in the DMZ, =
care should be taken to prohibit any access to ftp port (tcp port 21) =
This may be impossible on an internal network unless 3com nbx is itself =
placed behind a firewall, or on a separate VLAN or network segment.

Care should be taken in this approach, since some firewalls may =
interfere with the VoIP operations.
(see Firewall limits vex VoIP users = )

This problem was originally found during a routine security audit by =
Michael Scheidell, SECNAP Network Security, using the =
Nessus vulnerabilities scanner,

Additional Information:
A tcpdump/pcap packet of the sploit and ftpd/nbx response can be found =

A copy of this report can be found at =
and at
If you have snort or ISS's trons IDS, a signature to detect this attack =
can be found at

To test your systems for this vulnerability, you can use Nessus at =  Either update your signatures, or download this nessus =
signature: vxworks_ftpd.nasl =

For a report on Security Risk Factors with IP Telephony based Networks =

Also reference article "is VoIP vulnerable"? =

Above Copyright(c) 2002, SECNAP Network Security, LLC.  World rights =

This security report can be copied and redistributed electronically =
provided it is not edited and is quoted in its entirety without written =
consent of SECNAP Network Security, LLC.  Additional information or =
permission may be obtained by contacting SECNAP Network Security at =
561-368-9561 or at

Michael  S. Scheidell
SECNAP Network Security  / 1+561.368.9561, 1131


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>

  Закладки на сайте
  Проследить за страницей
Created 1996-2017 by Maxim Chirkov  
Hosting by Ihor