Re: PacketShaper

From: Stephen Bernard (sbernard@gmu.edu)
Date: Tue May 04 2004 - 14:35:13 EDT


GRUPOHEMAC.- juan davila wrote:

> Upgrade the software to version 6 and configure only access on interfaces
> inbound for management .
>
> Hemac Teleinformatica
> Ing. Juan Carlos Davila Ortiz
> Ingenieria
> Chapultepec # 710 Col. Moderna
> 3616-3824 Guadalajara, Jal.
> jdavila@grupohemac.com.mx
>
>
> ---------- Original Message -----------
> From: "Brewis, Mark" <mark.brewis@eds.com>
> To: "'Filipe A.'" <incognito@patria.ath.cx>, pen-test@securityfocus.com
> Sent: Mon, 3 May 2004 20:56:11 +0100
> Subject: RE: PacketShaper
>
>
>>Filipe,
>>
>>I had a look at one of these about three years ago; I sent out a similar
>>request and didn't get anything back. I didn't find anything in its
>>deployed state, although you appear to have more ports available
>>than I remember seeing. What is it using echo for?
>>
>>Obviously, a lot of things have moved on in that time with regard to
>>application testing. Can you get anything out of the webserver at
>>all? Is it an apache, tomcat or lynx derivative, or is it
>>proprietary? If you haven't already, try using attacks against
>>those as a starting place if it is proprietary, and then fuzz on
>>those. It may be one of those things that you feel ought to break,
>> but never does.
>>
>>No idea about the algorithm, I'm afraid.
>>
>>Good luck,
>>
>>Mark
>>
>>Mark Brewis
>>
>>Security Consultant
>>EDS
>>UK Information Assurance Group
>>Wavendon Tower
>>Milton Keynes
>>Buckinghamshire
>>MK17 8LX.
>>
>>Tel: +44 (0)1908 28 4013
>>Mbl: +44 (0)7989 291 648
>>Fax: +44 (0)1908 28 4393
>>E@: mark.brewis@eds.com
>>
>>This email is confidential and intended solely for the use of the
>>individual(s) to whom it is addressed. Any views or opinions
>>presented are solely those of the author. If you are not the
>>intended recipient, be advised that you have received this email in
>>error and that any use, dissemination, forwarding, printing, or
>>copying of this mail is strictly prohibited.
>>
>>Precautions have been taken to minimise the risk of transmitting software
>>viruses, but you must carry out your own virus checks on any
>>attachment to this message. No liability can be accepted for any
>>loss or damage caused by software viruses.
>>
>>
>>
>>>>-----Original Message-----
>>>>From: Filipe A. [mailto:incognito@patria.ath.cx]
>>>>Sent: 28 April 2004 10:48
>>>>To: pen-test@securityfocus.com
>>>>Subject: PacketShaper
>>>>
>>>>
>>>>
>>>> Hello. I'm in the middle of a pentest. On my client's network sits
>>>>a PacketShaper (v5.3.0) from Packeteer [1]. This seems to be a
>>>>commom device for traffic shaping yet I can't find any published
>>>>vulnerabilities for it. Open ports are 7, 21, 23 and 80. Both web and
>>>>telnet interfaces require only a password for authentication, no
>>>>username needed. Default pwds were no good. I can code a brute
>>>>forcer but was wondering if anyone here has audited one of these boxes
>>>>and can share some info.
>>>>SNMP read community is also available but I don't find any sensitive
>>>>information there, apart from traffic statistics. One last
>>>>fact, I found
>>>>this quote in Packeteer's site regarding password recovery:
>>>>"[...] contact Customer Support. After you provide them with
>>>>your serial
>>>>number, they will generate a default password you can use to
>>>>access your
>>>>unit via the command-line or browser interface." If I understand
>>>>correctly there's an algorithm somewhere that will generate a default
>>>>pwd for each box according to it's serial number. Any ideas? (social
>>>>engeneering is out of scope for this audit)
>>>>
>>>>Thanks in advance.
>>>>
>>>>
>>>>[1]
>>>>http://www.packeteer.com/prod-sol/products/packetshaper_topologies.cfm
>>>>
>>>>
>>>>
>>>>
>>>>--------------------------------------------------------------
>>>>----------------
>>>>Ethical Hacking at the InfoSec Institute. Mention this ad and
>>>>get $545 off
>>>>any course! All of our class sizes are guaranteed to be 10
>>>>students or less
>>>>to facilitate one-on-one interaction with one of our expert
>>>>instructors.
>>>>Attend a course taught by an expert instructor with years of
>>>>in-the-field
>>>>pen testing experience in our state of the art hacking lab.
>>>>Master the skills
>>>>of an Ethical Hacker to better assess the security of your
>>>>organization.
>>>>Visit us at:
>>>>http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>>>>--------------------------------------------------------------
>>>>-----------------
>>>>
>>
>>---------------------------------------------------------------------------
>
> ---
>
>>Ethical Hacking at the InfoSec Institute. Mention this ad and get
>>$545 off any course! All of our class sizes are guaranteed to be 10
>>students or less to facilitate one-on-one interaction with one of
>>our expert instructors. Attend a course taught by an expert
>>instructor with years of in-the-field pen testing experience in our
>>state of the art hacking lab. Master the skills of an Ethical Hacker
>>to better assess the security of your organization. Visit us at:
>
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>
>>---------------------------------------------------------------------------
>
> ----
> ------- End of Original Message -------
>
>
> ------------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> -------------------------------------------------------------------------------
>
>

I have managed PacketShapers for several years. The boxes run a modified
FreeBSD codebase and act as transparent bridges, with the exception of
the management interface. There have been a several vulnerabilities
resulting from issues with OpenSSH, OpenSSL, Apache, etc. but nothing
that I would blame on Packeteer. Depending on how the box is configured
and implemented, it is possible to circumvent some of its control
capabilities, and also to DoS the box. If you could root the box there
are obviously a lot of "fun" things that could be done to the traffic
passing through it. Crashing the box could be fruitful/interesting as
they fail open, but obviously without any bandwidth/traffic controls
running. This is also the case if power to the device is disrupted.

Steve

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:53 EDT