


Category:   Application (Security)  >   Red-Alert
Vendors:   Red-M
Red-M Red-Alert Can Be Rebooted By Remote Users
SecurityTracker Alert ID:  1009001
CVE Reference:   CVE-2004-2078, CVE-2004-2079, CVE-2004-2080
Updated:  Jun 24 2008
Original Entry Date:  Feb 10 2004
Impact:   Denial of service via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): Tested on hardware version 2.7.5, software v3.1 build 24
Description:   A vulnerability was reported in Red-M's Red-Alert wireless security/intrusion monitoring system. A remote user can cause the system to reboot, dropping any locally logged events. The system may also fail to correctly identify certain SSID strings.

Bruno Morisson reported that a remote user can connect to the target Red-Alert appliance and supply data that is longer than approximately 1230 bytes to cause the appliance to reboot.

A demonstration exploit is provided:

$ perl -e 'print "a"x1230 . "\r\n\r\n"' | nc <device ip> 80

When the device reboots, any logging information on the device will be lost, the report said.

It is also reported that the device uses IP address authentication. A remote user can connect to the device as an authenticated user if a valid administrator has recently authenticated from the same IP address.
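
The following added example (not code from the advisory or from Red-M) models the IP-bound authentication described above next to a session keyed by a per-browser token with a hard expiry. The timeout values, the one-minute refresh interval, the class names and the 192.0.2.10 address are assumptions made for the illustration.

```python
import secrets

IDLE_TIMEOUT = 300         # assumed value for "a few minutes" of inactivity
ABSOLUTE_LIFETIME = 1800   # assumed hard cap; not stated in the advisory

class IpBoundAuth:
    """Model of the reported behaviour: the session is keyed by source IP."""
    def __init__(self):
        self.last_seen = {}                      # source IP -> last request time
    def login(self, src_ip, now):
        self.last_seen[src_ip] = now             # no token is issued
    def authorized(self, src_ip, now, token=None):
        seen = self.last_seen.get(src_ip)
        if seen is None or now - seen > IDLE_TIMEOUT:
            return False
        self.last_seen[src_ip] = now             # every request renews the session
        return True

class TokenAuth:
    """Session keyed by a random per-browser token, with a hard expiry."""
    def __init__(self):
        self.sessions = {}                       # token -> (created, last_seen)
    def login(self, src_ip, now):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (now, now)
        return token
    def authorized(self, src_ip, now, token=None):
        created, seen = self.sessions.get(token, (None, None))
        if created is None:
            return False
        if now - seen > IDLE_TIMEOUT or now - created > ABSOLUTE_LIFETIME:
            del self.sessions[token]
            return False
        self.sessions[token] = (created, now)
        return True

def simulate(auth, duration=7200, refresh_every=60):
    """Administrator logs in at t=0 from behind NAT and leaves the auto-refreshing
    events page open. Returns (other_user_allowed, session_valid_at_end)."""
    nat_ip = "192.0.2.10"                        # constructed documentation address
    token = auth.login(nat_ip, 0)
    other_user = auth.authorized(nat_ip, 30)     # same NAT address, no token
    valid = True
    for t in range(refresh_every, duration + 1, refresh_every):
        valid = auth.authorized(nat_ip, t, token)
    return other_user, valid
```

With the IP-keyed model the second user behind the same address is accepted and the refreshing page keeps the session alive for the whole run; with the token model both outcomes are False.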

It is also reported that a remote SSID that contains multiple space (0x20) characters will not be properly identified. Multiple space characters are reportedly detected by the device as a single space character.
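
The effect on monitoring can be seen in the following added example (not code from the advisory or from Red-M), which groups observed networks by SSID once with the reported space-collapsing behaviour and once with byte-exact comparison. The function names, SSIDs and BSSIDs are constructed for the illustration.

```python
import re
from collections import defaultdict

def collapsed_key(ssid: bytes) -> bytes:
    """Reported behaviour: any run of 0x20 octets is seen as one space."""
    return re.sub(rb" {2,}", b" ", ssid)

def exact_key(ssid: bytes) -> bytes:
    """Byte-exact identity: an SSID is 0 to 32 arbitrary octets."""
    if len(ssid) > 32:
        raise ValueError("SSID longer than 32 octets")
    return bytes(ssid)

def display(ssid: bytes) -> str:
    """Log rendering that keeps runs of spaces visible via the octet count."""
    text = "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in ssid)
    return f'"{text}" ({len(ssid)} octets)'

def group_by_ssid(observations, key):
    """Map each SSID identity to the set of BSSIDs seen advertising it."""
    groups = defaultdict(set)
    for ssid, bssid in observations:
        groups[key(ssid)].add(bssid)
    return dict(groups)

# Constructed observations (SSID octets, BSSID); not captured from a real probe.
OBSERVED = [
    (b"guest net", "02:00:00:00:00:01"),
    (b"guest  net", "02:00:00:00:00:02"),   # two spaces
    (b" " * 7, "02:00:00:00:00:03"),        # an all-space SSID, as in the advisory
    (b" ", "02:00:00:00:00:04"),
]

if __name__ == "__main__":
    for name, key in (("collapsed", collapsed_key), ("exact", exact_key)):
        print(name)
        for ident, bssids in group_by_ssid(OBSERVED, key).items():
            print("  ", display(ident), sorted(bssids))
```

Collapsing merges the four constructed networks into two records, while byte-exact comparison keeps all four distinct.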

The following notification timeline is provided:

October 3, 2003 - Vendor notified
January 8, 2004 - New firmware version tested
February 8, 2004 - Advisory released

Impact:   A remote user can cause the device to reboot, dropping any locally stored logging information.

A remote user may be able to gain authenticated access to the device if a valid administrator has authenticated from the same IP address.

The device will not properly identify certain SSID strings.

Solution:   The vendor has released a firmware update, available from Red-M and local partners.
Cause:   Authentication error, Boundary error, State error

Message History:   None.

 Source Message Contents

Subject:  [Full-Disclosure] Red-M Red-Alert Multiple Vulnerabilities

Red-M Red-Alert Multiple Vulnerabilities
Product:           RedAlert
Versions Affected: Tested with hardware version 2.7.5, software v3.1 build 24
Status:            Fixed by vendor
Vendor URL:
Advisory URL:
Author:            Bruno Morisson <>
   3 October  2003 - Vendor contacted through local partner
   8 January  2004 - New firmware version tested
   8 February 2004 - Advisory released
Copyright notice:
  This advisory, parts of it, or of the information herein
  can be reproduced as long as proper credit is given to the author(s).
Product Description:
  Red-Alert is a wireless (802.11b/Bluetooth) probe that monitors and
  reports on wireless security threats.
  1) Any unauthenticated user can remotely reboot the Red-Alert probe, and
     all locally logged events are lost.
  2) The user authentication is bound to the source IP address
     of the user authenticating, hence any other user behind the same address
     will not be asked for authentication.
  3) The probe will not correctly identify SSID strings that contain multiple
     space (0x20) characters.
  1) Any unauthenticated user can remotely reboot the Red-Alert
     appliance through the webserver.
     When a browser request is longer than approximately 1230 bytes, the
     appliance simply reboots. Consequently, all information is lost.
     *Anything* sent to the device's tcp port 80 longer than approx.
     1230 bytes reboots it, whether it's a valid request or not.
     This can be tested, for example, using perl and netcat:
     $ perl -e 'print "a"x1230 . "\r\n\r\n"' | nc <device ip> 80
     The device reboots, and all locally logged information is lost.
  2) The authentication of the probe administrator is bound to the user's
     IP address. If multiple users are behind a nat or proxy, any of
     those users can access the gui without restrictions after authentication.
     The authentication does, in fact, expire after a few minutes of
     inactivity, however, since the events popup page auto-refreshes itself
     the session will potentially never expire.
  3) If there are wireless networks detected by the probe with an SSID
     with multiple space (0x20) characters, the probe fails to correctly
     identify them. For example, if a network has the SSID "       ",
     the probe will detect it as " "(single space character). Any sequence
     of multiple space characters in any substring of the SSID are
     represented as one single space character.
  Contact Red-M or your local partner for a firmware update.
  The information in this advisory is provided AS IS, with no
  guarantee that its contents are correct, although the author
  believes them to be so. The author takes no responsibility for
  the use or misuse of the information in this advisory or methods
  described. Use at your own responsibility.
