Re: Zyxel Prestige 681 and 1600 (possibly other?) remote DoS

[Przemyslaw Frasunek <venglin () freebsd lublin pl>]

On Friday 14 December 2001 12:08, Przemyslaw Frasunek wrote:
> The workaround is to switch off routing and put device in bridging mode.
> Zyxel support has been notified, I won't release details of attack, until
> ZyNOS will be patched.

I haven't received any response from Zyxel helpdesk so time to publish the 
details.

[*] First vulnerability

P681/1600 SDSL module restarts when it receives IP packets with ip_len < real 
packet size. Resynchronizing of SDSL takes about 2-3 minutes.

How to repeat: [1]

# iptest -d fxp0 -1 -p 6 -g x.x.x.x y.y.y.y

[*] Second vulnerability

P681 (not tested on P1600) device crashes when it receives fragmented packet 
which is longer than 64k after reassembly. This is an old attack known as 
ping of death.

How to repeat: [1]

# iptest -d fxp0 -1 -p 8 -g x.x.x.x y.y.y.y

[*] Details

Both crashes can be triggered only when IP packet is targeted to Zyxel router 
and comes from SDSL WAN interface. Device won't crash if it works in bridging 
mode or packet is only forwarded, not processed.

[*] Workaround

Put device in bridging mode or filter ALL incoming traffic. Packet filters in 
ZyNOS *WILL NOT* prevent from attack, traffic must be blocked before it 
reaches P681/P1600 device.

I haven't got access to serial console of P681. Can someone send me an output 
after second attack? Probably ZyNOS crashes with some kind of page fault.

[1] Iptest application comes from ipfilter package by Darren Reed. 

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw () frasunek com ** PGP: D48684904685DF43EA93AFA13BE170BF *