Bugtraq mailing list archives
Re: ZyXEL Prestige Router Remote Node Filtering Vulnerability still present
From: Daniel Roethlisberger <daniel () roe ch>
Date: Fri, 12 Jul 2002 09:55:37 +0200
Bernardo Pons <master () atlas-iap es> wrote:
> bugtraq id 3162: "When more than one remote node filtering rule is applied, the first filtering rule is the only one that takes effect."
> Although bugtraq id 3162 reports that ZyXEL released a firmware update 2.50(AL.1) to fix this vulnerability for the Prestige 642 routers, it seems this bug is still present in new firmware versions.
To the best of my knowledge, BID 3162 is not accurate. I was not even aware of that BID until now. It seems that SecurityFocus staff do not always read BugTraq as thoroughly as they should :-> As Peter Gutmann first pointed out in the discussion about BID 3161 in [1], it is not a flaw in the firmware, but simply a misconfiguration of the filter rules you chain together. The preconfigured rules are _not_ configured to be chained together. This flaw can be considered to consist of both a not too bright default configuration, and a somewhat misleading filtering concept which is underdocumented. But it is not a bug in the firmware.
> This configuration has been tested and still has the bug.
Are you definitely, positively sure that you did configure the filter rules to chain correctly? Only the last one may allow a packet; all previous filter rules must pass packets on to the next rule (or drop them, of course). If the first rule allows a packet through, the second rule never gets to see the packet.
> -- Bernardo Pons
BTW, your sig-dashes seem to be missing the required trailing space.
Cheers,
Dan
[1] http://online.securityfocus.com/archive/1/203313
-- 
Daniel Roethlisberger <daniel () roe ch>
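The chaining behaviour described in the reply above, as an added example that is not part of the original post and is not ZyXEL firmware code. The rule model (`Rule`, the three action names, the `default` verdict past the last rule) is a hypothetical simplification, and the rule sets and packet are constructed.

```python
from dataclasses import dataclass
from typing import Callable

# Hypothetical action names for this model (not taken from the firmware).
FORWARD, DROP, NEXT = "forward", "drop", "check-next"

@dataclass
class Rule:
    name: str
    matches: Callable[[dict], bool]
    on_match: str   # action when the packet matches the rule
    on_miss: str    # action when it does not

def evaluate(chain, packet, default=FORWARD):
    """Walk the chain; return (verdict, names of rules that saw the packet)."""
    seen = []
    for rule in chain:
        seen.append(rule.name)
        action = rule.on_match if rule.matches(packet) else rule.on_miss
        if action != NEXT:      # forward/drop is final: later rules are skipped
            return action, seen
    return default, seen        # assumption: verdict once the chain is exhausted

def shadowing_rules(chain):
    """Non-final rules that can forward, so later rules may never run."""
    return [r.name for r in chain[:-1] if FORWARD in (r.on_match, r.on_miss)]

def port(n):
    return lambda pkt: pkt["proto"] == "tcp" and pkt["dport"] == n

# Constructed rule sets: both are meant to block inbound telnet (23) and FTP (21).
# "unchained": every rule forwards on a miss, so only the first rule is effective.
unchained = [Rule("no-telnet", port(23), DROP, FORWARD),
             Rule("no-ftp",    port(21), DROP, FORWARD)]
# "chained": only the last rule may forward; earlier rules hand the packet on.
chained   = [Rule("no-telnet", port(23), DROP, NEXT),
             Rule("no-ftp",    port(21), DROP, FORWARD)]

ftp = {"proto": "tcp", "dport": 21}   # constructed packet

if __name__ == "__main__":
    for label, chain in (("unchained", unchained), ("chained", chained)):
        print(label, evaluate(chain, ftp), "shadowing:", shadowing_rules(chain))
```

A non-empty result from `shadowing_rules` is the condition to audit for: it names the earlier rules that can end evaluation with a forward before the rest of the chain is consulted.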