Bugtraq mailing list archives
Re: Zyxel Prestige 681 and 1600 (possibly other?) remote DoS
From: Przemyslaw Frasunek <venglin () freebsd lublin pl>
Date: Tue, 18 Dec 2001 19:11:48 +0100
On Friday 14 December 2001 12:08, Przemyslaw Frasunek wrote:
The workaround is to switch off routing and put device in bridging mode. Zyxel support has been notified, I won't release details of attack, until ZyNOS will be patched.
I haven't received any response from Zyxel helpdesk so time to publish the details. [*] First vulnerability P681/1600 SDSL module restarts when it receives IP packets with ip_len < real packet size. Resynchronizing of SDSL takes about 2-3 minutes. How to repeat: [1] # iptest -d fxp0 -1 -p 6 -g x.x.x.x y.y.y.y [*] Second vulnerability P681 (not tested on P1600) device crashes when it receives fragmented packet which is longer than 64k after reassembly. This is an old attack known as ping of death. How to repeat: [1] # iptest -d fxp0 -1 -p 8 -g x.x.x.x y.y.y.y [*] Details Both crashes can be triggered only when IP packet is targeted to Zyxel router and comes from SDSL WAN interface. Device won't crash if it works in bridging mode or packet is only forwarded, not processed. [*] Workaround Put device in bridging mode or filter ALL incoming traffic. Packet filters in ZyNOS *WILL NOT* prevent from attack, traffic must be blocked before it reaches P681/P1600 device. I haven't got access to serial console of P681. Can someone send me an output after second attack? Probably ZyNOS crashes with some kind of page fault. [1] Iptest application comes from ipfilter package by Darren Reed. -- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE * * Inet: przemyslaw () frasunek com ** PGP: D48684904685DF43EA93AFA13BE170BF *
Current thread:
- Zyxel Prestige 681 and 1600 (possibly other?) remote DoS Przemyslaw Frasunek (Dec 14)
- Re: Zyxel Prestige 681 and 1600 (possibly other?) remote DoS Przemyslaw Frasunek (Dec 18)
- Re: IIS 5.0 Content Length DOS vulnerability Eric Maiwald (Dec 18)
- Re: Zyxel Prestige 681 and 1600 (possibly other?) remote DoS Przemyslaw Frasunek (Dec 18)