On Friday 14 December 2001 12:08, Przemyslaw Frasunek wrote: > The workaround is to switch off routing and put device in bridging mode. > Zyxel support has been notified, I won't release details of attack, until > ZyNOS will be patched. I haven't received any response from Zyxel helpdesk so time to publish the details. [*] First vulnerability P681/1600 SDSL module restarts when it receives IP packets with ip_len < real packet size. Resynchronizing of SDSL takes about 2-3 minutes. How to repeat: [1] # iptest -d fxp0 -1 -p 6 -g x.x.x.x y.y.y.y [*] Second vulnerability P681 (not tested on P1600) device crashes when it receives fragmented packet which is longer than 64k after reassembly. This is an old attack known as ping of death. How to repeat: [1] # iptest -d fxp0 -1 -p 8 -g x.x.x.x y.y.y.y [*] Details Both crashes can be triggered only when IP packet is targeted to Zyxel router and comes from SDSL WAN interface. Device won't crash if it works in bridging mode or packet is only forwarded, not processed. [*] Workaround Put device in bridging mode or filter ALL incoming traffic. Packet filters in ZyNOS *WILL NOT* prevent from attack, traffic must be blocked before it reaches P681/P1600 device. I haven't got access to serial console of P681. Can someone send me an output after second attack? Probably ZyNOS crashes with some kind of page fault. [1] Iptest application comes from ipfilter package by Darren Reed. -- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE * * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
