ZyXEL 642R(-11) AJ.6 SYN-ACK, SYN-FIN DoS
From: Kistler Ueli <iuk () gmx ch>
Date: Mon, 17 Jun 2002 14:59:11 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Name: ZyXEL 642R(-11) AJ.6, other routers based on ZyNOS are also
susceptible to this DoS
Systems Affected: ZyNOS
Severity: Medium Risk
Category: Denial of Service
Vendor URL: www.zyxel.com
Vendor contacted: 1.6.2002
Vendor fix: -
- - -------
ZyXEL Prestige 642R-11 AJ.6 has a problem handling special packets.
It is possible to send a packet that will make the router's
services unavailable (Telnet & FTP; DHCP service not tested).
Network traffic isn't stopped.
Possibly more ZyNOS-based routers are vulnerable. Please reply if you
find any other ZyNOS-based router to be vulnerable.
- - -------
A ZyXEL 642R-11 router service can be crashed by sending a packet
with TCP flags ACK and SYN set at the same time.
The service will not be available even through RS-232.
Using a SYN-FIN packet will make the service port inaccessible for a
Affected services on ZyXEL 642R-11 are: TELNET, FTP and DHCP (if
enabled). TELNET and FTP cannot be deactivated.
Bypass packet filter rules:
The source IP address can also be a spoofed one. This allows "bypassing"
a filter that blocks specific IPs.
As the target address, the WAN address can also be used from the LAN (see
BID3346: http://online.securityfocus.com/bid/3346), if the router
blocks its local address as target.
The DoS attack also works using the broadcast address of the LAN.
This means that all ZyXEL routers on the LAN that are vulnerable
to this attack can be crashed by sending one single packet.
- - -------
# This is a RafaleX script (Download: www.packx.net)
# Rafale X script
# Action : Make a ZyXEL 642R Prestige Router inaccessible on port 23
%name=ZyXEL telnet service DoS
%category=Denial of service
%description=Crash ZyXEL router telnet service with ACK and SYN flag
// Do the stuff...
!Display=Sending the packet...
!SEND 1 TCP
!Display=ACK/SYN Packet sent! ZyXEL telnet service crashed
- - ---
not yet available (17.6.2002). Vendor was contacted 1.6.2002.
- - ----------
- - - on WAN device block these packets:
- all packets coming from WAN to port 21,23 and 67
(source: 0.0.0.0 -> target: 0.0.0.0, apply on input filter of WAN
- - - on LAN device block these packets, ports 21,23 and 67
- WAN IP of the router as target IP (Why?
- LAN address of the router as target IP
- Broadcast address as target IP.. ;)
eclipse () packx net / iuk () gmx ch
www.packx.net / www.eclipse.fr.fm (IDScenter 1.09 beta 2 is soon
Greets to PacKX Team (RafaleX packet builder for Win2K/XP)
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
-----END PGP SIGNATURE-----
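The flag combinations and the workaround filter described in this advisory can be written as a detection check over raw IPv4/TCP headers. This is an added example, not part of the original post; the addresses in `ROUTER_ADDRS` and the function names `classify` and `sample` are assumptions made for illustration.

```python
import ipaddress
import struct

# Assumed addresses (hypothetical): the router's LAN IP, WAN IP and LAN broadcast.
ROUTER_ADDRS = {ipaddress.IPv4Address(a)
                for a in ("192.168.1.1", "203.0.113.10", "192.168.1.255")}
GUARDED_PORTS = {21, 23, 67}          # ports named in the advisory's workaround
FIN, SYN, ACK = 0x01, 0x02, 0x10      # TCP flag bits

def classify(packet: bytes):
    """Return 'SYN+FIN' or 'SYN+ACK' if the IPv4/TCP packet matches, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                                   # not IPv4
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if ihl < 20 or packet[9] != 6 or frag_offset or len(packet) < ihl + 14:
        return None                                   # no TCP header to inspect
    dst = ipaddress.IPv4Address(packet[16:20])
    dport, = struct.unpack("!H", packet[ihl + 2:ihl + 4])
    flags = packet[ihl + 13]
    if dst not in ROUTER_ADDRS or dport not in GUARDED_PORTS:
        return None                                   # outside the workaround's scope
    if flags & SYN and flags & FIN:
        return "SYN+FIN"                              # never a valid combination
    if flags & SYN and flags & ACK:
        # Assumption: the router only listens on these ports, so it never
        # sends the SYN that a SYN+ACK arriving here would be answering.
        return "SYN+ACK"
    return None

def sample(dst: str, dport: int, flags: int) -> bytes:
    """Constructed test input: minimal IPv4+TCP header bytes (checksums zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address("198.51.100.7").packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50, flags, 1024, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    for dst, port, fl in [("192.168.1.1", 23, SYN | ACK),
                          ("192.168.1.255", 21, SYN | FIN),
                          ("192.168.1.1", 23, SYN),
                          ("192.168.1.1", 80, SYN | ACK)]:
        print(dst, port, hex(fl), classify(sample(dst, port, fl)))
```

Because the advisory notes that the source address can be spoofed, the check keys only on destination address, destination port and flags, never on the source.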