|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Przemyslaw Frasunek (venglin
freebsd.lublin.pl)Date: Tue Dec 18 2001 - 12:11:48 CST
On Friday 14 December 2001 12:08, Przemyslaw Frasunek wrote:
> The workaround is to switch off routing and put device in bridging mode.
> Zyxel support has been notified, I won't release details of attack, until
> ZyNOS will be patched.
I haven't received any response from Zyxel helpdesk so time to publish the
details.
[*] First vulnerability
P681/1600 SDSL module restarts when it receives IP packets with ip_len < real
packet size. Resynchronizing of SDSL takes about 2-3 minutes.
How to repeat: [1]
# iptest -d fxp0 -1 -p 6 -g x.x.x.x y.y.y.y
[*] Second vulnerability
P681 (not tested on P1600) device crashes when it receives fragmented packet
which is longer than 64k after reassembly. This is an old attack known as
ping of death.
How to repeat: [1]
# iptest -d fxp0 -1 -p 8 -g x.x.x.x y.y.y.y
[*] Details
Both crashes can be triggered only when IP packet is targeted to Zyxel router
and comes from SDSL WAN interface. Device won't crash if it works in bridging
mode or packet is only forwarded, not processed.
[*] Workaround
Put device in bridging mode or filter ALL incoming traffic. Packet filters in
ZyNOS *WILL NOT* prevent from attack, traffic must be blocked before it
reaches P681/P1600 device.
I haven't got access to serial console of P681. Can someone send me an output
after second attack? Probably ZyNOS crashes with some kind of page fault.
[1] Iptest application comes from ipfilter package by Darren Reed.
-- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE * * Inet: przemyslaw
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]