SV: Zyxel / Netgear and probably other routers leaking information.

From: Jens Kalvik (Jens.Kalvikconect.se)
Date: Tue Feb 01 2005 - 01:56:15 CST


I was a bit quick on this; it seems as if the latest firmware for Zyxel's routers solves the problem. We upgraded from an older firmware to the latest but forgot to empty the ARP cache on the computer, so it looked as if the problem was still there. But the problem with the Netgear RT311 and RT314 is still there, and they even respond when I ping the LAN side from the WAN side. The firmware used on the Netgear routers is V3.26(CA.0); this firmware was mailed to me by Netgear, but it does not solve the problem. To make it easier to understand what I mean, you can also see it like this:

1. Configure a computer to be able to surf the Internet using the router as protection.
2. Move the computer from LAN side to WAN side of the router without changing IP configuration.

When you ping the LAN side from the WAN side there will still be an answer, so the router is leaking.

Hey Jens,
In general, Zyxel is not what it used to be. We had a lot of problems with their WLAN equipment not working as it should.

> the result must be that if I send a packet with the same destination
> IP as the routers LAN IP, I will get an ARP reply from the WAN side.
> This can be used to get information about which IP addresses are used
> on the LAN side when you are sitting on the WAN side. It
- Hmmmm, sounds quite strange. If you know the LAN IP of the router, why do you need to know the structure of the IPs used inside? They are in the same subnet as the router's LAN address anyway.
- Concerning the other issue, pinging from the WAN: well, I believe it shouldn't work at all, just because you use different subnets on the client machine and the router's WAN interface. The router's key problem, as I understand it, is that it doesn't make a difference which port the packet is coming from: as long as it has a valid source IP allocated on whatever subnet is connected to whatever port on the router, the router will answer from the IP on the same subnet as the client machine. Well, I really believe it's a peculiar behaviour, not more than that.
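As an added illustration (not from the thread or either vendor), here is a small Python model of the behaviour Jens reproduces in his two-step test and the reply tries to explain: a "weak host" router that answers ARP and ICMP for any of its own addresses regardless of the ingress interface, next to a "strong host" variant that only answers for the address bound to the ingress interface and also drops packets whose source belongs to another interface's subnet. The interface names and addresses are constructed for the example.

```python
"""Model of the 'weak host' behaviour reported in the thread (router answers ARP and
IP for any of its own addresses, whatever interface the request arrived on) next to
a 'strong host' variant that checks the ingress interface. Addresses are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    ingress: str  # interface the frame arrived on

class Router:
    def __init__(self, ifaces, strong_host):
        self.ifaces = {n: IPv4Interface(a) for n, a in ifaces.items()}
        self.strong_host = strong_host

    def _owner(self, ip):
        # interface that carries this address, or None if it is not ours
        return next((n for n, i in self.ifaces.items() if i.ip == ip), None)

    def arp_reply(self, target, ingress):
        owner = self._owner(target)
        if owner is None:
            return False
        # weak host: answers for the LAN IP even when asked on the WAN port
        return True if not self.strong_host else owner == ingress

    def handle(self, pkt):
        owner = self._owner(pkt.dst)
        if self.strong_host:
            for n, i in self.ifaces.items():
                # a source from another interface's subnet cannot legitimately arrive here
                if n != pkt.ingress and pkt.src in i.network:
                    return "drop"
            if owner is not None and owner != pkt.ingress:
                return "drop"
        return "reply" if owner is not None else "forward"

IFACES = {"lan": "192.168.1.1/24", "wan": "10.0.0.2/24"}  # constructed
LAN_IP = IPv4Address("192.168.1.1")
# the thread's test: a LAN-configured host moved to the WAN side pings the LAN IP
MOVED = Packet(IPv4Address("192.168.1.100"), LAN_IP, "wan")
NORMAL = Packet(IPv4Address("192.168.1.100"), LAN_IP, "lan")  # same host, LAN side

def reproduce():
    leaky, fixed = Router(IFACES, False), Router(IFACES, True)
    return {"leaky": (leaky.arp_reply(LAN_IP, "wan"), leaky.handle(MOVED)),
            "fixed": (fixed.arp_reply(LAN_IP, "wan"), fixed.handle(MOVED)),
            "fixed_normal": fixed.handle(NORMAL)}
```

For the moved host, the leaky model yields an ARP answer and an ICMP reply on the WAN port, while the strict model gives no ARP answer and drops the ping; the same host on the LAN side is still answered normally.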

