Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Knud Erik Højgaard (knudcybercity.dk)
Date: Tue Mar 12 2002 - 10:17:16 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    No answer/bounce, so I'm trying a repost here..


    Denial of Service in ZyXEL ZyWALL10 - http://www.zyxel.com/product/security/zywall10.htm

    [vendor status]
    About half a year ago I found a 'funny' DoS condition in the ZyWALL10. ZyXEL was informed, and they at least confirmed the bug, but i believe that's all i heard. According to www.zyxel.com a new firmware for the ZyWALL10 was released 2002/01/10 - i wrote an email to a ZyXEL employee, and the bug is fixed in this version.

    The DoS is simple, using nemesis-arp (from The NEMESIS Project) or a similar tool (like arp-fun) it's possible to make the firewall drop its LAN connection.

    If you send an arp packet containing some bogus/random MAC address and the firewalls ip to the firewalls lan interface the firewall will 'down' the lan interface and never 'up' it again. The firewall needs a powercycle to restore function, but thats not all. The firewall never 'reopens' the lan interface, so you need to connect via a console cable, go to the lan setup menu, and press enter a few times to 'confirm' the settings to get it back in working order. Sort of a pain in the rear if the firewall is behind a locked door..

    nemesis-arp -S -D -h de:ad:ba:be:f0:0d -d ed1

    (in this case the firewall's IP is and the ethernet adapter is ed1)

    Manzon, Merkinball, SiGNOUT, evilpoo, ewadoh, |ole|, zaarnik, ZyXEL.

    From me me me, Knud Erik Højgaard.