Re: Zyxel Prestige 681 and 1600 (possibly other?) remote DoS
From: Przemyslaw Frasunek (venglin@freebsd.lublin.pl) Date: 12/18/01
- Previous message: Georgi Guninski: "Re: MSIE may download and run progams automatically - NOT SO FAST"
- In reply to: Przemyslaw Frasunek: "Zyxel Prestige 681 and 1600 (possibly other?) remote DoS"
- Next in thread: Eric Maiwald: "Re: IIS 5.0 Content Length DOS vulnerability"
- Reply: Eric Maiwald: "Re: IIS 5.0 Content Length DOS vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Przemyslaw Frasunek <venglin@freebsd.lublin.pl> To: bugtraq@securityfocus.com Date: Tue, 18 Dec 2001 19:11:48 +0100
On Friday 14 December 2001 12:08, Przemyslaw Frasunek wrote:
> The workaround is to switch off routing and put the device in bridging mode.
> Zyxel support has been notified. I won't release details of the attack until
> ZyNOS is patched.
I haven't received any response from the Zyxel helpdesk, so it is time to publish
the details.
[*] First vulnerability
The P681/1600 SDSL module restarts when it receives IP packets with ip_len < real
packet size. Resynchronizing the SDSL link takes about 2-3 minutes.
How to repeat: [1]
# iptest -d fxp0 -1 -p 6 -g x.x.x.x y.y.y.y
[*] Second vulnerability
The P681 (not tested on the P1600) crashes when it receives a fragmented packet
which is longer than 64k after reassembly. This is an old attack known as
ping of death.
How to repeat: [1]
# iptest -d fxp0 -1 -p 8 -g x.x.x.x y.y.y.y
[*] Details
Both crashes can be triggered only when the IP packet is addressed to the Zyxel
router itself and arrives on the SDSL WAN interface. The device won't crash if it
works in bridging mode or if the packet is only forwarded, not processed.
[*] Workaround
Put the device in bridging mode or filter ALL incoming traffic. Packet filters in
ZyNOS *WILL NOT* prevent the attack; traffic must be blocked before it
reaches the P681/P1600 device.
I haven't got access to the serial console of the P681. Can someone send me the
output after the second attack? Probably ZyNOS crashes with some kind of page fault.
[1] The iptest application comes from the ipfilter package by Darren Reed.
--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
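The post describes two malformed-packet patterns (an ip_len field smaller than the real packet, and a fragment whose reassembled size would exceed 64k) and states that the only effective workaround is to block such traffic before it reaches the Zyxel device. The following Python example is added here and is not part of the original post, nor code from Zyxel or the ipfilter project: it implements the two IPv4 header sanity checks an upstream packet filter or IDS would apply to catch these patterns. All packet bytes are constructed inline with RFC 5737 documentation addresses, so it runs offline; `build_ipv4`, `classify` and the sample names are my own.

```python
import struct
from typing import Optional

IPV4_MAX_LEN = 65535  # largest datagram the 16-bit Total Length field can describe


def build_ipv4(total_len: int, payload: bytes, frag_offset_units: int = 0,
               more_fragments: bool = False, proto: int = 1) -> bytes:
    """Assemble a minimal 20-byte IPv4 header plus payload (constructed test data).

    total_len is written into the header exactly as given, so a caller can make it
    disagree with the real packet size on purpose. The checksum is left at zero;
    the checks below do not depend on it.
    """
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 254]))
    return header + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the header fields the two sanity checks need."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": (ver_ihl & 0x0F) * 4,               # header length in bytes
        "total_len": total_len,                    # ip_len as claimed by the sender
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # fragment offset in bytes
        "proto": proto,
        "wire_len": len(pkt),                      # what actually arrived
    }


def check_length_mismatch(pkt: bytes) -> Optional[str]:
    """First pattern: ip_len smaller than the header or than the bytes on the wire."""
    h = parse_ipv4(pkt)
    if h["version"] != 4:
        return "not an IPv4 packet"
    if h["total_len"] < h["ihl"]:
        return f"ip_len {h['total_len']} is smaller than the header length {h['ihl']}"
    if h["total_len"] < h["wire_len"]:
        return f"ip_len {h['total_len']} is smaller than the captured size {h['wire_len']}"
    return None


def check_fragment_overflow(pkt: bytes) -> Optional[str]:
    """Second pattern: a fragment whose end lies past the 65535-byte datagram limit."""
    h = parse_ipv4(pkt)
    payload_len = h["total_len"] - h["ihl"]
    end = h["frag_offset"] + payload_len
    if end > IPV4_MAX_LEN:
        return f"fragment covers bytes {h['frag_offset']}..{end}, beyond {IPV4_MAX_LEN}"
    return None


def classify(pkt: bytes) -> list:
    """Run both checks; an empty list means the packet passed."""
    return [f for f in (check_length_mismatch(pkt), check_fragment_overflow(pkt)) if f]


# Constructed samples: a well-formed 60-byte ICMP packet, the same packet with an
# understated ip_len, and a final fragment placed so reassembly would pass 65535.
GOOD = build_ipv4(20 + 40, b"\x08\x00" + b"\x00" * 38)
SHORT_LEN = build_ipv4(20 + 8, b"\x08\x00" + b"\x00" * 38)   # claims 28, carries 60
OVERFLOW_FRAG = build_ipv4(20 + 40, b"\x00" * 40, frag_offset_units=8189)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("short_len", SHORT_LEN), ("overflow_frag", OVERFLOW_FRAG)):
        print(name, classify(pkt) or "ok")
```

Both checks need only the fixed IPv4 header plus the captured length, so they fit in a filter placed in front of the router, which is where the post says the blocking has to happen; the second check works per fragment and does not require buffering the whole datagram for reassembly.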