[22198] in bugtraq
Re: ZyXEL Prestige 642R: Exposed Admin Services on WAN with Default Password
daemon@ATHENA.MIT.EDU (Daniel Roethlisberger)
Fri Aug 10 20:34:18 2001
Date: Fri, 10 Aug 2001 21:48:56 +0200
From: Daniel Roethlisberger <daniel@roe.ch>
Message-ID: <138031656.20010810214856@roe.ch>
To: bugtraq@securityfocus.com
In-Reply-To: <200108101355.BAA232471@ruru.cs.auckland.ac.nz>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
It seems that some of the statements made in my original posting
were not fully accurate.
First off, I've been told that P642R's used over PPPoE -are-
vulnerable, unless SUA is disabled too. I have no means to verify
this, so I am unsure whether this is the end of the story.
Second, I stated that setting up SUA Server rules does not work.
This is plain wrong, it -does-, yet for some reason my initial
attempt to do so failed. It seems that SUA Server rules take
precedence over the local admin services after all. One possible
workaround for the exposed ports is in fact to set up SUA Server
rules for ports 21 and 23 which point to a non-existant IP
address. This is in fact an easier solution than correcting and
applying the filter rules (see below), if not the most clean.
Thanks to all those who pointed these details out to me.
Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> It works, but portions of the filter setup process are severely
> underdocumented. You need to be very careful about chaining
> rules together, so that the filter sets have to end with a
> "Check next rule" action for everthing but the last filter set.
> If you end with a Drop/Forward action, the filter does exactly
> that without checking further rules.
You are indeed right. The preconfigured rules TELNET_WAN and
FTP_WAN both have match action Drop and non-match action Forward
in factory defaults. Which means chaining them together within a
filter list will fail. Which in turn means that ZyXEL did not only
choose to not apply the filters, but also set them up in such a
way that they need to be modified in order to apply them both
successfully. Thanks for pointing this out.
Cheers,
Dan
--
Daniel Roethlisberger <daniel@roe.ch>
PGP Key ID 0x8DE543ED with fingerprint
6C10 83D7 2BB8 D908 10AE 7FA3 0779 0355 8DE5 43ED
