[22236] in bugtraq
Fwd: ZyXEL Prestige 642 Router Administration Interface Vulnerability
daemon@ATHENA.MIT.EDU (Daniel Roethlisberger)
Tue Aug 14 13:42:40 2001
Date: Tue, 14 Aug 2001 18:45:32 +0200
From: Daniel Roethlisberger <daniel@roe.ch>
Message-ID: <1212505453.20010814184532@roe.ch>
To: bugtraq@securityfocus.com
It seems that some ZyXEL regional offices have reacted and
reworked the configuration of all P642R firmware releases. Their
fixed firmware is available at ftp://ftp.europe.zyxel.com/ .
Unfortunately, there seems to be a bit of a release management
problem within ZyXEL; the fixed firmware is some releases older
than the latest firmware available from the Swiss ZyXEL
distributor, Studerus AG, at http://www.zyxel.ch/ .
This also confirms that the firmware that was fixed after Sean
Boran reported this issue to ZyXEL Switzerland in June/July was
only available within Switzerland, and not elsewhere.
Here are the details:
        ftp.europe.zyxel.com          www.zyxel.ch
R-11    v2.50(AJ.2)r2  09/01/2000     v2.50(AJ.4)C0  07/03/2001
RI-13   v2.50(AL.0)r2  08/08/2000     v2.50(AL.2)b2  05/22/2001
R-61    v2.50(AN.1)r2  02/02/2001     -
The dates are the release dates of the -firmware- as stated in the
release notes, not the last change of the default config rom.
The following is forwarded with the express permission of
Manfred Recla at ZyXEL Austria <mr@zyxel.at>
Cheers,
Dan
BTW: I keep a list of relevant URLs on this issue up to date at
http://www.roe.ch/bugtraq/3161/
[this is a forwarded message]
From: ZyXEL.AT, Manfred Recla <mr@zyxel.at>
To: daniel@roe.ch <daniel@roe.ch>
Date: Tuesday, August 14, 2001, 3:10:55 PM
Subject: Fw: ZyXEL Prestige 642 Router Administration Interface Vulnerability
--- begin of original message ---
----- Original Message -----
From: "ZyXEL.AT, Manfred Recla" <mr@zyxel.at>
To: "Jimmy Jensen" <jj@zyxel.dk>; <fchang@zyxel.com.tw>
Cc: <chfan@zyxel.com.tw>; <mtseng@zyxel.com.tw>; "ZASTECH" <zastech@zyxel.dk>; "FAE @ ZyXEL Europe" <fae@europe.zyxel.com>
Sent: Tuesday, August 14, 2001 3:10 PM
Subject: Re: ZyXEL Prestige 642 Router Administration Interface Vulnerability
ooops,
I found one minor bug in my filter "plug-in" settings in menu 11.5,
if the device filter set #4 (PPPoE) is set, then no normal PPPoA
traffic can work. So I removed that #4 from menu 11.5 now again
and uploaded for all three models P641R11, P642R13 and P642R61
the revision "r2" to our FTP server.
best regards,
Manfred Recla (ZyXEL Austria - Technical Support)
**********************************************************
ZyXEL Communications Services GmbH.
Thaliastrasse 125a/2/2/4
A-1160 Vienna, AUSTRIA
Tel: +43-1-4948677-0, Fax: +43-1-4948678
Hotline: 0810-1-ZyXEL (= 0810-1-99935), Regionaltarif
eMail: support@zyxel.at
**********************************************************
----- Original Message -----
From: "ZyXEL.AT, Manfred Recla" <mr@zyxel.at>
To: "Jimmy Jensen" <jj@zyxel.dk>; <fchang@zyxel.com.tw>
Cc: <chfan@zyxel.com.tw>; <mtseng@zyxel.com.tw>; "ZASTECH" <zastech@zyxel.dk>; "FAE @ ZyXEL Europe" <fae@europe.zyxel.com>
Sent: Tuesday, August 14, 2001 2:15 PM
Subject: Re: ZyXEL Prestige 642 Router Administration Interface Vulnerability
Dear all,
I reworked the default config files for the routers and uploaded
the files to our FTP server now.
P642R-11 ..... v2.50(AJ.2)r1
P642R-13 ..... v2.50(AL.0)r1
P642R-61 ..... v2.50(AN.1)r1
the added extension "r1" means "revision 1" (or also "recla 1").
I modified and added the filters in menu 21 and inserted them to 3.1
and 11.5 and I slightly modified the autoexec.net as described below.
In menu 21 I defined the following filter sets:
-----------------------------------------------
  #1) NetBIOS_LAN
  #2) NetBIOS_WAN
  #3) TEL_FTP_WEB_WAN
  #4) PPPoE
  #5) SNMP_WAN

In menu 3.1) "General Ethernet Setup"
--------------------------------------
  Input Filter Sets:
    protocol filters= 2
    device filters=
  Output Filter Sets:
    protocol filters=
    device filters=

In menu 11.5) "Remote Node Filter"
------------------------------------
  Input Filter Sets:
    protocol filters= 5, 3
    device filters= 4
  Output Filter Sets:
    protocol filters= 1
    device filters=

sys edit autoexec.net
---------------------
sys errctl 0
sys trcl level 5
sys trcl type 1180
sys trcp cr 64 96
sys trcl sw off <<<- modified from "on" to "off"
sys trcp sw off <<<- modified from "on" to "off"
ip tcp mss 512
ip tcp limit 2
ip tcp irtt 65000
ip tcp window 2
ip tcp ceiling 6000
ip rip activate
ip rip merge on
ip icmp discovery enif0 off
sys wd sw off <<--- added this line
ppp ipcp compress off <<--- added this line
EOF
best regards,
Manfred Recla (ZyXEL Austria - Technical Support)
----- Original Message -----
From: "Jimmy Jensen" <jj@zyxel.dk>
To: <fchang@zyxel.com.tw>
Cc: <chfan@zyxel.com.tw>; <mtseng@zyxel.com.tw>; <mr@zyxel.at>; "ZASTECH" <zastech@zyxel.dk>
Sent: Monday, August 13, 2001 5:20 PM
Subject: ZyXEL Prestige 642 Router Administration Interface Vulnerability
FYI,
The following is taken from http://www.securityfocus.com
It describes a vulnerability because of missing filters in P642R.
I checked the new beta and saw that now these filters are applied by
default. Good!
But what about the many customers who already bought P642R ?
(See the PASSWORDS section) of the report.
ZyXEL Prestige 642R: Exposed Admin Services on WAN with Default Password
[ my original BugTraq posting here... ]
--
Daniel Roethlisberger <daniel@roe.ch>
PGP Key ID 0x8DE543ED with fingerprint
6C10 83D7 2BB8 D908 10AE 7FA3 0779 0355 8DE5 43ED
With kind regards - Med venlig hilsen
Jimmy Jensen - ZyXEL Communication A/S
Columbusvej 5, DK - 2860 Søborg
Phone (+45) 39550700 - Fax (+45) 39550707
Support Phone (+45) 39550785
Did you check http://www.zyxel.dk today?
--- end of original message ---
--
Daniel Roethlisberger <daniel@roe.ch>
PGP Key ID 0x8DE543ED with fingerprint
6C10 83D7 2BB8 D908 10AE 7FA3 0779 0355 8DE5 43ED
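
Added example (not part of the original posting or of ZyXEL's firmware): a small Python check over the r1 listing quoted above. It confirms that the remote node input filters include the TEL_FTP_WEB_WAN and SNMP_WAN sets, and it flags the PPPoE device filter that the r2 follow-up removed. Set names are taken at face value; the rules inside each set are not on the page and are not inspected.

```python
import re
# Listing transcribed from the r1 message above (filter sets and where they are applied).
R1_CONFIG = """\
#1) NetBIOS_LAN
#2) NetBIOS_WAN
#3) TEL_FTP_WEB_WAN
#4) PPPoE
#5) SNMP_WAN
In menu 3.1) "General Ethernet Setup"
Input Filter Sets:
protocol filters= 2
device filters=
Output Filter Sets:
protocol filters=
device filters=
In menu 11.5) "Remote Node Filter"
Input Filter Sets:
protocol filters= 5, 3
device filters= 4
Output Filter Sets:
protocol filters= 1
device filters=
"""

def parse(text):
    """Return (sets, applied); applied maps (menu, direction, kind) -> set names."""
    sets, applied, menu, direction = {}, {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"#(\d+)\)\s*(\S+)", line):
            sets[int(m.group(1))] = m.group(2)
        elif m := re.match(r"In menu ([\d.]+)\)", line):
            menu = m.group(1)
        elif m := re.match(r"(Input|Output) Filter Sets:", line):
            direction = m.group(1).lower()
        elif m := re.match(r"(protocol|device) filters=\s*(.*)", line):
            nums = [int(n) for n in re.findall(r"\d+", m.group(2))]
            applied[(menu, direction, m.group(1))] = [sets.get(n, f"#{n}") for n in nums]
    return sets, applied

def audit(text):
    """Findings for the remote node (menu 11.5), following the thread above."""
    _, applied = parse(text)
    wan_in = applied.get(("11.5", "input", "protocol"), [])
    findings = [f"{name} not applied to remote node input"
                for name in ("TEL_FTP_WEB_WAN", "SNMP_WAN") if name not in wan_in]
    if "PPPoE" in applied.get(("11.5", "input", "device"), []):
        findings.append("PPPoE device filter on remote node input blocks PPPoA (removed in r2)")
    return findings
```

Running audit() on the r1 listing reports only the PPPoE device filter; with that entry cleared, as in r2, it reports nothing.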