[24638] in bugtraq
ZyXEL ZyWALL10 DoS
daemon@ATHENA.MIT.EDU (=?iso-8859-1?Q?Knud_Erik_H=F8jgaar)
Tue Mar 12 17:32:26 2002
Content-Class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Date: Mon, 11 Mar 2002 12:21:56 +0100
Message-ID: <6096F6426539904EB650ED340F28450BCCBE07@Helium.cc.CyberCity.dk>
From: =?iso-8859-1?Q?Knud_Erik_H=F8jgaard?= <knud@cybercity.dk>
To: <bugtraq@securityfocus.com>
Content-Transfer-Encoding: 8bit
[vendor status]
About half a year ago I found a 'funny' DoS condition in the ZyWALL10. ZyXEL was informed, and they at least confirmed the bug, but i believe that's all i heard. According to www.zyxel.com a new firmware for the ZyWALL10 was released 2002/01/10 - i wrote an email to a ZyXEL employee, and the bug is fixed in this version.
[description]
The DoS is simple, using nemesis-arp (from The NEMESIS Project) or a similar tool (like arp-fun) it's possible to make the firewall drop its LAN connection.
If you send an arp packet containing some bogus/random MAC address and the firewalls ip to the firewalls lan interface the firewall will 'down' the lan interface and never 'up' it again. The firewall needs a powercycle to restore function, but thats not all. The firewall never 'reopens' the lan interface, so you need to connect via a console cable, go to the lan setup menu, and press enter a few times to 'confirm' the settings to get it back in working order. Sort of a pain in the rear if the firewall is behind a locked door..
[reproduction]
nemesis-arp -S 10.0.0.1 -D 10.0.0.1 -h de:ad:ba:be:f0:0d -d ed1
(in this case the firewall's IP is 10.0.0.1 and the ethernet adapter is ed1)
[hello]
Manzon, Merkinball, SiGNOUT, evilpoo, ewadoh, |ole|, zaarnik, ZyXEL.
[bye]
From me, Knud Erik Højgaard.
