SV: Zyxel / Netgear and probably other routers leaking information.

To: "Viktor E Larionov" <viktor@xxxxxxxxx>
Subject: SV: Zyxel / Netgear and probably other routers leaking information.
From: "Jens Kalvik" <Jens.Kalvik@xxxxxxxxx>
Date: Tue, 1 Feb 2005 08:56:15 +0100
Cc: <bugtraq@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcUH2TvDAGVLOGImRGuSxa3kGqKfrwAV1GHw
Thread-topic: Zyxel / Netgear and probably other routers leaking information.

Hi!

I was a bit quick on this, it seems as Zyxels routers latest firmware solves 
the problem. We made an upgrade from an older firmware to the latest, but 
forgot to empty the arp cache on the computer, so it looked as the problem was 
still there. But the problem with Netgear RT311 and RT314 is still there, and 
they even respond when I ping the LAN side from the WAN side. The firmware used 
on the Netgear routers are  V3.26(CA.0), this firmware was mailed to me by 
Netgear, but does not solve the problem. To make it easier for you to 
understand what I mean you can also see it like this: 

1. Configure a computer to be able to surf the Internet using the router as 
protection.
2. Move the computer from LAN side to WAN side of the router without changing 
IP configuration.

When you ping the LAN side from the WAN side there will still be an answer, so 
the router is leaking.

-----Ursprungligt meddelande-----
Från: Viktor E Larionov [mailto:viktor@xxxxxxxxx] 
Skickat: den 31 januari 2005 22:10
Till: Jens Kalvik
Kopia: bugtraq@xxxxxxxxxxxxxxxxx
Ämne: Re: Zyxel / Netgear and probably other routers leaking information.


Hey Jens,
In general Zyxel is not as it used to be. We had a lot of problems with their 
wlan equipment, not working as it should.

> the result must be that if I send a packet with the same destination 
> IP as the routers LAN IP, I will get an ARP reply from the WAN side. 
> This can be used to get information about which IP adresses are used 
> on the LAN side when you are sitting on the WAN side. It
- Hmmmm sounds quite strange, if you know the lan ip of the router why do you 
need to know the structure of ips used inside ? They are as well in the same 
subnet as the routers lan adress.
- Concerning that other issue on pinging from WAN - well i belive that it 
shouldn't work at all - just because you use different subnets on the client 
machine and a routers WAN interface, the routers key problem is that as i 
understand it doesn't make a difference from which port is the packet coming, 
as far as he has a valid source-ip that is allocated on whatever subnet which 
is connected to whatever port on the router, then the router will answer him 
from the ip on the same subnet as the client machine. Well i really belive it's 
a peculiar behaviour not more than that.


---
"To beer, or not to beer ?" /*ShakesBeer*/

WBR,
Mr. Victor E Larionov
system administrator

Esknet Ltd.
Gonsiori 33, 10147, Tallinn

Tel:    +372 6010248
Fax:    +372 6050293
GSM:    +372 53496972
E-mail: viktor@xxxxxxxxx

Prev by Date: Re: [Full-Disclosure] [ GLSA 200501-40 ] ngIRCd: Buffer overflow
Next by Date: [ GLSA 200502-05 ] Newspost: Buffer overflow vulnerability
Previous by thread: Zyxel / Netgear and probably other routers leaking information.
Next by thread: New Whitepaper available on security best practices
Index(es):
- Date
- Thread