SV: Zyxel / Netgear and probably other routers leaking information.
Hi!
I was a bit quick on this, it seems as Zyxels routers latest firmware solves
the problem. We made an upgrade from an older firmware to the latest, but
forgot to empty the arp cache on the computer, so it looked as the problem was
still there. But the problem with Netgear RT311 and RT314 is still there, and
they even respond when I ping the LAN side from the WAN side. The firmware used
on the Netgear routers are V3.26(CA.0), this firmware was mailed to me by
Netgear, but does not solve the problem. To make it easier for you to
understand what I mean you can also see it like this:
1. Configure a computer to be able to surf the Internet using the router as
protection.
2. Move the computer from LAN side to WAN side of the router without changing
IP configuration.
When you ping the LAN side from the WAN side there will still be an answer, so
the router is leaking.
-----Ursprungligt meddelande-----
Från: Viktor E Larionov [mailto:viktor@xxxxxxxxx]
Skickat: den 31 januari 2005 22:10
Till: Jens Kalvik
Kopia: bugtraq@xxxxxxxxxxxxxxxxx
Ämne: Re: Zyxel / Netgear and probably other routers leaking information.
Hey Jens,
In general Zyxel is not as it used to be. We had a lot of problems with their
wlan equipment, not working as it should.
> the result must be that if I send a packet with the same destination
> IP as the routers LAN IP, I will get an ARP reply from the WAN side.
> This can be used to get information about which IP adresses are used
> on the LAN side when you are sitting on the WAN side. It
- Hmmmm sounds quite strange, if you know the lan ip of the router why do you
need to know the structure of ips used inside ? They are as well in the same
subnet as the routers lan adress.
- Concerning that other issue on pinging from WAN - well i belive that it
shouldn't work at all - just because you use different subnets on the client
machine and a routers WAN interface, the routers key problem is that as i
understand it doesn't make a difference from which port is the packet coming,
as far as he has a valid source-ip that is allocated on whatever subnet which
is connected to whatever port on the router, then the router will answer him
from the ip on the same subnet as the client machine. Well i really belive it's
a peculiar behaviour not more than that.
---
"To beer, or not to beer ?" /*ShakesBeer*/
WBR,
Mr. Victor E Larionov
system administrator
Esknet Ltd.
Gonsiori 33, 10147, Tallinn
Tel: +372 6010248
Fax: +372 6050293
GSM: +372 53496972
E-mail: viktor@xxxxxxxxx