mozerd
Light Will Pierce The Darkness
MVM
join:2004-04-23
Nepean, ON

EXPLOIT Ethereal SIP UDP CSeq overflow

»mysecurity.zyxel.com/mys ··· =8002735

Recommendation Action:

Apply the appropriate vendor supplied patch

Upgrade to the latest non-affected version of the software.

Anyone know what they mean by the above quote:
Which software?
JPedroT
Premium Member
join:2005-02-18

Ethereal, but if you use that, you should change to Wireshark anyway.

bbarrera to mozerd
MVM
join:2000-10-23
Sacramento, CA

The link you provided has some details:
quote:

This event is generated when an attempt is made to exploit a known
vulnerability in Ethereal.

The ZyXEL detected an attack against Ethereal
quote:
In particular, this event indicates that the
exploit was attempted via the processing of tcp packets in a SIP
protocol transaction.

More details about the attack, although it's not clear a) whether Zyxel security routers have Ethereal at all (there is a packet sniffer in Zyxel Linux-based routers), and b) if they do have Ethereal, whether they are affected by this exploit.

Food for thought:
»USG100 dropping SIP connections
JPedroT
Premium Member
join:2005-02-18


Ethereal on an embedded device? That is a ton of memory space you will never get back...

TCPDUMP or maybe even TSHARK are the ones running on the USG; Ethereal needs X Windows and whatnot, if I remember correctly.

It's not in the impossible domain, but it is highly unlikely, since Ethereal is the GUI/analytic layer/tool on top of the pcap libraries.

bbarrera
MVM
join:2000-10-23
Sacramento, CA


Keep in mind that tethereal is the command-line version (like tshark); it doesn't require a GUI, and the exploit appears to be targeting lower-level Ethereal packet inspection (and not GUI layers).

Ethereal/Wireshark are more powerful than tcpdump. I haven't really looked at the ZyWALL and USG packet trace facility for clues as to which is being used... tcpdump, tethereal and tshark all use libpcap.

Agree with your basic premise, that the extra features of command-line-only tethereal or tshark are likely not worth the extra flash space, and therefore USG/ZyWALL routers are more likely to use tcpdump.

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

said by bbarrera:

... haven't really looked at the ZyWALL and USG packet trace facility for clues which is being used...

it's tcpdump

bbarrera
MVM
join:2000-10-23
Sacramento, CA


Thanks, I was hoping you would drop by and answer the question.

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS


Brano wears an S under that doggy skin, but don't tell anyone. Tis a noble task ensuring the titans (BB and JP) stay on Mount OZyxel.