lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <40D69E6B.6050606@sympatico.ca>
Date: Mon, 21 Jun 2004 01:38:03 -0700
From: c3rb3r <c3rb3r@...patico.ca>
To: bugtraq@...urityfocus.com
Subject: DLINK 704, script injection vulnerability


TITLE: Security flaw in DLINK 704 - SOHO routers (http://www.dlink.com)

TYPE: Script injection over DHCP

QUOTE from DLINK (actually for the DLINK 704p):

The DI-704P is an Ethernet Broadband Router with a built-in 4-port switch. It 
also features a parallel port to share a printer on the home or office network 
and includes a print server application for Windows*. As many as four computers 
can be connected to the router’s integrated switch, using its four 10/100Mbps 
AutoMDIX Ethernet ports. The DI-704P package even includes an Ethernet cable to 
get you started. 
...
So, whether you are a college student who wants to network with friends and 
roommates, an executive working at home or in a small office, or a concerned 
parent who just wants to have more control over how your children access the 
Internet, then the D-Link Express EtherNetwork^TM  DI-704P is the 
networking solution for you, even if you don’t know anything about networking. 


DETAILS:


The DI-704 SOHO router (latest firmware rev 2.60B2) suffers a "script
injection over dhcp" vulnerability.
Using DHCP as a vector, arbitrary and malicious scripting can be
injected into the DHCP/fixed mapping and logs pages (if enabled)

Scripting sent in such a way will be executed on behalf of the unaware
administrator when he consult the web based management interface and may
lead to the complete compromising of the firewall/router giving full access to the administrative account.

Like the DI-614+, DLINK's DI-704 does not filter data passed to it through the DHCP
HOSTNAME option and doesn't even bother truncating this string making exploitation even faster
in one packet. 

Among possible malicious actions, one can:

- Set snmp read/write communities of his choice and bindings them on the
external interface (not really exciting though)
- Redirect the page DHCP/fixed mapping to a malicious site presenting a fake DI-704 timeout/relogin page to get
the admin password (clearly better)

Because the DI-704 has no wireless interface attached, risk is moderate, 
still a successful exploitation may have critical impacts. 


EXPLOITATION:

one valid DHCP REQUEST carrying a malicious HOSTNAME, that's it.


VENDOR:

DLINK's support staff has been contacted by May 24th but didn't reply on this issue
It looks like the DI-704 has been discontinued, however a quick glance into the firmware reveals 
several references to other DLINK models as well. 
In other words it is likely that several other models are affected by this very same problem.  


WORKAROUND:
Use static leasing only (it fixes the hostname) otherwise just use a
real dhcpd daemon (and disable DLINK dhcpd)


VULNERABLE:

firmware up to rev 2.60B2 (latest)



AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)






Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ