lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <40DF86D3.4070300@sympatico.ca>
Date: Sun, 27 Jun 2004 19:47:47 -0700
From: Gregory Duchemin <c3rb3r@...patico.ca>
To: bugtraq@...urityfocus.com
Subject: DLINK 614+ - SOHO routers, system DOS


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
TITLE: DLINK 614+ - SOHO routers, system DOS  (http://www.dlink.com)

TYPE: ressources starvation / system denial of service

QUOTE from DLINK:

The AirPlus DI-614+ combines the latest advancements in 802.11b
silicon chip
design from Texas Instruments, utilizing their patented Digital Signal
ProcessingTM technology, and D-Link's own robust firewall security
features.
...
The D-Link AirPlus DI-614+ is the ideal networking solution for small
offices,
home offices, schools, coffee shops and other small businesses that
cater to the
public.


DETAILS:

The DI614+ SOHO router (latest firmware rev 2.30) will automaticaly
reboot when flooded with valid DHCP REQUEST packets
built with forged source mac addresses or unique CLIENTID and sent
without any REQUESTEIP option.
Upon reception of this kind of requests, DLINK's DI614+ normally
behaves by checking if a lease is available
and then reply by offering an ip address along with other network
settings as configured through the web base interface.
However if such packets are sent at a good enough rate, the DLINK box
will be left in an unstable state immediately followed by a system reboot.
Timing is quite important here and make me thinking that too much
simultaneous requests force the SOHO router to eventually allocate
too much memory and thus to reboot.
It is actually hard to know with precision where the problem actually
lives since no sources are made available for public.

Note that a reboot will clear any existing lease (as well as logs) and
may introduce a subsequent chaos between DHCP clients.
Also note that only few seconds are necessary to DOS the box this way,
even less time than needed by the system to reboot.
So it is a condition of permanent denial of service.

DLINK 614+ is used, among others, by coffee shops, therefore a
successful exploitation may have very disturbing effects.


EXPLOITATION:

This bug will NOT be triggered if a REQUESTIP DHCP option is sent
along with the request
or if no ip address is available for dynamic lease at the time of the
attack.

Also for a successful exploitation, packets must be sent at a high
enough rate (ie: 50 packets/s is working)


VENDOR:

DLINK's support staff has been contacted by May 24th but doesn't
bother to reply


WORKAROUND:

Use static leasing only and/or disable DLINK's DHCP service


VULNERABLE:

firmware up to rev 2.30 (latest)



AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
iD8DBQFA34bT9K2fGbOmSdYRAu2OAJ9bHrnk0ExcYMEJXZZROUX60vdkLACeNFTV
mF/uH+rt929VhMDxuysJPug=
=jTkm
-----END PGP SIGNATURE-----



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ