[<prev] [next>] [day] [month] [year] [list]
Message-ID: <40E73B95.3080109@sympatico.ca>
Date: Sat, 03 Jul 2004 16:04:53 -0700
From: Gregory Duchemin <c3rb3r@...patico.ca>
To: p dont think <pdontthink@...rynerds.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: DLINK 614+ - SOHO routers, system DOS
Hello,
a followup concerning the two DOSes that were found affecting DLINK's DI
614+ model.
I finally got a chance to test a DI624 revision B and i can confirm that
this model is affected by the exact
same flaws. (signedness bug/service DOS and flood/system DOS)
While it is not quite a surprise, i'm still at lost to understand why
they said this issue was limited to their 604 and 614 models
and even more surprised since they have asked me for my tool, 3 days
ago, in order to be able to reproduce the DOSes. ;-)
So DI-624 owners, please update ...
Gregory
p dont think wrote:
> FWIW, on a recent call to D-Link tech support, the rep I talked to
> went to ask someone about it, came back and said that it was an issue
> that was limited to the 604 and 614 and was fixed in the latest
> firmware release (sorry, I didn't get a version number). I don't have
> a 614, so cannot verify.
>
> - Paul
>
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> TITLE: DLINK 614+ - SOHO routers, system DOS (http://www.dlink.com)
>>
>> TYPE: ressources starvation / system denial of service
>>
>> QUOTE from DLINK:
>>
>> The AirPlus DI-614+ combines the latest advancements in 802.11b
>> silicon chip
>> design from Texas Instruments, utilizing their patented Digital Signal
>> ProcessingTM technology, and D-Link's own robust firewall security
>> features.
>> ...
>> The D-Link AirPlus DI-614+ is the ideal networking solution for small
>> offices,
>> home offices, schools, coffee shops and other small businesses that
>> cater to the
>> public.
>>
>>
>> DETAILS:
>>
>> The DI614+ SOHO router (latest firmware rev 2.30) will automaticaly
>> reboot when flooded with valid DHCP REQUEST packets
>> built with forged source mac addresses or unique CLIENTID and sent
>> without any REQUESTEIP option.
>> Upon reception of this kind of requests, DLINK's DI614+ normally
>> behaves by checking if a lease is available
>> and then reply by offering an ip address along with other network
>> settings as configured through the web base interface.
>> However if such packets are sent at a good enough rate, the DLINK box
>> will be left in an unstable state immediately followed by a system
>> reboot.
>> Timing is quite important here and make me thinking that too much
>> simultaneous requests force the SOHO router to eventually allocate
>> too much memory and thus to reboot.
>> It is actually hard to know with precision where the problem actually
>> lives since no sources are made available for public.
>>
>> Note that a reboot will clear any existing lease (as well as logs) and
>> may introduce a subsequent chaos between DHCP clients.
>> Also note that only few seconds are necessary to DOS the box this way,
>> even less time than needed by the system to reboot.
>> So it is a condition of permanent denial of service.
>>
>> DLINK 614+ is used, among others, by coffee shops, therefore a
>> successful exploitation may have very disturbing effects.
>>
>>
>> EXPLOITATION:
>>
>> This bug will NOT be triggered if a REQUESTIP DHCP option is sent
>> along with the request
>> or if no ip address is available for dynamic lease at the time of the
>> attack.
>>
>> Also for a successful exploitation, packets must be sent at a high
>> enough rate (ie: 50 packets/s is working)
>>
>>
>> VENDOR:
>>
>> DLINK's support staff has been contacted by May 24th but doesn't
>> bother to reply
>>
>>
>> WORKAROUND:
>>
>> Use static leasing only and/or disable DLINK's DHCP service
>>
>>
>> VULNERABLE:
>>
>> firmware up to rev 2.30 (latest)
>>
>>
>>
>> AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.2.4 (MingW32)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iD8DBQFA34bT9K2fGbOmSdYRAu2OAJ9bHrnk0ExcYMEJXZZROUX60vdkLACeNFTV
>> mF/uH+rt929VhMDxuysJPug=
>> =jTkm
>> -----END PGP SIGNATURE-----
>
>
Powered by blists - more mailing lists