Re: DLINK 614+ - SOHO routers, system DOS

[Gregory Duchemin <c3rb3r () sympatico ca>]

Hello,
a followup concerning the two DOSes that were found affecting DLINK's DI 
614+ model.
I finally got a chance to test a DI624 revision B and i can confirm that 
this model is affected by the exact
same flaws. (signedness bug/service DOS and flood/system DOS)
While it is not quite a surprise, i'm still at lost to understand why 
they said this issue was limited to their 604 and 614 models
and even more surprised since they have asked me for my tool, 3 days 
ago, in order to be able to reproduce the DOSes. ;-)
So DI-624 owners, please update ...

Gregory



p dont think wrote:

> FWIW, on a recent call to D-Link tech support, the rep I talked to 
> went to ask someone about it, came back and said that it was an issue 
> that was limited to the 604 and 614 and was fixed in the latest 
> firmware release (sorry, I didn't get a version number).  I don't have 
> a 614, so cannot verify.
>
>  - Paul
>
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > TITLE: DLINK 614+ - SOHO routers, system DOS  (http://www.dlink.com)
> >
> > TYPE: ressources starvation / system denial of service
> >
> > QUOTE from DLINK:
> >
> > The AirPlus DI-614+ combines the latest advancements in 802.11b
> > silicon chip
> > design from Texas Instruments, utilizing their patented Digital Signal
> > ProcessingTM technology, and D-Link's own robust firewall security
> > features.
> > ...
> > The D-Link AirPlus DI-614+ is the ideal networking solution for small
> > offices,
> > home offices, schools, coffee shops and other small businesses that
> > cater to the
> > public.
> >
> >
> > DETAILS:
> >
> > The DI614+ SOHO router (latest firmware rev 2.30) will automaticaly
> > reboot when flooded with valid DHCP REQUEST packets
> > built with forged source mac addresses or unique CLIENTID and sent
> > without any REQUESTEIP option.
> > Upon reception of this kind of requests, DLINK's DI614+ normally
> > behaves by checking if a lease is available
> > and then reply by offering an ip address along with other network
> > settings as configured through the web base interface.
> > However if such packets are sent at a good enough rate, the DLINK box
> > will be left in an unstable state immediately followed by a system 
> > reboot.
> > Timing is quite important here and make me thinking that too much
> > simultaneous requests force the SOHO router to eventually allocate
> > too much memory and thus to reboot.
> > It is actually hard to know with precision where the problem actually
> > lives since no sources are made available for public.
> >
> > Note that a reboot will clear any existing lease (as well as logs) and
> > may introduce a subsequent chaos between DHCP clients.
> > Also note that only few seconds are necessary to DOS the box this way,
> > even less time than needed by the system to reboot.
> > So it is a condition of permanent denial of service.
> >
> > DLINK 614+ is used, among others, by coffee shops, therefore a
> > successful exploitation may have very disturbing effects.
> >
> >
> > EXPLOITATION:
> >
> > This bug will NOT be triggered if a REQUESTIP DHCP option is sent
> > along with the request
> > or if no ip address is available for dynamic lease at the time of the
> > attack.
> >
> > Also for a successful exploitation, packets must be sent at a high
> > enough rate (ie: 50 packets/s is working)
> >
> >
> > VENDOR:
> >
> > DLINK's support staff has been contacted by May 24th but doesn't
> > bother to reply
> >
> >
> > WORKAROUND:
> >
> > Use static leasing only and/or disable DLINK's DHCP service
> >
> >
> > VULNERABLE:
> >
> > firmware up to rev 2.30 (latest)
> >
> >
> >
> > AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.4 (MingW32)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >
> > iD8DBQFA34bT9K2fGbOmSdYRAu2OAJ9bHrnk0ExcYMEJXZZROUX60vdkLACeNFTV
> > mF/uH+rt929VhMDxuysJPug=
> > =jTkm
> > -----END PGP SIGNATURE-----