Bugtraq mailing list archives

Re: possible exploit: D-Link DI-804 unauthorized DHCP release from WAN


From: "Roger McLaren" <RMcLaren () vcss k12 ca us>
Date: Thu, 22 Aug 2002 13:22:05 -0700

I have seen this on my DI-804.

The problem is actually broader than just a DoS. Specifically, the
'Device Information' and 'Device Status' pages are accessible without
logging in. 

The device information page lists the device name, firmware version,
and the MAC addresses for both the LAN and WAN interface.

The Device Status page lists the connection information, i.e. WAN IP,
netmask and DNS, allows DHCP release and renew, and displays the local
LAN DHCP log. The DHCP log lists all (not just those allocated by DHCP)
IP addresses on the LAN (it is really more of an ARP table), and their
associated MAC address.

This is especially valuable information if you happen to have a
wireless LAN that uses MAC access control lists.

If you MUST use remote administration, I would strongly suggest
changing the HTTP port and implementing WAN filters.

Roger R. McLaren
Systems Support Analyst
Information Technology Services
Ventura County Superintendent of Schools Office




Jens Jensen <jpj () netcom-usa com> 08/22/02 12:06AM >>>


Problem: malicious user can release DHCP client on D-Link DI-804 router
interrupting network communications

I need some other D-Link DI-804 users (as well as other D-Link routers) to
see if they can reproduce this problem--
With "remote administration" mode enabled to any IP (web interface wide
open on WAN side), it seems that a malicious user can activate DHCP
release/renew without first being authenticated as the admin (privileged
user)

The webpage that I can get to on the D-Link built-in web interface is
http://xxx.xxx.xxx.xxx/release.htm
where xxx.xxx.xxx.xxx is the IP address of your router, specifically for
these purposes, the WAN IP address

firmware: 4.68
device: DI-804

This would be a BAD thing, since an attacker could interrupt communications
on the router.
This can be temporarily fixed by either disabling "remote administration"
or limiting the IP addresses allowed to remote admin.
I have submitted this to D-Link support.
I'm also wondering what other D-Link routers this could affect.

Jens Jensen
MCP, CCNA
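
Added example, not part of either message: a log check a defender could run to spot the exposure described above (admin pages served without login, reachable from any WAN address). It assumes an HTTP-aware sensor or reverse proxy in front of the router's WAN-side web interface that writes Common Log Format; audit(), WATCHED_PATHS, the sample lines and /index.htm are constructed for illustration, and only /release.htm comes from the report.

```python
import ipaddress
import re

# Page named in the report; the Device Information / Device Status paths are
# not given there, so add them once known for your firmware (assumption).
WATCHED_PATHS = {"/release.htm"}

# Common Log Format: host ident authuser [time] "METHOD path proto" status bytes
CLF = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def audit(lines, admin_nets):
    """Flag watched pages served without HTTP auth or fetched from outside admin_nets."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line
        path = m["path"].split("?", 1)[0].lower()  # drop query, ignore case
        if path not in WATCHED_PATHS:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # hostname logged instead of an address
        # authuser "-" with a 2xx status means the page was served with no login
        unauth_ok = m["user"] == "-" and m["status"].startswith("2")
        outside = not any(src in n for n in nets)
        if unauth_ok or outside:
            findings.append({
                "time": m["ts"], "src": str(src), "path": path,
                "served_without_auth": unauth_ok,
                "outside_admin_allowlist": outside,
            })
    return findings

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [22/Aug/2002:00:06:11 -0700] "GET /release.htm HTTP/1.0" 200 812',
    '192.0.2.10 - admin [22/Aug/2002:09:15:02 -0700] "GET /release.htm HTTP/1.0" 200 812',
    '198.51.100.7 - - [22/Aug/2002:00:06:40 -0700] "GET /index.htm HTTP/1.0" 401 0',
    '203.0.113.44 - - [22/Aug/2002:13:01:59 -0700] "GET /RELEASE.HTM?x=1 HTTP/1.0" 401 0',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["192.0.2.0/24"]):
        print(finding)
```

A finding with served_without_auth set is the condition both messages describe; one with only outside_admin_allowlist set shows a probe from an address that the suggested IP restriction or WAN filter would have blocked.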


