DLINK 614+ - SOHO routers, DHCP service DOS

[Gregory Duchemin <c3rb3r () sympatico ca>]

TITLE: DLINK 614+ - SOHO routers, DHCP service DOS  (http://www.dlink.com)

TYPE: signedness bug

QUOTE from DLINK:

The AirPlus DI-614+ combines the latest advancements in 802.11b
silicon chip
design from Texas Instruments, utilizing their patented Digital Signal
ProcessingTM technology, and D-Link?s own robust firewall security
features.
...
A simple yet intelligent, web-based setup wizard makes the DI-614+
easy for any
user to quickly and securely connect computers to share a high-speed
Internet
connection, files, resources, games or just to communicate. An
integrated 4-port
switch allows direct connection of up to four computers. Several wireless
clients can also securely connect to the network using 64, 128, or
256-bit
encryption.
...
The D-Link AirPlus DI-614+ is the ideal networking solution for small
offices,
home offices, schools, coffee shops and other small businesses that
cater to the
public.



DETAILS:


The DI614+ SOHO router (latest firmware rev 2.30) suffers a signedness bug
in its DHCP implementation.

The DHCP option "LEASETIME" is an unsigned 32 bits
integer used both by the client and the server respectively to ask and set the lease
duration time (expressed in seconds)

quoted from RFC2132:

"9.2. IP Address Lease Time This option is used
in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client
to request a lease time for the IP address. In a server reply
(DHCPOFFER), a DHCP server uses this option to specify the lease time
it is willing to offer.
Alexander & Droms Standards Track [Page 25]
RFC 2132 DHCP Options and BOOTP Vendor Extensions March 1997 The time
is in units of seconds, and is specified as a 32-bit unsigned integer.
The code for this option is 51, and its length is 4.
"

Unfortunately, it appears that DLINK's DI614+ uses a signed
integer to store this option before comparing it with the one  
set in the web based management interface.
This comparaison determines if a requested lease time is
lesser or equal to the maximal lease time set by the administrator
and thus if it can be granted as requested by the client or instead fixed 
to its maximal value. 

This signedness bug can be triggered by sending a negative integer, so
starting from 0x80000000 up to 0xffffffff (-1) in the client's LEASETIME option.

For instance, using value 0xffffffff ((unsigned) 4 294 967 295
<=> (signed) -1), the comparaison returns true because -1 is lesser
than any possible server's lease time, but while processing the new lease entry, 
the DI614+ actually grants it with a 13+ years lease time instead of the maximal value
as defined by the box's administrator.

Other values lesser than -1 (between 0x80000000 and
0xfffffffe) seem to be just discarded during the lease registering process but are
however left untouched in the daemon's DHCP OFFER reply.

Because the DI614+ doesn't require a full DHCP handshake to register a new lease but
instead will be plain satisfied with a single DISCOVER packet including a REQUESTIP option, 
checking for either a different mac address or CLIENTID option before creating a new lease entry, 
it is straightforward, fast and quite easy to fill up the scope with boggus entries 
in a few seconds making the DHCP service unusable for 13+ years or until the next reboot.

Note that a reboot will clear any existing lease (as well as logs) and 
may introduce a subsequent chaos between DHCP clients.

DLINK 614+ is used, among others, by coffee shops, therefore a
successful exploitation may have very disturbing effects.


EXPLOITATION:

This bug can be triggered from both wire and wireless networks.


VENDOR:

DLINK's support staff has been contacted by May 24th but doesn't bother to reply


WORKAROUND:
Static leasing


VULNERABLE:

firmware up to rev 2.30 (latest)



AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)