Re: DLINK 614+ - SOHO routers, system DOS

[Gregory Duchemin <c3rb3r () sympatico ca>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
the flaws reported to DLINK on May 24th and posted to bugtraq have
been tested on a DI614+ revision A (arm7/2 antennas) firmware 2.30,
i have omitted to mention it so please update ...

However:
Rev A's latest firmware available is still 2.30 and therefore IS
vulnerable.
http://support.dlink.com/products/view.asp?productid=DI%2D614%2B
http://support.dlink.ca/ProductView.asp?ProdID=220

for Rev B it seems thay have silently released a new firmware 3.41 on
June 8
http://support.dlink.com/products/view.asp?productid=DI%2D614%2B%5FrevB
http://support.dlink.ca/ProductView.asp?ProdID=221

So according to this rep,  the flaw was also affecting revision B (as
expected) and was fixed on June 8
but in this case, what are they waiting for to patch Rev A ?

Also have you asked him about the script injection issues affecting
_at least_ their 704 and 614+ rev A and likely several other models ?
Gregory


p dont think wrote:

| FWIW, on a recent call to D-Link tech support, the rep I talked to
| went to ask someone about it, came back and said that it was an
| issue that was limited to the 604 and 614 and was fixed in the
| latest firmware release (sorry, I didn't get a version number).  I
| don't have a 614, so cannot verify.
|
| - Paul
|
|

| TITLE: DLINK 614+ - SOHO routers, system DOS
| (http://www.dlink.com)
|
| TYPE: ressources starvation / system denial of service
|
| QUOTE from DLINK:
|
| The AirPlus DI-614+ combines the latest advancements in 802.11b
| silicon chip design from Texas Instruments, utilizing their
| patented Digital Signal ProcessingTM technology, and D-Link's own
| robust firewall security features. ... The D-Link AirPlus DI-614+
| is the ideal networking solution for small offices, home offices,
| schools, coffee shops and other small businesses that cater to the
| public.
|
|
| DETAILS:
|
| The DI614+ SOHO router (latest firmware rev 2.30) will automaticaly
|  reboot when flooded with valid DHCP REQUEST packets built with
| forged source mac addresses or unique CLIENTID and sent without any
| REQUESTEIP option. Upon reception of this kind of requests, DLINK's
| DI614+ normally behaves by checking if a lease is available and
| then reply by offering an ip address along with other network
| settings as configured through the web base interface. However if
| such packets are sent at a good enough rate, the DLINK box will be
| left in an unstable state immediately followed by a system reboot.
| Timing is quite important here and make me thinking that too much
| simultaneous requests force the SOHO router to eventually allocate
| too much memory and thus to reboot. It is actually hard to know
| with precision where the problem actually lives since no sources
| are made available for public.
|
| Note that a reboot will clear any existing lease (as well as logs)
| and may introduce a subsequent chaos between DHCP clients. Also
| note that only few seconds are necessary to DOS the box this way,
| even less time than needed by the system to reboot. So it is a
| condition of permanent denial of service.
|
| DLINK 614+ is used, among others, by coffee shops, therefore a
| successful exploitation may have very disturbing effects.
|
|
| EXPLOITATION:
|
| This bug will NOT be triggered if a REQUESTIP DHCP option is sent
| along with the request or if no ip address is available for dynamic
| lease at the time of the attack.
|
| Also for a successful exploitation, packets must be sent at a high
| enough rate (ie: 50 packets/s is working)
|
|
| VENDOR:
|
| DLINK's support staff has been contacted by May 24th but doesn't
| bother to reply
|
|
| WORKAROUND:
|
| Use static leasing only and/or disable DLINK's DHCP service
|
|
| VULNERABLE:
|
| firmware up to rev 2.30 (latest)
|
|
|
| AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFA4MWQ9K2fGbOmSdYRAuKfAJsEDfHL2Gm654LRyZdyZVd2IzU/vACdEhF8
8pptQuLcKHz+ECgCDvViKhA=
=/bD/
-----END PGP SIGNATURE-----