D-Link DI-614+ DHCP LEASETIME Integer Overflow Lets Remote Users Deny Service
SecurityTracker Alert ID: 1010601|
SecurityTracker URL: http://securitytracker.com/id/1010601
(Links to External Site)
Updated: Jul 15 2004|
Original Entry Date: Jun 28 2004
Denial of service via network|
Exploit Included: Yes |
Version(s): DI-614+; Firmware version 2.30|
An integer overflow vulnerability was reported in the D-Link DI-614+ router in the DHCP implementation. A remote user can cause the router to become unusable.|
Gregory Duchemin reported that the router uses a 32-bit signed integer variable to hold the LEASETIME value, which is specified as a 32-bit unsigned integer by RFC 2132. A remote user can reportedly send a negative integer value to cause the router to grant a DHCP lease with a lease time of 13 years instead of the maximum value specified by the router's administrator.
A remote user can send multiple DISCOVER packets to cause the entire lease table to fill up, rendering the DHCP service unusable, the report said.
A reboot is required to return to normal operations.
The vendor was reportedly notified on May 24, 2004 without response.
A remote user on either the wired or wireless interfaces can consume all available DHCP leases on the target router.|
No solution was available at the time of this entry.|
Vendor URL: www.dlink.com/ (Links to External Site)
Boundary error, State error|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Subject: DLINK 614+ - SOHO routers, DHCP service DOS|
TITLE: DLINK 614+ - SOHO routers, DHCP service DOS (http://www.dlink.com)
TYPE: signedness bug
QUOTE from DLINK:
The AirPlus DI-614+ combines the latest advancements in 802.11b
design from Texas Instruments, utilizing their patented Digital Signal
ProcessingTM technology, and D-Link?s own robust firewall security
A simple yet intelligent, web-based setup wizard makes the DI-614+
easy for any
user to quickly and securely connect computers to share a high-speed
connection, files, resources, games or just to communicate. An
switch allows direct connection of up to four computers. Several wireless
clients can also securely connect to the network using 64, 128, or
The D-Link AirPlus DI-614+ is the ideal networking solution for small
home offices, schools, coffee shops and other small businesses that
cater to the
The DI614+ SOHO router (latest firmware rev 2.30) suffers a signedness bug
in its DHCP implementation.
The DHCP option "LEASETIME" is an unsigned 32 bits
integer used both by the client and the server respectively to ask and set the lease
duration time (expressed in seconds)
quoted from RFC2132:
"9.2. IP Address Lease Time This option is used
in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client
to request a lease time for the IP address. In a server reply
(DHCPOFFER), a DHCP server uses this option to specify the lease time
it is willing to offer.
Alexander & Droms Standards Track [Page 25]
RFC 2132 DHCP Options and BOOTP Vendor Extensions March 1997 The time
is in units of seconds, and is specified as a 32-bit unsigned integer.
The code for this option is 51, and its length is 4.
Unfortunately, it appears that DLINK's DI614+ uses a signed
integer to store this option before comparing it with the one
set in the web based management interface.
This comparaison determines if a requested lease time is
lesser or equal to the maximal lease time set by the administrator
and thus if it can be granted as requested by the client or instead fixed
to its maximal value.
This signedness bug can be triggered by sending a negative integer, so
starting from 0x80000000 up to 0xffffffff (-1) in the client's LEASETIME option.
For instance, using value 0xffffffff ((unsigned) 4 294 967 295
<=> (signed) -1), the comparaison returns true because -1 is lesser
than any possible server's lease time, but while processing the new lease entry,
the DI614+ actually grants it with a 13+ years lease time instead of the maximal value
as defined by the box's administrator.
Other values lesser than -1 (between 0x80000000 and
0xfffffffe) seem to be just discarded during the lease registering process but are
however left untouched in the daemon's DHCP OFFER reply.
Because the DI614+ doesn't require a full DHCP handshake to register a new lease but
instead will be plain satisfied with a single DISCOVER packet including a REQUESTIP option,
checking for either a different mac address or CLIENTID option before creating a new lease entry,
it is straightforward, fast and quite easy to fill up the scope with boggus entries
in a few seconds making the DHCP service unusable for 13+ years or until the next reboot.
Note that a reboot will clear any existing lease (as well as logs) and
may introduce a subsequent chaos between DHCP clients.
DLINK 614+ is used, among others, by coffee shops, therefore a
successful exploitation may have very disturbing effects.
This bug can be triggered from both wire and wireless networks.
DLINK's support staff has been contacted by May 24th but doesn't bother to reply
firmware up to rev 2.30 (latest)
AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)