SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   D-Link Router
Vendors:   D-Link Systems, Inc.
(Vendor Issues Fix for Rev B) D-Link DI-614+ Router Can Be Crashed With Certain DHCP Requests
SecurityTracker Alert ID:  1010622
SecurityTracker URL:  http://securitytracker.com/id/1010622
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 1 2004
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Model number DI-614+; firmware version 2.30
Description:   A denial of service vulnerability was reported in the D-Link DI-614+ router. A remote user can cause the router to crash.

Gregory Duchemin reported that a remote user can flood the target device with specially crafted DHCP packets to cause the device to become unstable and then reboot.

Packets with forged source MAC addresses or a unique CLIENTID value that are sent without any REQUESTIP option can trigger the flaw, the report said.

The report indicated that sustained traffic of approximately 50 packets per second sent for a few seconds can cause denial of service conditions.

The vendor was reportedly notified on May 24, 2004.
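
For a LAN that still runs an unpatched unit, the traffic pattern described above can be watched for on a monitoring host. The following is an added example, not code from this advisory or from the original report: it parses DHCP payloads and alerts when many distinct client identities send DHCPREQUEST messages without option 50 (Requested IP Address) inside a short window. The 1-second window, the 20-client threshold, all function names and the sample payloads are assumptions constructed for illustration.

```python
import struct
from collections import deque

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie after the 236-byte BOOTP header
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_CLIENT_ID, DHCPREQUEST = 50, 53, 61, 3

def parse_dhcp(payload):
    """Return (chaddr, {option code: value}) for a DHCP UDP payload, or None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    chaddr = payload[28:28 + min(payload[2], 16)]   # hlen bytes of client hardware address
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, carries no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None                             # truncated option
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    return chaddr, opts

class DhcpFloodDetector:
    """Alert when too many distinct clients send DHCPREQUEST without option 50 in a window."""
    def __init__(self, window_s=1.0, max_clients=20):   # assumed thresholds, tune per LAN
        self.window_s, self.max_clients, self.seen = window_s, max_clients, deque()

    def observe(self, ts, payload):
        parsed = parse_dhcp(payload)
        if parsed is None:
            return False
        chaddr, opts = parsed
        if opts.get(OPT_MSG_TYPE) != bytes([DHCPREQUEST]) or OPT_REQUESTED_IP in opts:
            return False
        # Renewals also omit option 50, so the signal is the number of distinct identities.
        self.seen.append((ts, (chaddr, opts.get(OPT_CLIENT_ID))))
        while ts - self.seen[0][0] > self.window_s:
            self.seen.popleft()
        return len({ident for _, ident in self.seen}) > self.max_clients

def constructed_request(n, requested_ip=False):
    """Constructed sample input: a DHCPREQUEST payload for made-up client number n."""
    mac = b"\x02\x00\x00\x00" + struct.pack("!H", n)
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, n, 0, 0) + bytes(16) + mac.ljust(16, b"\0")
    opts = bytes([OPT_MSG_TYPE, 1, DHCPREQUEST, OPT_CLIENT_ID, 7, 1]) + mac
    if requested_ip:
        opts += bytes([OPT_REQUESTED_IP, 4, 192, 168, 0, 100])
    return hdr + bytes(192) + MAGIC + opts + b"\xff"

def run_sample(n_clients, rate_pps, requested_ip=False):
    """Feed n_clients constructed requests at rate_pps; return True if any raised an alert."""
    det = DhcpFloodDetector()
    return any([det.observe(i / rate_pps, constructed_request(i, requested_ip))
                for i in range(n_clients)])
```

In use, `observe` would be fed the UDP payload and capture timestamp of each packet addressed to port 67; how those are captured is outside this sketch.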

Impact:   A remote user can cause the target device to crash and reboot.
Solution:   For DI-614+ Revision B, the vendor has issued new firmware (3.41) that reportedly fixes the problem.

http://support.dlink.com/products/view.asp?productid=DI%2D614%2B%5FrevB
http://support.dlink.ca/ProductView.asp?ProdID=221

No solution was available at the time of this entry for DI-614+ Revision A.

Vendor URL:  www.dlink.com/
Cause:   Not specified

Message History:   This archive entry is a follow-up to the message listed below.
Jun 28 2004 D-Link DI-614+ Router Can Be Crashed With Certain DHCP Requests



 Source Message Contents

Subject:  Re: DLINK 614+ - SOHO routers, system DOS


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Hi,
the flaws reported to DLINK on May 24th and posted to bugtraq have
been tested on a DI614+ revision A (arm7/2 antennas) firmware 2.30,
I have omitted to mention it so please update ...

However:
Rev A's latest firmware available is still 2.30 and therefore IS
vulnerable.
http://support.dlink.com/products/view.asp?productid=DI%2D614%2B
http://support.dlink.ca/ProductView.asp?ProdID=220

For Rev B it seems they have silently released a new firmware 3.41 on
June 8
http://support.dlink.com/products/view.asp?productid=DI%2D614%2B%5FrevB
http://support.dlink.ca/ProductView.asp?ProdID=221

So according to this rep,  the flaw was also affecting revision B (as
expected) and was fixed on June 8
but in this case, what are they waiting for to patch Rev A ?

Also have you asked him about the script injection issues affecting
_at least_ their 704 and 614+ rev A and likely several other models ?
Gregory


p dont think wrote:

| FWIW, on a recent call to D-Link tech support, the rep I talked to
| went to ask someone about it, came back and said that it was an
| issue that was limited to the 604 and 614 and was fixed in the
| latest firmware release (sorry, I didn't get a version number).  I
| don't have a 614, so cannot verify.
|
| - Paul
|
|

| TITLE: DLINK 614+ - SOHO routers, system DOS
| (http://www.dlink.com)
|
| TYPE: resource starvation / system denial of service
|
| QUOTE from DLINK:
|
| The AirPlus DI-614+ combines the latest advancements in 802.11b
| silicon chip design from Texas Instruments, utilizing their
| patented Digital Signal ProcessingTM technology, and D-Link's own
| robust firewall security features. ... The D-Link AirPlus DI-614+
| is the ideal networking solution for small offices, home offices,
| schools, coffee shops and other small businesses that cater to the
| public.
|
|
| DETAILS:
|
| The DI614+ SOHO router (latest firmware rev 2.30) will automatically
| reboot when flooded with valid DHCP REQUEST packets built with
| forged source mac addresses or unique CLIENTID and sent without any
| REQUESTIP option. Upon reception of this kind of requests, DLINK's
| DI614+ normally behaves by checking if a lease is available and
| then reply by offering an ip address along with other network
| settings as configured through the web base interface. However if
| such packets are sent at a good enough rate, the DLINK box will be
| left in an unstable state immediately followed by a system reboot.
| Timing is quite important here and makes me think that too many
| simultaneous requests force the SOHO router to eventually allocate
| too much memory and thus to reboot. It is actually hard to know
| with precision where the problem actually lives since no sources
| are made available for public.
|
| Note that a reboot will clear any existing lease (as well as logs)
| and may introduce a subsequent chaos between DHCP clients. Also
| note that only few seconds are necessary to DOS the box this way,
| even less time than needed by the system to reboot. So it is a
| condition of permanent denial of service.
|
| DLINK 614+ is used, among others, by coffee shops, therefore a
| successful exploitation may have very disturbing effects.
|
|
| EXPLOITATION:
|
| This bug will NOT be triggered if a REQUESTIP DHCP option is sent
| along with the request or if no ip address is available for dynamic
| lease at the time of the attack.
|
| Also for a successful exploitation, packets must be sent at a high
| enough rate (ie: 50 packets/s is working)
|
|
| VENDOR:
|
| DLINK's support staff has been contacted by May 24th but doesn't
| bother to reply
|
|
| WORKAROUND:
|
| Use static leasing only and/or disable DLINK's DHCP service
|
|
| VULNERABLE:
|
| firmware up to rev 2.30 (latest)
|
|
|
| AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
iD8DBQFA4MWQ9K2fGbOmSdYRAuKfAJsEDfHL2Gm654LRyZdyZVd2IzU/vACdEhF8
8pptQuLcKHz+ECgCDvViKhA=
=/bD/
-----END PGP SIGNATURE-----

 
 



Copyright 2021, SecurityGlobal.net LLC