SecurityTracker.com

SecurityTracker Archives

Category:   Device (Router/Bridge/Hub)  >   D-Link Router
Vendors:   D-Link Systems, Inc.
(Vendor Issues Fix for Rev B) D-Link DI-614+ DHCP LEASETIME Integer Overflow Lets Remote Users Deny Service
SecurityTracker Alert ID:  1010623
SecurityTracker URL:  http://securitytracker.com/id/1010623
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 1 2004
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): DI-614+; Firmware version 2.30
Description:   A signedness error (reported as an integer overflow) was reported in the DHCP implementation of the D-Link DI-614+ router. A remote user on the router's LAN or WLAN can render its DHCP service unusable.

Gregory Duchemin reported that the router holds the LEASETIME value in a 32-bit signed integer variable, although RFC 2132 defines the IP Address Lease Time option (option 51) as a 32-bit unsigned integer. A remote user can reportedly request a lease time whose high bit is set (a negative number when read as signed); the value passes the comparison against the administrator's configured maximum and the router grants a lease of 13 years instead of that maximum.

By sending many DISCOVER packets, each appearing to come from a different client, a remote user can fill the entire lease table with such leases, rendering the DHCP service unusable, the report said.

A reboot is required to return to normal operation.

The vendor was reportedly notified on May 24, 2004 without response.

Impact:   A remote user on either the wired or wireless interface can consume all available DHCP leases on the target router, denying service to legitimate DHCP clients.
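The signed-versus-unsigned handling described above, as an added C example. This is not D-Link's firmware (whose source is not public) but a stand-alone illustration of the pattern: the same option 51 value is parsed once into a signed variable and once as RFC 2132 specifies. The option bytes, the one-day administrator maximum and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not D-Link code: parsing DHCP option 51 (IP Address
   Lease Time, RFC 2132 section 9.2, a 32-bit unsigned second count)
   into a signed variable versus an unsigned one. */

#define DHCP_OPT_PAD        0
#define DHCP_OPT_LEASE_TIME 51
#define DHCP_OPT_MSG_TYPE   53
#define DHCP_OPT_END        255

/* Locate option `code` in a DHCP options field (the bytes after the
   magic cookie).  Bounds-checked, so a truncated option never causes a
   read past `len`; returns NULL when the option is absent or malformed. */
static const uint8_t *dhcp_find_option(const uint8_t *opts, size_t len,
                                       uint8_t code, size_t *vlen)
{
    size_t i = 0;
    while (i < len) {
        uint8_t c = opts[i];
        if (c == DHCP_OPT_PAD) { i++; continue; }
        if (c == DHCP_OPT_END) break;
        if (i + 2 > len) break;            /* no room for the length byte */
        size_t l = opts[i + 1];
        if (i + 2 + l > len) break;        /* value runs past the buffer */
        if (c == code) { *vlen = l; return opts + i + 2; }
        i += 2 + l;
    }
    return NULL;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the requested lease lands in a signed int32.  Any
   value with the top bit set is negative (the uint32 -> int32 conversion
   wraps on every common compiler), so it passes the "> admin_max" check
   untouched and is then stored as a huge unsigned second count. */
uint32_t lease_time_signed(const uint8_t *opts, size_t len, int32_t admin_max)
{
    size_t vlen = 0;
    const uint8_t *v = dhcp_find_option(opts, len, DHCP_OPT_LEASE_TIME, &vlen);
    int32_t req = (v && vlen == 4) ? (int32_t)be32(v) : admin_max;
    if (req > admin_max)               /* never true for a "negative" request */
        req = admin_max;
    return (uint32_t)req;              /* lease tables hold seconds unsigned */
}

/* Hardened: keep the value unsigned as the RFC defines it and clamp it
   to [1, admin_max]; a missing, short or zero option gets the maximum. */
uint32_t lease_time_unsigned(const uint8_t *opts, size_t len, uint32_t admin_max)
{
    size_t vlen = 0;
    const uint8_t *v = dhcp_find_option(opts, len, DHCP_OPT_LEASE_TIME, &vlen);
    if (!v || vlen != 4)
        return admin_max;
    uint32_t req = be32(v);
    return (req == 0 || req > admin_max) ? admin_max : req;
}

/* Constructed DISCOVER options: message type, then a lease request of
   0xFFFFFFFE seconds (-2 when read as int32), then End. */
static const uint8_t sample_opts[] = {
    DHCP_OPT_MSG_TYPE, 1, 1,
    DHCP_OPT_LEASE_TIME, 4, 0xFF, 0xFF, 0xFF, 0xFE,
    DHCP_OPT_END
};

/* Constructed malformed field: option 51 claims 4 bytes but only 2 follow. */
static const uint8_t truncated_opts[] = { DHCP_OPT_LEASE_TIME, 4, 0xFF, 0xFF };

int main(void)
{
    const uint32_t admin_max = 86400;  /* assumed: administrator set 1 day */
    printf("signed parse:   %u s\n",
           lease_time_signed(sample_opts, sizeof sample_opts, (int32_t)admin_max));
    printf("unsigned parse: %u s\n",
           lease_time_unsigned(sample_opts, sizeof sample_opts, admin_max));
    printf("truncated:      %u s\n",
           lease_time_unsigned(truncated_opts, sizeof truncated_opts, admin_max));
    return 0;
}
```

The signed parse hands back 4294967294 seconds for a one-day maximum, which is the "lease far beyond the configured limit" the advisory describes; the unsigned parse clamps the same bytes to 86400. The bounds check in dhcp_find_option is the other thing to carry over into a real server: a length byte that overruns the packet is as common a malformed input as an oversized lease request.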
Solution:   For DI-614+ Revision B, the vendor has issued new firmware (3.41) that reportedly fixes the problem.

http://support.dlink.com/products/view.asp?productid=DI%2D614%2B%5FrevB
http://support.dlink.ca/ProductView.asp?ProdID=221

No solution was available at the time of this entry for DI-614+ Revision A.

Vendor URL:  www.dlink.com/
Cause:   Boundary error, State error

Message History:   This archive entry is a follow-up to the message listed below.
Jun 28 2004 D-Link DI-614+ DHCP LEASETIME Integer Overflow Lets Remote Users Deny Service



 Source Message Contents

Subject:  Re: DLINK 614+ - SOHO routers, system DOS


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Hi,
the flaws reported to DLINK on May 24th and posted to bugtraq have
been tested on a DI614+ revision A (arm7/2 antennas) firmware 2.30;
I had omitted to mention it, so please update ...

However:
Rev A's latest firmware available is still 2.30 and therefore IS
vulnerable.
http://support.dlink.com/products/view.asp?productid=DI%2D614%2B
http://support.dlink.ca/ProductView.asp?ProdID=220

for Rev B it seems they have silently released a new firmware 3.41 on
June 8
http://support.dlink.com/products/view.asp?productid=DI%2D614%2B%5FrevB
http://support.dlink.ca/ProductView.asp?ProdID=221

So according to this rep, the flaw was also affecting revision B (as
expected) and was fixed on June 8,
but in this case, what are they waiting for to patch Rev A?

Also have you asked him about the script injection issues affecting
_at least_ their 704 and 614+ rev A and likely several other models ?
Gregory


p dont think wrote:

| FWIW, on a recent call to D-Link tech support, the rep I talked to
| went to ask someone about it, came back and said that it was an
| issue that was limited to the 604 and 614 and was fixed in the
| latest firmware release (sorry, I didn't get a version number).  I
| don't have a 614, so cannot verify.
|
| - Paul
|
|

| TITLE: DLINK 614+ - SOHO routers, system DOS
| (http://www.dlink.com)
|
| TYPE: resource starvation / system denial of service
|
| QUOTE from DLINK:
|
| The AirPlus DI-614+ combines the latest advancements in 802.11b
| silicon chip design from Texas Instruments, utilizing their
| patented Digital Signal ProcessingTM technology, and D-Link's own
| robust firewall security features. ... The D-Link AirPlus DI-614+
| is the ideal networking solution for small offices, home offices,
| schools, coffee shops and other small businesses that cater to the
| public.
|
|
| DETAILS:
|
| The DI614+ SOHO router (latest firmware rev 2.30) will automatically
| reboot when flooded with valid DHCP REQUEST packets built with
| forged source MAC addresses or unique CLIENTID and sent without any
| REQUESTIP option. Upon reception of this kind of request, DLINK's
| DI614+ normally behaves by checking if a lease is available and
| then replies by offering an IP address along with other network
| settings as configured through the web-based interface. However, if
| such packets are sent at a high enough rate, the DLINK box will be
| left in an unstable state immediately followed by a system reboot.
| Timing is quite important here and makes me think that too many
| simultaneous requests force the SOHO router to eventually allocate
| too much memory and thus to reboot. It is actually hard to know
| with precision where the problem actually lies since no sources
| are made available to the public.
|
| Note that a reboot will clear any existing lease (as well as logs)
| and may introduce subsequent chaos between DHCP clients. Also
| note that only a few seconds are necessary to DOS the box this way,
| even less time than needed by the system to reboot. So it is a
| condition of permanent denial of service.
|
| DLINK 614+ is used, among others, by coffee shops, therefore a
| successful exploitation may have very disturbing effects.
|
|
| EXPLOITATION:
|
| This bug will NOT be triggered if a REQUESTIP DHCP option is sent
| along with the request or if no ip address is available for dynamic
| lease at the time of the attack.
|
| Also for a successful exploitation, packets must be sent at a high
| enough rate (ie: 50 packets/s is working)
|
|
| VENDOR:
|
| DLINK's support staff was contacted on May 24th but hasn't
| bothered to reply
|
|
| WORKAROUND:
|
| Use static leasing only and/or disable DLINK's DHCP service
|
|
| VULNERABLE:
|
| firmware up to rev 2.30 (latest)
|
|
|
| AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
iD8DBQFA4MWQ9K2fGbOmSdYRAuKfAJsEDfHL2Gm654LRyZdyZVd2IzU/vACdEhF8
8pptQuLcKHz+ECgCDvViKhA=
=/bD/
-----END PGP SIGNATURE-----
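The pool-exhaustion dynamics the quoted advisory describes (unique forged client hardware addresses, requests never followed by a lease confirmation, around 50 packets per second), as an added C simulation. This is not part of the original message and not D-Link's code; the pool size of 16 addresses, the 10-second offer timeout and the packet rates are assumptions chosen to make the arithmetic visible.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added simulation, not D-Link firmware: a fixed-size dynamic pool fed
   DISCOVERs from unique forged chaddr values, none ever confirmed by a
   REQUEST.  Pool size, offer timeout and rates are assumptions. */

#define POOL_SIZE 16     /* assumed: 16 dynamic addresses */
#define OFFER_TTL 10     /* assumed: an unclaimed OFFER is reclaimed after 10 s */

enum lease_state { FREE, OFFERED, BOUND };

struct lease {
    enum lease_state state;
    uint8_t          chaddr[6];
    uint32_t         expires;   /* absolute seconds */
};

struct pool {
    struct lease slot[POOL_SIZE];
    bool reclaim_offers;        /* false: every OFFER holds its slot until reboot */
};

/* Free OFFERED slots whose client never sent a REQUEST in time. */
static void pool_expire(struct pool *p, uint32_t now)
{
    if (!p->reclaim_offers)
        return;
    for (int i = 0; i < POOL_SIZE; i++)
        if (p->slot[i].state == OFFERED && p->slot[i].expires <= now)
            p->slot[i].state = FREE;
}

/* Server side of DISCOVER: re-offer a known client's slot, else take a
   free one.  Returns the slot index or -1 when the pool is exhausted. */
int handle_discover(struct pool *p, const uint8_t chaddr[6], uint32_t now)
{
    pool_expire(p, now);
    for (int i = 0; i < POOL_SIZE; i++)
        if (p->slot[i].state != FREE && memcmp(p->slot[i].chaddr, chaddr, 6) == 0)
            return i;
    for (int i = 0; i < POOL_SIZE; i++)
        if (p->slot[i].state == FREE) {
            p->slot[i].state = OFFERED;
            memcpy(p->slot[i].chaddr, chaddr, 6);
            p->slot[i].expires = now + OFFER_TTL;
            return i;
        }
    return -1;
}

/* Attacker side: `n` DISCOVERs with distinct locally-administered MACs
   at `rate` per second.  Returns how many the server had to refuse. */
int flood_refused(bool reclaim_offers, int n, int rate)
{
    struct pool p;
    memset(&p, 0, sizeof p);
    p.reclaim_offers = reclaim_offers;
    int refused = 0;
    for (int k = 0; k < n; k++) {
        uint8_t mac[6] = { 0x02, 0x00, 0x00,
                           (uint8_t)(k >> 16), (uint8_t)(k >> 8), (uint8_t)k };
        if (handle_discover(&p, mac, (uint32_t)(k / rate)) < 0)
            refused++;
    }
    return refused;
}

int main(void)
{
    printf("no reclaim, 1 pkt/s:  %d of 100 refused\n", flood_refused(false, 100, 1));
    printf("reclaim,    1 pkt/s:  %d of 100 refused\n", flood_refused(true, 100, 1));
    printf("reclaim,   50 pkt/s:  %d of 100 refused\n", flood_refused(true, 100, 50));
    return 0;
}
```

Reclaiming unconfirmed OFFERs is enough against a slow misbehaving client (at one packet per second no request is ever refused), but at the 50 packets per second the advisory cites the 16-slot pool is gone in a third of a second, long before any OFFER expires, which is why a server-side timeout alone does not address this report and the listed workarounds (static leases only, or disabling the router's DHCP service) remain the practical mitigation for the affected firmware.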

Copyright 2021, SecurityGlobal.net LLC