-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
TITLE: DLINK 614+ - SOHO routers, system DOS (http://www.dlink.com)
TYPE: ressources starvation / system denial of service
QUOTE from DLINK:
The AirPlus DI-614+ combines the latest advancements in 802.11b silicon chip design from Texas Instruments, utilizing their patented Digital Signal ProcessingTM technology, and D-Link's own robust firewall security features. ... The D-Link AirPlus DI-614+ is the ideal networking solution for small offices, home offices, schools, coffee shops and other small businesses that cater to the public.
DETAILS:
The DI614+ SOHO router (latest firmware rev 2.30) will automaticaly reboot when flooded with valid DHCP REQUEST packets built with forged source mac addresses or unique CLIENTID and sent without any REQUESTEIP option. Upon reception of this kind of requests, DLINK's DI614+ normally behaves by checking if a lease is available and then reply by offering an ip address along with other network settings as configured through the web base interface. However if such packets are sent at a good enough rate, the DLINK box will be left in an unstable state immediately followed by a system reboot. Timing is quite important here and make me thinking that too much simultaneous requests force the SOHO router to eventually allocate too much memory and thus to reboot. It is actually hard to know with precision where the problem actually lives since no sources are made available for public.
Note that a reboot will clear any existing lease (as well as logs) and may introduce a subsequent chaos between DHCP clients. Also note that only few seconds are necessary to DOS the box this way, even less time than needed by the system to reboot. So it is a condition of permanent denial of service.
DLINK 614+ is used, among others, by coffee shops, therefore a successful exploitation may have very disturbing effects.
EXPLOITATION:
This bug will NOT be triggered if a REQUESTIP DHCP option is sent along with the request or if no ip address is available for dynamic lease at the time of the attack.
Also for a successful exploitation, packets must be sent at a high enough rate (ie: 50 packets/s is working)
VENDOR:
DLINK's support staff has been contacted by May 24th but doesn't bother to reply
WORKAROUND:
Use static leasing only and/or disable DLINK's DHCP service
VULNERABLE:
firmware up to rev 2.30 (latest)
AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFA34bT9K2fGbOmSdYRAu2OAJ9bHrnk0ExcYMEJXZZROUX60vdkLACeNFTV mF/uH+rt929VhMDxuysJPug= =jTkm -----END PGP SIGNATURE-----
