TITLE: DLINK 614+ - SOHO routers, DHCP service DOS (http://www.dlink.com)
TYPE: signedness bug
QUOTE from DLINK:
The AirPlus DI-614+ combines the latest advancements in 802.11b silicon chip design from Texas Instruments, utilizing their patented Digital Signal ProcessingTM technology, and D-Link?s own robust firewall security features. ... A simple yet intelligent, web-based setup wizard makes the DI-614+ easy for any user to quickly and securely connect computers to share a high-speed Internet connection, files, resources, games or just to communicate. An integrated 4-port switch allows direct connection of up to four computers. Several wireless clients can also securely connect to the network using 64, 128, or 256-bit encryption. ... The D-Link AirPlus DI-614+ is the ideal networking solution for small offices, home offices, schools, coffee shops and other small businesses that cater to the public.
DETAILS:
The DI614+ SOHO router (latest firmware rev 2.30) suffers a signedness bug in its DHCP implementation.
The DHCP option "LEASETIME" is an unsigned 32 bits integer used both by the client and the server respectively to ask and set the lease duration time (expressed in seconds)
quoted from RFC2132:
"9.2. IP Address Lease Time This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer. Alexander & Droms Standards Track [Page 25] RFC 2132 DHCP Options and BOOTP Vendor Extensions March 1997 The time is in units of seconds, and is specified as a 32-bit unsigned integer. The code for this option is 51, and its length is 4. "
Unfortunately, it appears that DLINK's DI614+ uses a signed
integer to store this option before comparing it with the one set in the web based management interface.
This comparaison determines if a requested lease time is
lesser or equal to the maximal lease time set by the administrator
and thus if it can be granted as requested by the client or instead fixed to its maximal value.
This signedness bug can be triggered by sending a negative integer, so starting from 0x80000000 up to 0xffffffff (-1) in the client's LEASETIME option.
For instance, using value 0xffffffff ((unsigned) 4 294 967 295
<=> (signed) -1), the comparaison returns true because -1 is lesser
than any possible server's lease time, but while processing the new lease entry, the DI614+ actually grants it with a 13+ years lease time instead of the maximal value
as defined by the box's administrator.
Other values lesser than -1 (between 0x80000000 and 0xfffffffe) seem to be just discarded during the lease registering process but are however left untouched in the daemon's DHCP OFFER reply.
Because the DI614+ doesn't require a full DHCP handshake to register a new lease but
instead will be plain satisfied with a single DISCOVER packet including a REQUESTIP option, checking for either a different mac address or CLIENTID option before creating a new lease entry, it is straightforward, fast and quite easy to fill up the scope with boggus entries in a few seconds making the DHCP service unusable for 13+ years or until the next reboot.
Note that a reboot will clear any existing lease (as well as logs) and may introduce a subsequent chaos between DHCP clients.
DLINK 614+ is used, among others, by coffee shops, therefore a successful exploitation may have very disturbing effects.
EXPLOITATION:
This bug can be triggered from both wire and wireless networks.
VENDOR:
DLINK's support staff has been contacted by May 24th but doesn't bother to reply
WORKAROUND: Static leasing
VULNERABLE:
firmware up to rev 2.30 (latest)
AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)
