
List:       bugtraq
Subject:    DLINK 704, script injection vulnerability
From:       c3rb3r <c3rb3r () sympatico ! ca>
Date:       2004-06-21 8:38:03
Message-ID: 40D69E6B.6050606 () sympatico ! ca

TITLE: Security flaw in DLINK 704 - SOHO routers (http://www.dlink.com)

TYPE: Script injection over DHCP

QUOTE from DLINK (actually for the DLINK 704p):

The DI-704P is an Ethernet Broadband Router with a built-in 4-port switch. It 
also features a parallel port to share a printer on the home or office network 
and includes a print server application for Windows*. As many as four computers 
can be connected to the router’s integrated switch, using its four 10/100Mbps 
AutoMDIX Ethernet ports. The DI-704P package even includes an Ethernet cable to 
get you started. 
...
So, whether you are a college student who wants to network with friends and 
roommates, an executive working at home or in a small office, or a concerned 
parent who just wants to have more control over how your children access the 
Internet, then the D-Link Express EtherNetwork™ DI-704P is the 
networking solution for you, even if you don’t know anything about networking. 


DETAILS:


The DI-704 SOHO router (latest firmware rev 2.60B2) suffers from a "script
injection over DHCP" vulnerability.
Using DHCP as a vector, arbitrary and malicious scripting can be
injected into the DHCP/fixed mapping page and the logs page (if enabled).

Scripting sent in this way is executed on behalf of the unaware
administrator when he consults the web-based management interface, and may
lead to the complete compromise of the firewall/router, giving full access to the
administrative account.

Like the DI-614+, DLINK's DI-704 does not filter data passed to it through the DHCP
HOSTNAME option, and does not even truncate this string, so exploitation
fits in a single packet.

Among possible malicious actions, one can:

- Set SNMP read/write communities of his choice and bind them to the
external interface (not really exciting, though)
- Redirect the DHCP/fixed mapping page to a malicious site presenting a fake DI-704
timeout/relogin page to capture the admin password (clearly better)

Because the DI-704 has no wireless interface attached, the risk is moderate;
still, a successful exploitation may have critical impact.
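The root cause described above is untrusted DHCP HOSTNAME data rendered verbatim into the management pages. The following Python example is added here for illustration; it is not code from the advisory or from D-Link's firmware. It parses the option area of a constructed DHCP REQUEST (RFC 2131 layout, option 12 = Host Name, option 53 = message type), applies RFC 1123 hostname validation with a 63-character label limit, and shows a lease-table row rendered both the vulnerable way (raw interpolation) and the hardened way (reject invalid names at intake, HTML-escape at render time). The MAC address, hostname bytes and packet are constructed sample data; the function names are my own.

```python
import html
import re

# DHCP option area starts at offset 236 with the magic cookie (RFC 2131).
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_HOSTNAME, OPT_MSG_TYPE, OPT_END = 0, 12, 53, 255
DHCPREQUEST = 3

# RFC 1123 label: alphanumerics and hyphens, no leading/trailing hyphen, 1..63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def build_dhcp_request(mac: bytes, hostname: bytes) -> bytes:
    """Build a minimal DHCPREQUEST carrying a Host Name option (constructed sample)."""
    header = bytearray(236)
    header[0] = 1            # op = BOOTREQUEST
    header[1] = 1            # htype = Ethernet
    header[2] = 6            # hlen
    header[28:34] = mac      # chaddr
    options = (bytes([OPT_MSG_TYPE, 1, DHCPREQUEST])
               + bytes([OPT_HOSTNAME, len(hostname)]) + hostname
               + bytes([OPT_END]))
    return bytes(header) + MAGIC_COOKIE + options


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: value_bytes} from the DHCP option area."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value   # RFC 3396: concatenate repeats
        i += 2 + length
    return opts


def is_valid_hostname(name: str) -> bool:
    """Accept only RFC 1123 hostnames; anything with markup or oversized labels fails."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def accept_hostname(raw: bytes) -> str:
    """Intake-side check: keep a valid hostname, otherwise store a neutral placeholder."""
    text = raw.decode("ascii", errors="replace")
    return text if is_valid_hostname(text) else "(rejected)"


def render_lease_row_unsafe(mac: bytes, opts: dict) -> str:
    """The flawed pattern: option 12 bytes interpolated straight into the admin page."""
    name = opts.get(OPT_HOSTNAME, b"").decode("ascii", errors="replace")
    return f"<tr><td>{mac.hex(':')}</td><td>{name}</td></tr>"


def render_lease_row_safe(mac: bytes, opts: dict) -> str:
    """Hardened: validate at intake and escape at render time (two independent layers)."""
    name = accept_hostname(opts.get(OPT_HOSTNAME, b""))
    return (f"<tr><td>{html.escape(mac.hex(':'))}</td>"
            f"<td>{html.escape(name, quote=True)}</td></tr>")


# Constructed sample: a client whose hostname field carries markup instead of a name.
SAMPLE_MAC = b"\x00\x11\x22\x33\x44\x55"
SAMPLE_PACKET = build_dhcp_request(SAMPLE_MAC, b"pc<script>x</script>")

if __name__ == "__main__":
    opts = parse_dhcp_options(SAMPLE_PACKET)
    print("unsafe:", render_lease_row_unsafe(SAMPLE_MAC, opts))
    print("safe:  ", render_lease_row_safe(SAMPLE_MAC, opts))
```

The two layers are deliberately independent: the intake check keeps junk out of the lease table (and out of the logs page), while escaping at render time protects any page that still prints a stored value, so a missed validation path does not become script execution in the administrator's browser.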


EXPLOITATION:

One valid DHCP REQUEST carrying a malicious HOSTNAME, that's it.


VENDOR:

DLINK's support staff was contacted on May 24th but has not replied on this issue.
It looks like the DI-704 has been discontinued; however, a quick glance into the
firmware reveals several references to other DLINK models as well.
In other words, it is likely that several other models are affected by this very same
problem.


WORKAROUND:
Use static leasing only (it fixes the hostname); otherwise use a
real dhcpd daemon (and disable the DLINK dhcpd).


VULNERABLE:

firmware up to rev 2.60B2 (latest)



AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)

