[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: DLINK 704, script injection vulnerability
From: c3rb3r <c3rb3r () sympatico ! ca>
Date: 2004-06-21 8:38:03
Message-ID: 40D69E6B.6050606 () sympatico ! ca
[Download RAW message or body]
TITLE: Security flaw in DLINK 704 - SOHO routers (http://www.dlink.com)
TYPE: Script injection over DHCP
QUOTE from DLINK (actually for the DLINK 704p):
The DI-704P is an Ethernet Broadband Router with a built-in 4-port switch. It
also features a parallel port to share a printer on the home or office network
and includes a print server application for Windows*. As many as four computers
can be connected to the router’s integrated switch, using its four 10/100Mbps
AutoMDIX Ethernet ports. The DI-704P package even includes an Ethernet cable to
get you started.
...
So, whether you are a college student who wants to network with friends and
roommates, an executive working at home or in a small office, or a concerned
parent who just wants to have more control over how your children access the
Internet, then the D-Link Express EtherNetwork^TM DI-704P is the
networking solution for you, even if you don’t know anything about networking.
DETAILS:
The DI-704 SOHO router (latest firmware rev 2.60B2) suffers a "script
injection over dhcp" vulnerability.
Using DHCP as a vector, arbitrary and malicious scripting can be
injected into the DHCP/fixed mapping and logs pages (if enabled)
Scripting sent in such a way will be executed on behalf of the unaware
administrator when he consult the web based management interface and may
lead to the complete compromising of the firewall/router giving full access to the \
administrative account.
Like the DI-614+, DLINK's DI-704 does not filter data passed to it through the DHCP
HOSTNAME option and doesn't even bother truncating this string making exploitation \
even faster in one packet.
Among possible malicious actions, one can:
- Set snmp read/write communities of his choice and bindings them on the
external interface (not really exciting though)
- Redirect the page DHCP/fixed mapping to a malicious site presenting a fake DI-704 \
timeout/relogin page to get the admin password (clearly better)
Because the DI-704 has no wireless interface attached, risk is moderate,
still a successful exploitation may have critical impacts.
EXPLOITATION:
one valid DHCP REQUEST carrying a malicious HOSTNAME, that's it.
VENDOR:
DLINK's support staff has been contacted by May 24th but didn't reply on this issue
It looks like the DI-704 has been discontinued, however a quick glance into the \
firmware reveals several references to other DLINK models as well.
In other words it is likely that several other models are affected by this very same \
problem.
WORKAROUND:
Use static leasing only (it fixes the hostname) otherwise just use a
real dhcpd daemon (and disable DLINK dhcpd)
VULNERABLE:
firmware up to rev 2.60B2 (latest)
AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic