D-Link routers with a firmware of 2.70 and below are vulnerable to a denial of service vulnerability providing the attacker has the ability to see the internal interface on the router. Sending a malformed URL to the syslog script will caused a DNS query. Multitudes of this query can result in a DoS and other odd forms of behavior.
802c81b31a6ec34d42defd9d16029f1790493faf92d67f06228dcf953950b333
Nessus wrote a nice little plugin for it
http://www.securityindex.net/dlink_router_overflow.nasl
--
My home network uses a small 4 port broadband Dlink router (704p) The firmware was updated one week ago
to version 2.70 from the www.D-link.com website
The following malformed URL's cause odd behavior in the router. Pointing your browser (like most routers) to the gateways internal IP address you get a web interface for administering your router.
http://192.168.0.1/syslog.htm?D=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
This URL caused the router to do a DNS query on:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@xxxx.xx.comcast.net
"@xxxx.xx.comcast.net" is the trailing end of my hostname (i replaced the real trailing host name with x's as to not give up my hometown and state! heh)
Subsequently there was a DNS response "no such name"
Enough of these malformed URLS causes the DNS server to DoS the router for a short time because a DNS response packet is much larger then a DNS query packet.
This URL also caused an error in the routers log file page, the URL
made the page look odd. This router uses CSS to display its tabs and log file (syslog.htm). Some of the HTML was visible within the CSS that were now repeating across the page. I took a screen shot and uploaded it to my webspace. Copy and paste the link below to see.
http://www.securityindex.net/router.JPG
<------------------------------------------- ------------------------------------------->
<------------------------------------------- ------------------------------------------->
<------------------------------------------- ------------------------------------------->
<------------------------------------------- ------------------------------------------->
<-------------------------------------------next------------------------------------------->
This URL also cuases problems:
http://192.168.0.1/syslog.htm?D=................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
This malformed URL caused the router to stop responding. Requesting this
url over and over will eventually render the router useless until reset.
You can still access the internet after sending this url once but the routers
configuration page does not respond until you reset the router.
If your D-Link router is set to allow remote administration then its potentially
possible for an attacker to render your router useless until it is physically
reset by unplugging it and replugging it into the wall.
-->
i sent an email to dlink containing a copy of this post. Thanx
-->
--chris
www.securityindex.net
-apex security group-
:-hello-:
george
dreifach-x
th1nk
johnblaze