exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

dlink624.txt

dlink624.txt
Posted Jul 1, 2004
Authored by Gregory Duchemin

The DI-624+ SOHO DLINK router suffers a script injection vulnerability that uses DHCP as a vector of attack.

tags | advisory
SHA-256 | d856de4fb4db87ed8574faf55666d66f7965ff1088c03f36522efd2cfcfa846e

dlink624.txt

Change Mirror Download
TITLE: Security flaw in DLINK 624 - SOHO routers (http://www.dlink.com)

TYPE: Script injection over DHCP

QUOTE from DLINK:

The D-Link Xtreme G DI-624 wireless router with 108Mbps^* upgrade
employs five cutting-edge hardware-based compression technologies to achieve a
significant boost in performance within the 2.4GHz frequency range.
...
The D-Link 802.11g DI-624 Xtreme G features robust security to protect the
wireless network from intruders, complying with the latest wireless networking
security protocols, including WEP encryption and Wi-Fi Protected Access (WPA)
support for both 802.1x and WPA-PSK. The DI-624 is also capable of supporting
the government-grade AES encryption and upcoming 802.11i standards.


DETAILS:

The DI-624 SOHO router (Revision B, latest firmware rev 1.28) suffers a "script
injection over dhcp" vulnerability.
Using DHCP as a vector, arbitrary and malicious scripting can be
injected into the DHCP administrative and logs pages (if enabled)

Scripting sent in such a way will be executed on behalf of the unaware
administrator next time he consult the web based management interface and
lead to the complete compromising of the
firewall/router giving full access to the administrative account.

Like the DI-614+, DLINK's DI-624 model does not filter user supplied data passed through the DHCP
HOSTNAME option.
Basically, it first truncates the string to 20 characters and displays it AS IS
in the DHCP and log pages (if logs are enabled) opening a large hole that can easily be exploited for instance:

to change the administrator's password (doesn't require his current password)
to reboot the box
to reset the box's factory settings (blank admin password/no wep)

Because the DLINK 624 is used, among others, by coffee shops, a
successful exploitation may have very serious impact.


EXPLOITATION:

Exact same procedure as described for the DI-614+ and available at:
http://securityfocus.com/archive/1/366615/2004-06-21/2004-06-27/0


VENDOR:

DLINK's support staff has been contacted on May 24th for this very same issue
affecting their DI-614+ but has yet to reply and confirm if they plan to fix it in the
upcoming firmwares.


WORKAROUND:
Use static leasing only (it fixes the hostname) otherwise just use a
real dhcpd daemon (and disable DLINK dhcpd)


VULNERABLE:

DI-624 Revision B, firmware up to 1.28 (latest)
It is *highly* probable that other models are affected too.


AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)


THANKS: To Francois Beaupres who let me mess with his baby


Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close