TITLE: Security flaw in DLINK 614+ - SOHO routers (http://www.dlink.com)
TYPE: Script injection over DHCP
QUOTE from DLINK:
The AirPlus DI-614+ combines the latest advancements in 802.11b silicon chip design from Texas Instruments, utilizing their patented Digital Signal ProcessingTM technology, and D-Link?s own robust firewall security features. ... A simple yet intelligent, web-based setup wizard makes the DI-614+ easy for any user to quickly and securely connect computers to share a high-speed Internet connection, files, resources, games or just to communicate. An integrated 4-port switch allows direct connection of up to four computers. Several wireless clients can also securely connect to the network using 64, 128, or 256-bit encryption. ... The D-Link AirPlus DI-614+ is the ideal networking solution for small offices, home offices, schools, coffee shops and other small businesses that cater to the public.
DETAILS:
The DI-614+ SOHO router (latest firmware rev 2.30) suffers a "script injection over dhcp" vulnerability. Using DHCP as a vector, arbitrary and malicious scripting can be injected into the DHCP administrative and logs pages (if enabled)
Scripting sent in such a way will be executed on behalf of the unaware administrator when he consult the web based management interface and lead to the complete compromising of the firewall/router giving full access to the administrative account.
The DI-614+ does not filter user supplied data passed through the DHCP HOSTNAME option. Basically, it first truncates the string to 20 characters and displays it AS IS in the DHCP and log pages opening a large hole that can easily be exploited for instance: to change the administrator password (doesn't require his current password), to reboot the box, to reset the box's factory settings.
Because the DLINK 614+ is used, among others, by coffee shops, a successful exploitation may have very serious impact.
EXPLOITATION:
As an example, one can inject a script designed to force the administrator into restoring the box default settings using this nasty little script:
<iframe height=0 width=0 src='restore.cgi'>
where a call to restore.cgi indeed restore the box factory defaults.
problem #1:
the DI-614+ will truncate this code into:
<iframe height=0 wid ** CGI ADDED STUFF **
20 characters is obviously not enough to do something useful here. Splitting this script into 3 parts, sending each of them in a different DHCPREQUEST along with a different CLIENTID option or Mac address will create 3 new differents entries in the DHCP admin page. something like:
the result is still bogus from a browser perspective, because of the other tags (noted above as CGI ADDED STUFF) inserted between each new entry. However a dirty trick allows to circumvent this problem by finishing each fragment with an id option and doing so, quoting the ** CGI added stuff **. like this (this time in four packets):
Result is quite awful for a human but also readable for most browsers, afterwhat, next time the site administrator opens the DHCP page, he will automaticaly, and without notice, restores the box default password (blank), disable wireless encryption, etc... Finally X has to connect to 192.168.0.1 (default address), and voila ! he is administrator.
This vulnerability can be exploited from both wire and wireless networks. The solution is simply to filter the HOSTNAME DHCP option supplied by users by escaping html meta-characters
VENDOR:
DLINK's support staff has been contacted by May 24th but didn't reply to my questions No idea if a new firmware will be made available soon and even if they are currently working on it It looks like they just don't care too much about security.
WORKAROUND: Use static leasing only (it fixes the hostname) otherwise just use a real dhcpd daemon (and disable DLINK dhcpd)
TITLE: Security flaw in DLINK 624 - SOHO routers (http://www.dlink.com)
TYPE: Script injection over DHCP
QUOTE from DLINK:
The D-Link Xtreme G DI-624 wireless router with 108Mbps^* upgrade employs five cutting-edge hardware-based compression technologies to achieve a significant boost in performance within the 2.4GHz frequency range. ... The D-Link 802.11g DI-624 Xtreme G features robust security to protect the wireless network from intruders, complying with the latest wireless networking security protocols, including WEP encryption and Wi-Fi Protected Access (WPA) support for both 802.1x and WPA-PSK. The DI-624 is also capable of supporting the government-grade AES encryption and upcoming 802.11i standards.
DETAILS:
The DI-624 SOHO router (Revision B, latest firmware rev 1.28) suffers a "script injection over dhcp" vulnerability. Using DHCP as a vector, arbitrary and malicious scripting can be injected into the DHCP administrative and logs pages (if enabled)
Scripting sent in such a way will be executed on behalf of the unaware administrator next time he consult the web based management interface and lead to the complete compromising of the firewall/router giving full access to the administrative account.
Like the DI-614+, DLINK's DI-624 model does not filter user supplied data passed through the DHCP HOSTNAME option. Basically, it first truncates the string to 20 characters and displays it AS IS in the DHCP and log pages (if logs are enabled) opening a large hole that can easily be exploited for instance:
to change the administrator's password (doesn't require his current password) to reboot the box to reset the box's factory settings (blank admin password/no wep)
Because the DLINK 624 is used, among others, by coffee shops, a successful exploitation may have very serious impact.
DLINK's support staff has been contacted on May 24th for this very same issue affecting their DI-614+ but has yet to reply and confirm if they plan to fix it in the upcoming firmwares.
WORKAROUND: Use static leasing only (it fixes the hostname) otherwise just use a real dhcpd daemon (and disable DLINK dhcpd)
VULNERABLE:
DI-624 Revision B, firmware up to 1.28 (latest) It is *highly* probable that other models are affected too.
