<<< Date Index >>>     <<< Thread Index >>>

DLINK 704, script injection vulnerability



TITLE: Security flaw in DLINK 704 - SOHO routers (http://www.dlink.com)

TYPE: Script injection over DHCP

QUOTE from DLINK (actually for the DLINK 704p):

The DI-704P is an Ethernet Broadband Router with a built-in 4-port switch. It also features a parallel port to share a printer on the home or office network and includes a print server application for Windows*. As many as four computers can be connected to the router’s integrated switch, using its four 10/100Mbps AutoMDIX Ethernet ports. The DI-704P package even includes an Ethernet cable to get you started. ... So, whether you are a college student who wants to network with friends and roommates, an executive working at home or in a small office, or a concerned parent who just wants to have more control over how your children access the Internet, then the D-Link Express EtherNetwork^TM DI-704P is the networking solution for you, even if you don’t know anything about networking.

DETAILS:


The DI-704 SOHO router (latest firmware rev 2.60B2) suffers a "script
injection over dhcp" vulnerability.
Using DHCP as a vector, arbitrary and malicious scripting can be
injected into the DHCP/fixed mapping and logs pages (if enabled)

Scripting sent in such a way will be executed on behalf of the unaware
administrator when he consult the web based management interface and may
lead to the complete compromising of the firewall/router giving full access to 
the administrative account.

Like the DI-614+, DLINK's DI-704 does not filter data passed to it through the 
DHCP
HOSTNAME option and doesn't even bother truncating this string making 
exploitation even faster
in one packet.
Among possible malicious actions, one can:

- Set snmp read/write communities of his choice and bindings them on the
external interface (not really exciting though)
- Redirect the page DHCP/fixed mapping to a malicious site presenting a fake 
DI-704 timeout/relogin page to get
the admin password (clearly better)

Because the DI-704 has no wireless interface attached, risk is moderate, still a successful exploitation may have critical impacts.

EXPLOITATION:

one valid DHCP REQUEST carrying a malicious HOSTNAME, that's it.


VENDOR:

DLINK's support staff has been contacted by May 24th but didn't reply on this 
issue
It looks like the DI-704 has been discontinued, however a quick glance into the firmware reveals several references to other DLINK models as well. In other words it is likely that several other models are affected by this very same problem.

WORKAROUND:
Use static leasing only (it fixes the hostname) otherwise just use a
real dhcpd daemon (and disable DLINK dhcpd)


VULNERABLE:

firmware up to rev 2.60B2 (latest)



AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)