TITLE: Security flaw in DLINK 704 – SOHO routers (http://www.dlink.com)
TYPE: Script injection over DHCP
DETAILS:
The DI-704 SOHO router (latest firmware rev 2.60B2) suffers a “script
injection over dhcp” vulnerability.
Using DHCP as a vector, arbitrary and malicious scripting can be
injected into the DHCP/fixed mapping and logs pages (if enabled)
Scripting sent in such a way will be executed on behalf of the unaware
administrator when he consult the web based management interface and may
lead to the complete compromising of the firewall/router giving full access to the administrative account.
Like the DI-614+, DLINK’s DI-704 does not filter data passed to it through the DHCP
HOSTNAME option and doesn’t even bother truncating this string making exploitation even faster in one packet.
Among possible malicious actions, one can:
– Set snmp read/write communities of his choice and bindings them on the
external interface (not really exciting though)
– Redirect the page DHCP/fixed mapping to a malicious site presenting a fake DI-704 timeout/relogin page to get the admin password (clearly better)
Because the DI-704 has no wireless interface attached, risk is moderate, still a successful exploitation may have critical impacts.
EXPLOITATION:
one valid DHCP REQUEST carrying a malicious HOSTNAME, that’s it.
VENDOR:
DLINK’s support staff has been contacted by May 24th but didn’t reply on this issue
It looks like the DI-704 has been discontinued, however a quick glance into the firmware reveals several references to other DLINK models as well. In other words it is likely that several other models are affected by this very same problem.
WORKAROUND:
Use static leasing only (it fixes the hostname) otherwise just use a
real dhcpd daemon (and disable DLINK dhcpd)
VULNERABLE: firmware up to rev 2.60B2 (latest)
AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca) DETAILS:
The DI-704 SOHO router (latest firmware rev 2.60B2) suffers a “script
injection over dhcp” vulnerability.
Using DHCP as a vector, arbitrary and malicious scripting can be
injected into the DHCP/fixed mapping and logs pages (if enabled)
Scripting sent in such a way will be executed on behalf of the unaware
administrator when he consult the web based management interface and may
lead to the complete compromising of the firewall/router giving full access to the administrative account.
Like the DI-614+, DLINK’s DI-704 does not filter data passed to it through the DHCP
HOSTNAME option and doesn’t even bother truncating this string making exploitation even faster in one packet.
Among possible malicious actions, one can:
– Set snmp read/write communities of his choice and bindings them on the
external interface (not really exciting though)
– Redirect the page DHCP/fixed mapping to a malicious site presenting a fake DI-704 timeout/relogin page to get the admin password (clearly better)
Because the DI-704 has no wireless interface attached, risk is moderate, still a successful exploitation may have critical impacts.
EXPLOITATION:
one valid DHCP REQUEST carrying a malicious HOSTNAME, that’s it.
VENDOR:
DLINK’s support staff has been contacted by May 24th but didn’t reply on this issue
It looks like the DI-704 has been discontinued, however a quick glance into the firmware reveals several references to other DLINK models as well. In other words it is likely that several other models are affected by this very same problem.
WORKAROUND:
Use static leasing only (it fixes the hostname) otherwise just use a
real dhcpd daemon (and disable DLINK dhcpd)
VULNERABLE: firmware up to rev 2.60B2 (latest)
