[NEWS] D-Link DIR-100 Long URL Filter Evasion



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



D-Link DIR-100 Long URL Filter Evasion
------------------------------------------------------------------------


SUMMARY

D-Link DIR-100 (<http://www.dlink.de/?go=gNTyP9CgrdFOIC4AStFCF834mptYKO9ZTdvhLPG3yV3oV492gqltbNlwaaFp6DQoHDrpxC5H+40AAdvl>) is "a small and cost-effective router and firewall device for small offices and home users". Marc Ruef at scip AG found a way to evade the URL filters of the D-Link DIR-100 web proxy that are meant to prevent access to certain web sites.

DETAILS

Vulnerable Systems:
* D-Link DIR-100 firmware versions up to version 1.12

By adding a very long string to the URL it is possible to access web
resources even if access to them has been forbidden by the DIR-100's URL
filtering mechanism.

Exploit:
It is possible to exploit the vulnerability with a common web browser by
using a long URL (approx. 1300 characters). You can expand the length of
the URL by adding an unused HTTP GET request parameter. Example URL:
http://www.scip.ch/?foo=aaa(...)

A video illustrating this issue is available at the following URL:
http://de.youtube.com/watch?v=WTzPn37XNl4

The Attack Tool Kit (ATK, http://www.computec.ch/projekte/atk/) is able
to exploit this vulnerability with the following generic ASL code (expand
the long URL request):
open|send GET http://www.scip.ch/?foo=aaa(...) HTTP/1.0\n\n|sleep|close|pattern_not_exists *This URL is <font color=red>blocked</font> by administrator !*

Impact:
With this vulnerability users are able to access forbidden web resources
without being filtered by the integrated web proxy service.
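The following Python example is added here and is not part of the advisory or of any D-Link or scip AG code. It models one plausible way a URL filter can be defeated by length (a fixed-size request buffer that fails open when exceeded; an assumption, since the advisory does not explain the root cause) next to a filter that decides on the parsed host only and fails closed, and it includes a helper that builds the padded URL described above so the two behaviours can be compared on the ~1300-character case. The blocklist, buffer size and helper names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed example blocklist (the advisory uses www.scip.ch as its test site).
BLOCKED_HOSTS = {"www.scip.ch"}
# Hypothetical buffer size of a naive filter; not a documented DIR-100 value.
MAX_URL_LEN = 1024


def padded_url(base: str, length: int) -> str:
    """Append an unused query parameter until the URL reaches `length` chars,
    the technique the advisory describes (foo=aaa...)."""
    sep = "&" if "?" in base else "?"
    stub = base + sep + "foo="
    if len(stub) > length:
        raise ValueError("base URL already longer than requested length")
    return stub + "a" * (length - len(stub))


def naive_filter_blocks(url: str) -> bool:
    """Model of a filter that only handles requests fitting a fixed buffer.
    Anything larger is never matched, so it passes through unfiltered
    (fail-open). This is the assumed failure mode, not verified DIR-100 code."""
    if len(url) > MAX_URL_LEN:
        return False
    return any(host in url for host in BLOCKED_HOSTS)


def hardened_filter_blocks(url: str) -> bool:
    """Decide on the parsed host alone, independent of total URL length,
    and fail closed when the host cannot be determined."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return True  # unparsable request: block rather than guess
    if not host:
        return True
    host = host.lower()
    # Match the host itself and any of its subdomains.
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)


if __name__ == "__main__":
    short = "http://www.scip.ch/"
    long_url = padded_url(short, 1300)
    for name, fn in (("naive", naive_filter_blocks), ("hardened", hardened_filter_blocks)):
        print(f"{name}: short blocked={fn(short)}, long blocked={fn(long_url)}")
```

The naive model reports the short URL as blocked but lets the 1300-character variant through, while the host-based check blocks both; a filter's test suite should include exactly this length sweep.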

Solution:
We informed D-Link at an early stage. Our technical requests were neither
answered nor confirmed. Therefore, no official statement, patch or
upgrade is available.

We suggest the use of another device for filtering forbidden web resources
successfully.

Vendor response:
D-Link was first informed via the unhandy web form at
http://www.dlink.com (no public mail address for such cases could be
found). The first responses claimed that the problem must be due to a
wrong configuration setting. Further discussions were initiated.

The support was not able to understand the problem, not even after several
step-by-step guides and examples. They always suggested upgrading to
the latest firmware and could not verify the problem. Therefore, no
official solution, workaround or patch is available.


ADDITIONAL INFORMATION

The information has been provided by Marc Ruef (maru@xxxxxxx).
The original article can be found at:
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=3808





