DLINK 614+, script injection vulnerability

From: c3rb3r (c3rb3r_at_sympatico.ca)
Date: 06/21/04

  • Next message: liudieyu_at_umbrella.name: "IE/0DAY -> Insider Prototype"
    Date: Mon, 21 Jun 2004 00:39:18 -0700
    To: bugtraq@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
     
    TITLE: Security flaw in DLINK 614+ - SOHO routers (http://www.dlink.com)

    TYPE: Script injection over DHCP

    QUOTE from DLINK:

    The AirPlus DI-614+ combines the latest advancements in 802.11b
    silicon chip
    design from Texas Instruments, utilizing their patented Digital Signal
    ProcessingTM technology, and D-Link?s own robust firewall security
    features.
    ...
    A simple yet intelligent, web-based setup wizard makes the DI-614+
    easy for any
    user to quickly and securely connect computers to share a high-speed
    Internet
    connection, files, resources, games or just to communicate. An
    integrated 4-port
    switch allows direct connection of up to four computers. Several wireless
    clients can also securely connect to the network using 64, 128, or
    256-bit
    encryption.
    ...
    The D-Link AirPlus DI-614+ is the ideal networking solution for small
    offices,
    home offices, schools, coffee shops and other small businesses that
    cater to the
    public.

    DETAILS:

    The DI-614+ SOHO router (latest firmware rev 2.30) suffers a "script
    injection over dhcp" vulnerability.
    Using DHCP as a vector, arbitrary and malicious scripting can be
    injected into the DHCP administrative and logs pages (if enabled)

    Scripting sent in such a way will be executed on behalf of the unaware
    administrator when he consult the web based management interface and
    lead to the complete compromising of the
    firewall/router giving full access to the administrative account.

    The DI-614+ does not filter user supplied data passed through the DHCP
    HOSTNAME option.
    Basically, it first truncates the string to 20 characters and displays
    it AS IS in the DHCP and log pages
    opening a large hole that can easily be exploited for instance:
    to change the administrator password (doesn't require his current
    password), to reboot the box, to reset the box's factory settings.

    Because the DLINK 614+ is used, among others, by coffee shops, a
    successful exploitation may have very serious impact.

    EXPLOITATION:

    As an example, one can inject a script designed to force the
    administrator into restoring the box default settings
    using this nasty little script:

    <iframe height=0 width=0 src='restore.cgi'>

    where a call to restore.cgi indeed restore the box factory defaults.

    problem #1:

    the DI-614+ will truncate this code into:

    <iframe height=0 wid ** CGI ADDED STUFF **

    20 characters is obviously not enough to do something useful here.
    Splitting this script into 3 parts, sending each of them in a
    different DHCPREQUEST along
    with a different CLIENTID option or Mac address will create 3 new
    differents entries in the DHCP admin page.
    something like:

    <iframe height=0 wid** CGI ADDED STUFF **
    th=0 src='restore.cgi'** CGI ADDED STUFF **
    | ** CGI ADDED STUFF **

    problem #2:

    the result is still bogus from a browser perspective, because of the
    other tags (noted above as CGI ADDED STUFF) inserted between
    each new entry.
    However a dirty trick allows to circumvent this problem by finishing
    each fragment with an id option and doing so, quoting the ** CGI added
    stuff **.
    like this (this time in four packets):

    <iframe id='**CGI ADDED STUFF**
    ' height=0 id='**CGI ADDED STUFF**
    ' width=0 id='**CGI ADDED STUFF**
    ' src='restore.cgi'>

    Result is quite awful for a human but also readable for most browsers,
    afterwhat, next time the site administrator opens the DHCP page,
    he will automaticaly, and without notice, restores the box default
    password (blank), disable wireless encryption, etc...
    Finally X has to connect to 192.168.0.1 (default address), and voila !
    he is administrator.

    This vulnerability can be exploited from both wire and wireless networks.
    The solution is simply to filter the HOSTNAME DHCP option supplied by
    users by escaping html meta-characters

    VENDOR:

    DLINK's support staff has been contacted by May 24th but didn't reply
    to my questions
    No idea if a new firmware will be made available soon and even if they
    are currently working on it
    It looks like they just don't care too much about security.

    WORKAROUND:
    Use static leasing only (it fixes the hostname) otherwise just use a
    real dhcpd daemon (and disable DLINK dhcpd)

    VULNERABLE:

    firmware up to rev 2.30 (latest)

    AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (MingW32)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
     
    iD8DBQFA1pCm9K2fGbOmSdYRAvc4AJ4gT9EItfhuZMeVAzUaI1hT+3fIYQCgwKHI
    UCcDdfB/Un1DAsxOY6MLmtY=
    =plei
    -----END PGP SIGNATURE-----


  • Next message: liudieyu_at_umbrella.name: "IE/0DAY -> Insider Prototype"

    Relevant Pages

    • Script injection in DNSONE appliance
      ... TYPE: Script injection over DHCP ... The hardened appliance design and intuitive graphical user interface ... to fool the site administrator ...
      (Bugtraq)
    • Re: remote ip configuration
      ... > I'm trying to write a script that would allow me to completely control Local ... > configuration on the target workstation (it can be seen from its Local Area ... I use this to set DHCP and obtain DNS servers. ...
      (microsoft.public.scripting.wsh)
    • Re: Change computer dns to automatic
      ... you can use the script below to change all IP-settings to DHCP on the ... Dim wmiRoot, wmiQuery ... I am using DHCP for my ... >I am looking for a way to change all the dns configuration on all the XP ...
      (microsoft.public.windows.server.scripting)
    • Re: Enable DHCP using GP...?
      ... You can assign a startup script via GPO to the computer objects that will ... netsh interface ip set WINS "Local Area Connection" dhcp ...
      (microsoft.public.win2000.group_policy)
    • Re: DHCP and VBScripting
      ... I just tried to run my script on a mchine after installing the DHCP COm ... after the install, fo some reason it doesn't do this as part of the ... strText = objExec.StdOut.ReadLine ...
      (microsoft.public.scripting.vbscript)