Re: possible exploit: D-Link DI-804 unauthorized DHCP release from WAN

From: Roger McLaren (RMcLarenat_private)
Date: Thu Aug 22 2002 - 13:22:05 PDT


    I have seen this on my DI-804.
    
    The problem is actually broader than just a DoS. Specifically, the
    'Device Information' and 'Device Status' pages are accessible without
    logging in.
    
    The device information page lists the device name, firmware version,
    and the MAC addresses for both the LAN and WAN interface.
    
    The Device Status page lists the connection information (i.e. WAN IP,
    netmask and DNS), allows DHCP release and renew, and displays the local
    LAN DHCP log. The DHCP log lists all (not just those allocated by DHCP)
    IP addresses on the LAN (it is really more of an ARP table) and their
    associated MAC addresses.
    
    This is especially valuable information if you happen to have a
    wireless LAN that uses MAC access control lists.
    
    If you MUST use remote administration, I would strongly suggest
    changing the HTTP port and implementing WAN filters.
    
    Roger R. McLaren
    Systems Support Analyst
    Information Technology Services
    Ventura County Superintendent of Schools Office
    
    
    
    
    >>> Jens Jensen <jpj@netcom-usa.com> 08/22/02 12:06AM >>>
    
    
    Problem: malicious user can release DHCP client on D-Link DI-804 router,
    interrupting network communications
    
    I need some other D-Link DI-804 users (as well as other D-Link routers)
    to see if they can reproduce this problem.
    With "remote administration" mode enabled to any IP (web interface wide
    open on the WAN side), it seems that a malicious user can activate DHCP
    release/renew without first being authenticated as the admin (privileged
    user).
    
    The web page that I can get to on the D-Link built-in web interface is
    http://xxx.xxx.xxx.xxx/release.htm
    where xxx.xxx.xxx.xxx is the IP address of your router, specifically,
    for these purposes, the WAN IP address.
    
    firmware: 4.68
    device: DI-804
    
    This would be a BAD thing, since an attacker could interrupt
    communications on the router.
    This can be temporarily fixed by either disabling "remote
    administration" or limiting the IP addresses allowed to remote admin.
    I have submitted this to D-Link support.
    I'm also wondering what other D-Link routers this could affect.
    
    Jens Jensen
    MCP, CCNA
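The two posts above describe the same class of flaw: with remote administration enabled, the router serves pages such as /release.htm (and, per the reply, the Device Information and Device Status pages) to any WAN client with no login, and the status page leaks the LAN IP/MAC table. The script below is an added example, not code from either poster or from D-Link, for checking whether a device behaves this way from the WAN side. It issues read-only GETs with no credentials and reports every page that comes back without an authentication challenge, then pulls any MAC addresses out of the pages it got. Only the path /release.htm comes from the thread; the other paths, the mock "router" used so the script runs offline, and the MAC addresses in it are constructed placeholders and do not describe real DI-804 firmware. It never submits the release/renew form.

```python
"""Probe a router's HTTP admin interface for pages served without authentication.

Added example (not from the original posts).  /release.htm is the only path
taken from the report; every other path, page body and MAC address below is
constructed for illustration.
"""
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Pages that should require a login.  /release.htm is from the report; the rest
# are hypothetical names standing in for the Device Status/Information pages.
CANDIDATE_PATHS = ["/release.htm", "/status.htm", "/info.htm", "/admin.htm"]

# Matches 00:11:22:33:44:55 and 00-11-22-33-44-55 style addresses.
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")


def probe_unauthenticated(base_url, paths=CANDIDATE_PATHS, timeout=5):
    """Return {path: body} for each path served with 200 and no auth challenge.

    Read-only: plain GETs with no credentials, no form submission.  A 401/403
    (raised as HTTPError by urllib) counts as protected, as does a 200 page
    that looks like a login form (mentions a password field).
    """
    exposed = {}
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "remote-admin-check"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                if resp.status != 200:
                    continue
                body = resp.read(65536).decode("latin-1", "replace")
        except urllib.error.HTTPError:
            continue          # 401/403/404: not reachable without a login
        except urllib.error.URLError:
            continue          # filtered port or unreachable host
        if "password" in body.lower():
            continue          # heuristic: a login form, not the real page
        exposed[path] = body
    return exposed


def extract_macs(page_body):
    """Return the MAC addresses listed on a leaked status/DHCP-log page."""
    return MAC_RE.findall(page_body)


class _MockRouterHandler(BaseHTTPRequestHandler):
    """Constructed stand-in reproducing the reported behaviour for offline runs."""
    OPEN_PAGES = {
        "/release.htm": (b"<html><body><form method='post' action='/release.htm'>"
                         b"<input type='submit' name='release' value='Release'>"
                         b"<input type='submit' name='renew' value='Renew'>"
                         b"</form></body></html>"),
        "/status.htm": (b"<html><body>WAN IP 203.0.113.10<table>"
                        b"<tr><td>192.168.0.2</td><td>00-11-22-33-44-55</td></tr>"
                        b"<tr><td>192.168.0.3</td><td>00:11:22:33:44:66</td></tr>"
                        b"</table></body></html>"),
    }

    def do_GET(self):
        body = self.OPEN_PAGES.get(self.path)
        if body is None:                       # everything else demands a login
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):              # keep the demo quiet
        pass


def start_mock_router():
    """Start the constructed mock on a free loopback port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _MockRouterHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def run_check(base_url=None):
    """Probe base_url (or the mock if none given) and summarise what leaked."""
    srv = None
    if base_url is None:
        srv, base_url = start_mock_router()
    try:
        exposed = probe_unauthenticated(base_url)
    finally:
        if srv is not None:
            srv.shutdown()
            srv.server_close()
    return {path: extract_macs(body) for path, body in exposed.items()}


if __name__ == "__main__":
    for path, macs in run_check().items():
        print("EXPOSED without login: %s  leaked MACs: %s" % (path, macs or "none"))
```

Against a real device, pass the WAN URL (for example `run_check("http://xxx.xxx.xxx.xxx")`) from a host outside the LAN; an empty result means every candidate page demanded a login or the port was filtered, which is what the two mitigations in the thread (disabling remote administration, or restricting it to specific source addresses and changing the port) should produce.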
    



    This archive was generated by hypermail 2b30 : Thu Aug 22 2002 - 13:36:24 PDT