D-Link AirPlus DI-614+ and DI-604 DHCP Server Flooding Denial

Discussion in 'Windows Desktop Systems' started by tdinc, Jul 2, 2004.

    The D-Link DI-614+ and DI-604 are reported susceptible to a denial of service vulnerability in their DHCP service.

    By flooding the DHCP service with valid DHCP requests, the device will reportedly consume all available memory and eventually reboot.

    An attacker may be able to deny service to legitimate users of an affected device by repeatedly causing the device to reboot.

    The DI-614+ with firmware revision 2.30, and the DI-604 with unknown firmware were reported vulnerable.

    Reportedly, firmware revision 3.41 has been released for the DI-614+ Revision B device. Neither the Revision A device (with two antennas), nor the DI-604 device, have new firmware versions to resolve this issue.

    Please contact D-Link for further information.

    | The DI614+ SOHO router (latest firmware rev 2.30) will automatically
    | reboot when flooded with valid DHCP REQUEST packets built with
    | forged source mac addresses or unique CLIENTID and sent without any
    | REQUESTIP option. Upon reception of this kind of request, DLINK's
    | DI614+ normally behaves by checking if a lease is available and
    | then replying by offering an ip address along with other network
    | settings as configured through the web-based interface. However if
    | such packets are sent at a good enough rate, the DLINK box will be
    | left in an unstable state immediately followed by a system reboot.
    | Timing is quite important here and makes me think that too many
    | simultaneous requests force the SOHO router to eventually allocate
    | too much memory and thus reboot. It is actually hard to know
    | with precision where the problem actually lives since no sources
    | are made available to the public.
    |
    | Note that a reboot will clear any existing lease (as well as logs)
    | and may introduce subsequent chaos between DHCP clients. Also
    | note that only a few seconds are necessary to DOS the box this way,
    | even less time than needed by the system to reboot. So it is a
    | condition of permanent denial of service.
    |
    | DLINK 614+ is used, among others, by coffee shops, therefore a
    | successful exploitation may have very disturbing effects.
    |
    |
    | EXPLOITATION:
    |
    | This bug will NOT be triggered if a REQUESTIP DHCP option is sent
    | along with the request or if no ip address is available for dynamic
    | lease at the time of the attack.
    |
    | Also for a successful exploitation, packets must be sent at a high
    | enough rate (i.e. 50 packets/s works)
    |
    |
    | VENDOR:
    |
    | DLINK's support staff has been contacted but doesn't
    | bother to reply
    |
    |
    | WORKAROUND:
    |
    | Use static leasing only and/or disable DLINK's DHCP service
    |
    |
    | VULNERABLE:
    |
    | firmware up to rev 2.30 (latest)
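As an added example that is not part of the original post or the quoted advisory: a defender-side detector that recognises the traffic pattern the advisory describes (DHCPREQUESTs from many distinct MAC/CLIENTID values, no Requested IP option, arriving at roughly 50 packets/s or more), so a mirror port or pcap feed can raise an alert before the router falls over. The option codes (50, 53, 61) are the standard DHCP option numbers; the window and threshold values are assumptions taken from the advisory's figures, and `build_request` only constructs sample payloads to feed the detector.

```python
from collections import deque

DHCP_REQUEST = 3
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 50, 53, 61, 255
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header

def parse_dhcp(pkt):
    """Return (msg_type, client_key, has_requested_ip) for a raw DHCP payload, or None."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        return None
    chaddr = pkt[28:28 + min(pkt[2], 16)]  # hardware (MAC) address, hlen at offset 2
    msg_type, client_id, has_req_ip, i = None, None, False, 240
    while i + 1 < len(pkt) and pkt[i] != OPT_END:
        code, length = pkt[i], pkt[i + 1]
        if code == 0:                      # pad option carries no length byte
            i += 1
            continue
        val = pkt[i + 2:i + 2 + length]
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = val[0]
        elif code == OPT_REQUESTED_IP:
            has_req_ip = True
        elif code == OPT_CLIENT_ID:
            client_id = val
        i += 2 + length
    return msg_type, (client_id or chaddr), has_req_ip  # option 61 wins over chaddr

def flood_alerts(packets, window=1.0, threshold=50):
    """Sliding-window check over (timestamp, payload) pairs: one flag per packet, True when
    >= threshold distinct client keys sent REQUESTs lacking option 50 within `window` seconds."""
    events, flags = deque(), []            # events: (timestamp, client_key)
    for ts, pkt in packets:
        parsed = parse_dhcp(pkt)
        if parsed and parsed[0] == DHCP_REQUEST and not parsed[2]:
            events.append((ts, parsed[1]))
        while events and ts - events[0][0] > window:
            events.popleft()
        flags.append(len({k for _, k in events}) >= threshold)
    return flags

def build_request(mac, requested_ip=None):
    """Constructed minimal DHCPREQUEST payload (sample data for the detector only)."""
    hdr = bytearray(240)
    hdr[0], hdr[1], hdr[2] = 1, 1, 6       # op=BOOTREQUEST, htype=Ethernet, hlen=6
    hdr[28:34], hdr[236:240] = mac, MAGIC
    opts = bytes([OPT_MSG_TYPE, 1, DHCP_REQUEST])
    if requested_ip:
        opts += bytes([OPT_REQUESTED_IP, 4]) + requested_ip
    return bytes(hdr) + opts + bytes([OPT_END])
```

Requests that carry option 50, or that all come from one client key, never raise the flag, matching the advisory's note that those cases do not trigger the bug.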