OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Roger McLaren (RMcLaren_at_vcss.k12.ca.us)
Date: Thu Aug 22 2002 - 15:22:05 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    I have seen this on my DI-804.

    The problem is actually broader than just a DOS. Specifically, the
    'Device Information' and 'Device Status' pages are accessible without
    logging in.

    The device information page lists the device name, firmware version,
    and the MAC addresses for both the LAN and WAN interface.

    The Device Status page lists the connection information... ie: WAN IP,
    Netmask and DNS, Allows DHCP release and renew, and displays the local
    LAN DHCP log. The DHCP log lists all (not just those allocated by DHCP)
    IP addresses on the LAN (It is really more of an ARP table), and their
    associated MAC address.

    This is especially valuable information if you happen to have a
    wireless LAN that uses MAC access control lists.

    If you MUST use remote administration, I would strongly suggest
    changing the HTTP port and implementing WAN filters.

    Roger R. McLaren
    Systems Support Analyst
    Information Technology Services
    Ventura County Superintendent of Schools Office

    >>> Jens Jensen <jpjnetcom-usa.com> 08/22/02 12:06AM >>>

    Problem: malicious user can release DHCP client on D-Link DI-804 router

    interrupting network communications

    I need some other D-Link DI-804 users (as well as other dlink routers)
    to
    see if they can reproduce this problem--
    With "remote administration" mode enabled to any IP (web interface wide

    open
    on WAN side), It seems that a malicious user can activate DHCP
    release/renew without first being authenticated as the admin
    (priviledged
    user)

    the webpage that I can get to on the dlink built in web interface is
    http://xxx.xxx.xxx.xxx/release.htm
    where xxx.xxx.xxx.xxx is the ip address of your router, specifically
    for
    these purposes, the wan ip address

    firmware: 4.68
    device: DI-804

    This would be a BAD thing, since an attacker could interrupt
    communications
    on the router
    This can be temporarily fixed by either disabling "remote
    administration"
    or limiting the IP addresses allowed to remote admin.
    I have submitted this to D-Link support.
    I'm also wondering what other D-Link routers this could affect.

    Jens Jensen
    MCP, CCNA