Date: Thu, 6 Sep 2001 19:54:06 -0400
From: Fate Research Labs <loki@fatelabs.com.>
To: [email protected]Subject: Malformed Fragmented Packets DoS Dlink Firewall/Routers
Cc: [email protected], [email protected]
------=_NextPart_000_002E_01C1370D.AF77A180
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
____
/ /\
/____/ \____
\ \ / /\
_______________ \____\ _/ \ _____________________________________
__/__ /\ \ / Fate Research Labs Security Advisory
\ \/ /\ /\/\ Networking Division
\____\/__\/ \ \
\ \ /\ \
\____\/__\/
--------------------------------------------------------------------
Details: DLink Firewall/Router Vulnerable to Malformed
Fragmented Packets
Advisory ID: F8-DLINK20010906
Issue date: 062001SEPT
Fate Division: Networking
Researcher: Jonas <jonas@fatelabs.com.>
Position: Research Scientist
Severity: Medium/High
Vendor Status: Contacted: No Response
Vendor Web Site: http://www.dlink.com
Platform: Confirmed on D-Link 704 home broadband
firewall/router.
Exploit Available: http://www.fatelabs.com
____________________________________________________________________
1. Summary
The popular home broadband sharing device Dl-704 by DLink Technologies
can easily be DoS'ed through malformed fragmented packets. Utilizing any
standard packet crafting tool for these packets, generating a large
number of identical/incorrectly fragmented IP packets causing the router
to immediately stop forwarding packets and after approx. 2 minutes will
require a reboot.
1a. Fragmentation
The DoS relies on an exploit involving IP fragmentation, which is a
process whereby IP datagrams are subdivided into smaller data packets
during transit. Fragmentation is required because every network
architecture carries data in groups called frames, and the maximum
frame size varies from network to network. When an IP datagram enters
a network whose maximum frame size is smaller than the size of the
datagram, it is split into fragments. Thereafter, the fragments
travel separately to their destination, at which point they are
re-assembled and processed.
3. Exploit
Fate Research Labs felt it would be a waste of valuable
resources to recreate the wheel. Why rewrite code that is already
available? Jolt2.c or hping2 can be downloaded from your favorite
neighborhood sploit store. These 2 tools will accomplish the
same effect.
4. Patch Details
Download new firmware. V2.56b6 or later will fix it.
http://www.dlink.com.tw/2000e/download/download.htm
The US site only holds V2.55b15.
5. Shouts!
You bitches thought Fate Labs was dead?! In the words of M1ch34L
J4cKs0N y0! "You ain't seen nuthin yet!" Shouts to ph33r,
Denatus, Soundman, Punisher, the coolio rehashed, Banned-it
and all @fate labs! "Let them hate us, provided
they fear us." Long live our reign!
6. Standard Hello To anti.security.is
A big fuck you to the arrogant bastards at anti.security.is.
You are nothing more than a gaggle of Beetlejuice elitists
trying to keep your 0day spl0it-pot from being released. Look
at the beliefs you stand for before judging the beliefs of
others. You claim that your beliefs protect the security vendors
by "eliminating the communication medium for new exploits?"
Maybe if they knew that you wanted to stop full disclosure
so you could keep using your 0day on their customers networks
without fear of it publishing on Bugtraq, you wouldn't look like
such heroes. "Save a bug?" Here's your fucking bug, its dead, we
squashed it with our 31337 0day advisory.
- Fate Research Labs
Soldiers for Full Disclosure
____
/ /_____
/ // \
/ / \ \ \
/.__/ \ \__ .\
//___\\ \ / \_____//__________________________________________
\____/ F8
------=_NextPart_000_002E_01C1370D.AF77A180
Content-Type: text/plain;
name="f8-dlink20010906.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="f8-dlink20010906.txt"
____
/ /\=20
/____/ \____ =20
\ \ / /\ =20
______________ \____\ _/ \ =
__________________________________________________
__/__ /\ \ / Fate Research Labs Security Advisory
\ \/ /\ /\/\ Networking Division
\____\/__\/ \ \ =20
\ \ /\ \ =20
\____\/__\/=20
-------------------------------------------------------------------------=
----------
=20
Details: DLink Firewall/Router Vulnerable to Malformed =
Fragmented Packets
Advisory ID: F8-DLINK20010906
Issue date: 062001SEPT
Fate Division: Networking
Researcher: Jonas <jonas@fatelabs.com.>
Position: Research Scientist
Severity: Medium/High
Vendor Status: Contacted: No Response
Vendor Web Site: http://www.dlink.com
Platform: Confirmed on D-Link 704 home broadband =
firewall/router.=20
Exploit Available: http://www.fatelabs.com=20
_________________________________________________________________________=
_________
1. Summary
The popular home broadband sharing device Dl-704 by DLink Technologies
can easily be DoS'ed through malformed fragmented packets. Utilizing any =
standard packet crafting tool for these packets, generating a large =
number of=20
identical/incorrectly fragmented IP packets causing the router to=20
immediately stop forwarding packets and after approx. 2 minutes will =
require a=20
reboot.
1a. Fragmentation
The DoS relies on an exploit involving IP fragmentation, which is a=20
process whereby IP datagrams are subdivided into smaller data packets=20
during transit. Fragmentation is required because every network=20
architecture carries data in groups called frames, and the maximum=20
frame size varies from network to network. When an IP datagram enters=20
a network whose maximum frame size is smaller than the size of the=20
datagram, it is split into fragments. Thereafter, the fragments=20
travel separately to their destination, at which point they are=20
re-assembled and processed.=20
3. Exploit
Fate Research Labs felt it would be a waste of valuable
resources to recreate the wheel. Why rewrite code that is already
available? Jolt2.c or hping2 can be downloaded from your favorite=20
neighborhood sploit store. These 2 tools will accomplish the
same effect.=20
4. Patch Details
Download new firmware. V2.56b6 or later will fix it.
http://www.dlink.com.tw/2000e/download/download.htm
The US site only holds V2.55b15.
5. Shouts!
You bitches thought Fate Labs was dead?! In the words of M1ch34L=20
J4cKs0N y0! "You ain't seen nuthin yet!" Shouts to ph33r,
Denatus, Soundman, Punisher, the coolio rehashed, my buddy Loki,=20
and all @fate labs! "Let them hate us, provided they fear us." Long
live our reign!
6. Standard Hello To anti.security.is
A big fuck you to the arrogant bastards at anti.security.is. You are=20
nothing more than a gaggle of Beetlejuice elitists trying to keep your =
0day=20
spl0it-pot from being released. Look at the beliefs you stand for before =
judging the beliefs of others. You claim that your beliefs protect the=20
security vendors by "eliminating the communication medium for new =
exploits?"=20
Maybe if they knew that you wanted to stop full disclosure so you could=20
keep using your 0day on their customers networks without fear of it=20
publishing on Bugtraq, you wouldn't look like such heroes.
"Save a bug?" Here's your fucking bug, its dead, we squashed it with our
31337 0day advisory.
- Fate Research Labs
Soldiers for Full Disclosure
____
/ /_____
/ // \
/ / \ \ \
/.__/ \ \__ .\
//___\\ \ / =
\_____//________________________________________________________
\____/ F8
------=_NextPart_000_002E_01C1370D.AF77A180--
