D-Link Captcha Redux

May 20th, 2009

A few sites have picked up on our D-Link captcha bypass post, and we’re seeing a lot of people who misunderstand the vulnerability, and the purpose of captchas in general. I’d like to address some of the comments that we’ve seen, and to clarify a few points:

[the captcha is] not really broken. It’s circumvented, but not broken.

Agreed; we’re still looking into some OCR engines that might be used to break the captcha completely. Perhaps a more fitting title would have been “D-Link Captcha Implementation Partially Broken”.

It turns out all that’s required to access the router’s setup page is the hash, so the feature provides an easy way for anyone within range to access the panel that controls all kinds of sensitive settings and contains the WPA password.

No, you cannot access the full router control panel with this vulnerability. Only a few pages (basically any XML page) honour authentication without captcha, one of which is the WPS activation page. Once WPS is activated, anyone within WiFi range can access the network, and then they can access the router control panel.

If you use a dictionary or simple alphanumeric passphrase then it can’t be brute forced unless they pass the CAPTCHA too.
Yes, it’s very annoying on web pages. But on a router page you might use once a month? It’s not such a bad idea.

Actually, if you look at the threat that the captcha is supposed to prevent, it is a terrible idea. A captcha does not provide security; it only attempts to prove that whoever performed a given HTTP request was a person. Yes, captchas may block automated attacks (assuming that the bot cannot break the captcha, which bots have been known to do), but remember that the threat consists of a trojan running on the client’s PC that is used to attack the router. What’s stopping the malware from sending the image back to the attacker, who can then read it and tell the trojan what it says? Yes, as shocking as it may seem, hackers are people too.


D-Link Captcha Partially Broken

May 12th, 2009

Hack-A-Day reported on D-Link’s new captcha system designed to protect against malware that alters DNS settings by logging in to the router using default administrative credentials. I downloaded the new firmware onto our DIR-628 to take a look, and quickly found a flaw in the captcha authentication system that allows an attacker to glean your WiFi WPA pass phrase from the router with only user-level access, and without properly solving the captcha.


DNS Load Balancing For Fun And Profit

May 11th, 2009

UPDATE: Unfortunately, this method of anti-DNS pinning does not work quite as we had observed in the lab. As it happens, browsers (IE and FF), if given multiple IP addresses in a DNS response, will always try a private IP address first, regardless of the order in which the IP addresses are listed in the DNS response. If all of the IP addresses in the response are private IPs, then the browser will try them in order (which is why this technique worked during our lab testing, since all of our lab IPs were non-routable). Unfortunately, this prevents the use of this attack as we had previously described. It can still be used in some circumstances, such as an internal attacker attempting to leverage IP-based ACLs, or it can be used to give an external attacker access to Web services running on the localhost (such as CUPS, or bittorrent clients). We’re leaving all of our original post below as even these limited scenarios may be useful attack vectors; in the mean time, we’re going back to the drawing board to examine more traditional anti-DNS pinning attacks.


Cracking WPA With CSRF Attacks

May 11th, 2009

Over the past year, a lot of vulnerabilities have been found in various home routers, and it should be noted that almost all SOHO routers are vulnerable to CSRF attacks. By combining CSRF with authentication bypass vulnerabilities or default logins, an attacker can modify practically any router setting s/he desires. However, the crux of CSRF is that while it can be used to force the browser to make requests, the attacker’s code can’t view the response from these requests thanks to the browser’s same-domain policy.

We’ve already talked about our hardware-based attacks against WiFi-Protected Setup, but even without physical access to the router, WPS can still be leveraged by an attacker to gain access to a secured wireless network. Why try to crack a 60-character WPA2 key when you can run a phishing attack and force the router to give you the key instead? It’s as simple as creating an HTML image tag.


Building WPA Hardware Backdoors

May 11th, 2009

It used to be that building a hardware back door into a router was a difficult, resource-intensive task that only the most skilled hardware hacker would dare to undertake, but thanks to a new feature prevalent in nearly all new SOHO routers, just about anyone can build such a back door.

This new feature is called WiFi-Protected Setup. WPS is a standard designed to ease the distribution of strong WPA/WPA2 encryption keys. Anyone who has tried to enter a 60-character WPA key into a Wii will immediately appreciate WPS; when you want to add a new client to your wireless network, you simply push a button on the router, push a button on the client (clients typically have “soft” buttons), and the two will negotiate an 802.11 EAP session which the router uses to securely send the network encryption key to the client.

Unfortunately, along with this ease-of-use, WPS brings a whole new threat into SOHO router networks: physical attacks. Physical tampering with a router used to mean some malicious person bringing in a laptop, plugging it into the router, and trying to brute force the router login. But now, an attacker can install a simple hardware back door which activates WPS at a specified interval. In fact, in some cases this can be done with nothing more than a stick of gum.


WiFinger Signatures Request

May 10th, 2009

As you may know, we recently released our WiFinger tool for fingerprinting wireless access points. However, fingerprinting tools are only as good as their signature database, and while we have a handful of popular signatures already, we need more. So if you want to contribute to this project, one of the best ways to help is to send us pcap files of 802.11 beacon packets for access points and routers that we don’t already have in our database.

Specifically, here’s what we’ll need:

  • If the access point supports WPA and/or WPS, enable both of those features. This can help us in creating more robust signatures.
  • Place your wireless card in monitor mode and use Wireshark to capture the access point’s beacon packets (we only need one beacon packet, so don’t feel like you have to capture large amounts of data).
  • Save the Wireshark capture and send us the pcap file along with as much information as you can about the access point (vendor, model, firmware version, hardware revision, etc).
  • Send all submissions to dev [at] sourcesec.com.


Hacking The Network Inside Out

May 9th, 2009

We just finished our talk at ChicagoCon, and it was awesome! We’re posting the slides up here for those of you who couldn’t make it to the con. A quick overview of our talk:

Our presentation focuses on SOHO router security, specifically, exploiting router vulnerabilities to gain direct access to the internal WiFi network without having to crack encryption keys.

We discuss various methods of router reconnaissance, including some new tools that we’ve written specifically for this purpose, how to obtain WPA keys using simple HTML img tags, and how to own the WiFi network remotely using anti-DNS pinning attacks.

We even throw in some hardware hacks, describing how to implant a hardware backdoor into a router’s WPA encryption using nothing more than a stick of gum or a simple $8 circuit.

Download the slides here!

WPScan & WPSpy Tools

May 9th, 2009

These are the Wifi-Protected Setup tools that we presented at ChicagoCon.

WPScan actively sends 802.11 probe requests to access points that advertise WPS support. It then parses out the WPS Information Element in the resulting probe response and displays the results. This is a very useful fingerprinting tool since nearly all new routers have WPS enabled by default, and most vendors will actually put the exact make, model, and version of the router in the probe response!

WPSpy is a tool that simply monitors and reports changes in the WPS status of an access point. This is particularly useful if you are running some of our described attacks that leverage WPS to gain access to the WLAN.


WiFinger Passive Wireless Fingerprinting Tool

May 9th, 2009

Here is one of the tools we presented at our ChicagoCon talk. It passively identifies wireless access points based on matching the Information Elements in their beacon packets against a fingerprint database. It is written in Python and uses Scapy, and has been tested in Linux.
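To show what the WPScan/WPSpy tools above and WiFinger are doing under the hood, here is an added example (not the WiFinger, WPScan or WPSpy source) that parses the tagged-parameters section of an 802.11 beacon body, decodes the WPS vendor-specific Information Element, matches the result against a fingerprint database, and reports changes in WPS state between two beacons from the same access point. It uses only the Python standard library instead of Scapy; the beacon bytes, the SSID “lab-ap1”, the vendor “ExampleNet”, the model “WR-100” and both signature database entries are constructed for this example. The WPS attribute IDs are the ones defined in the Wi-Fi Protected Setup specification.

```python
"""Beacon IE parsing, WPS IE decoding, fingerprint matching and WPS-state
change detection.  Added example; the sample beacon and signatures are constructed."""
import struct

# Vendor-specific IE (ID 221) payload starts with the Microsoft OUI 00:50:f2
# followed by type 0x04, which identifies a WPS IE.
WPS_OUI_TYPE = b"\x00\x50\xf2\x04"

# WPS attribute IDs (Wi-Fi Protected Setup specification, TLV: 2-byte ID, 2-byte length)
WPS_ATTRS = {
    0x104A: "version",
    0x1044: "wps_state",            # 1 = not configured, 2 = configured
    0x1041: "selected_registrar",   # flips to 1 while the AP has WPS activated
    0x1021: "manufacturer",
    0x1023: "model_name",
    0x1024: "model_number",
    0x1011: "device_name",
}
WPS_STRING_ATTRS = {"manufacturer", "model_name", "model_number", "device_name"}

# Constructed signature database: IE layout plus, where present, WPS identity.
SIGNATURES = [
    {"name": "ExampleNet WR-100 (fw 1.0)", "ie_order": [0, 1, 3, 221],
     "manufacturer": "ExampleNet", "model_name": "WR-100"},
    {"name": "OtherCo AP-7", "ie_order": [0, 1, 3, 50, 221],
     "manufacturer": "OtherCo", "model_name": "AP-7"},
]


def parse_ies(tagged):
    """Split the tagged-parameters bytes (what follows the 12-byte fixed beacon
    header: timestamp, interval, capabilities) into (element id, body) pairs."""
    ies, i = [], 0
    while i + 2 <= len(tagged):
        eid, elen = tagged[i], tagged[i + 1]
        body = tagged[i + 2:i + 2 + elen]
        if len(body) != elen:
            break  # truncated element: stop instead of reading past the frame
        ies.append((eid, body))
        i += 2 + elen
    return ies


def parse_wps(ie_body):
    """Decode the TLV attributes that follow the OUI/type prefix of a WPS IE."""
    attrs, data, i = {}, ie_body[len(WPS_OUI_TYPE):], 0
    while i + 4 <= len(data):
        atype, alen = struct.unpack(">HH", data[i:i + 4])
        value = data[i + 4:i + 4 + alen]
        if len(value) != alen:
            break
        name = WPS_ATTRS.get(atype)
        if name in WPS_STRING_ATTRS:
            attrs[name] = value.decode("utf-8", "replace")
        elif name is not None and value:
            attrs[name] = value[0]  # single-byte attributes
        i += 4 + alen
    return attrs


def fingerprint(tagged):
    """Fingerprint = ordered list of IE ids, SSID, and decoded WPS attributes."""
    ies = parse_ies(tagged)
    fp = {"ie_order": [eid for eid, _ in ies], "ssid": None, "wps": {}}
    for eid, body in ies:
        if eid == 0:
            fp["ssid"] = body.decode("utf-8", "replace")
        elif eid == 221 and body.startswith(WPS_OUI_TYPE):
            fp["wps"] = parse_wps(body)
    return fp


def match_signature(fp):
    """Return the name of the first signature whose IE layout and WPS identity match."""
    for sig in SIGNATURES:
        if sig["ie_order"] != fp["ie_order"]:
            continue
        wps = fp["wps"]
        if wps.get("manufacturer") == sig["manufacturer"] and wps.get("model_name") == sig["model_name"]:
            return sig["name"]
    return None


def wps_changes(old_fp, new_fp):
    """WPSpy-style check: report WPS attributes that changed between two beacons."""
    changes = []
    for key in ("wps_state", "selected_registrar"):
        before, after = old_fp["wps"].get(key), new_fp["wps"].get(key)
        if before != after:
            changes.append(f"{key}: {before} -> {after}")
    return changes


def _ie(eid, body):
    return bytes([eid, len(body)]) + body


def _wps_attr(atype, value):
    return struct.pack(">HH", atype, len(value)) + value


def build_sample(selected_registrar):
    """Constructed beacon tagged parameters: SSID, rates, DS parameter, WPS IE."""
    wps = (WPS_OUI_TYPE + _wps_attr(0x104A, b"\x10") + _wps_attr(0x1044, b"\x02")
           + _wps_attr(0x1041, bytes([selected_registrar]))
           + _wps_attr(0x1021, b"ExampleNet") + _wps_attr(0x1023, b"WR-100"))
    rates = bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])
    return _ie(0, b"lab-ap1") + _ie(1, rates) + _ie(3, b"\x06") + _ie(221, wps)


if __name__ == "__main__":
    idle, active = fingerprint(build_sample(0)), fingerprint(build_sample(1))
    print(idle["ssid"], "->", match_signature(idle))
    print("WPS changes:", wps_changes(idle, active))
```

With a live capture, the `tagged` argument is the bytes after the fixed beacon fields (Scapy exposes them as the payload of `Dot11Beacon`); the matcher deliberately requires the whole IE layout to match before consulting the WPS identity, since the IE order is what survives when a vendor leaves the WPS strings blank.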

Currently we only have a handful of signatures, so if you want to contribute to this tool, here’s what you can do:

  1. Get your access point and enable WPA and WPS (if supported).
  2. Capture the beacon frames that your access point is broadcasting and save them to a pcap file.
  3. Send us the pcap file along with as much information about the access point as you can (make, model, firmware version, hardware revision, ESSID and BSSID).

Once we get your submission we’ll generate a signature for it and update the WiFinger database file. We think this tool has a lot of great potential, so we welcome any and all submissions – if you’ve got a router, let’s put it in there!

WiFinger can be downloaded here.
