D-Link Captcha Partially Broken
May 12th, 2009
Hack-A-Day reported on D-Link’s new captcha system designed to protect against malware that alters DNS settings by logging in to the router using default administrative credentials. I downloaded the new firmware onto our DIR-628 to take a look, and quickly found a flaw in the captcha authentication system that allows an attacker to glean your WiFi WPA pass phrase from the router with only user-level access, and without properly solving the captcha.
When you log in with the captcha enabled, the request looks like this:
GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a&auth_code=0C52F&auth_id=268D2
The hash is a salted MD5 hash of your password, the auth_code is the captcha value that you entered, and the auth_id is unique to the captcha image that you viewed (this presumably allows the router to check the auth_code against the proper captcha image). The problem is that if you leave off the auth_code and auth_id values, some pages in the D-Link Web interface think that you’ve properly authenticated, as long as you get the hash right:
GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a
Most notably, once you’ve made the request to post_login.xml, you can activate WPS with the following request:
GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0
When WPS is activated, anyone within WiFi range can claim to be a valid WPS client and retrieve the WPA passphrase directly from the router.
Further, one need not log in with Administrative credentials to perform this attack; only User-level access is required to activate WPS. This means that even if you load the new firmware on your router, use a strong WPA pass phrase, and change your Administrative login, an attacker can still activate WPS and gain access to your wireless network by simply having an internal client view a Web page.
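The login check described above can be modelled in a few lines. This is an added example, not D-Link's firmware code: the function names, the session dictionary and the sample hash are assumptions, and the flawed version shows only the observed behaviour (the captcha is checked only when the client sends it) next to a check that requires it.

```python
import hmac

# Constructed sample state; no value here comes from a real device.
EXPECTED_HASH = "0f" * 20        # hash the router expects for the current salt
CAPTCHAS = {"268D2": "0C52F"}    # auth_id -> answer, reusing the ids shown above


def _same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def login_flawed(params, session):
    """Model of the bug: the captcha is verified only if the client supplies it."""
    if not _same(params.get("hash", ""), EXPECTED_HASH):
        return False
    if "auth_code" in params and "auth_id" in params:
        if CAPTCHAS.get(params["auth_id"]) != params["auth_code"]:
            return False
    session["authenticated"] = True   # also reached when both fields are absent
    return True


def login_hardened(params, session, pending):
    """Require the hash AND a solved captcha; any failure leaves the session locked."""
    session["authenticated"] = False
    hash_ok = _same(params.get("hash", ""), EXPECTED_HASH)
    # pop() consumes the challenge, so one captcha image allows one attempt.
    expected = pending.pop(params.get("auth_id"), None)
    auth_code = params.get("auth_code")
    captcha_ok = (expected is not None and auth_code is not None
                  and _same(auth_code, expected))
    if hash_ok and captcha_ok:
        session["authenticated"] = True
    return session["authenticated"]
```

Every page that changes configuration, including the WPS activation page, should then test the same `authenticated` flag rather than its own notion of a valid login.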
The attack works like this:
- Malware loads the router’s index page and gleans the salt generated by the router.
- The malware uses the salt to generate a login hash for the D-Link User account (blank password by default).
- The malware sends the hash to the post_login.xml page.
- The malware sends a request to the wifisc_add_sta.xml page, activating WPS.
- The attacker uses WPSpy to detect when the victim’s router is looking for WPS clients, and connects to the WiFi network using a WPS-capable network card.
Additionally, this vulnerability could be triggered by a simple JavaScript snippet using anti-DNS pinning, which removes the requirement for the attacker to have installed malware onto a machine inside the target network; the victim could be exploited by simply browsing to an infected Web page.
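The request sequence above leaves a recognisable trace in any record of HTTP traffic to the router's Web interface. The following detection sketch is an added example, not part of the original post; the log line format and the sample entries are constructed, and the function name is hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: "<client-ip> <method> <request-target>" per line, an assumed
# export format for captured traffic to the router's web interface.
SAMPLE_LOG = """\
192.168.0.23 GET /post_login.xml?hash=aaaa&auth_code=0C52F&auth_id=268D2
192.168.0.23 GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0
192.168.0.42 GET /post_login.xml?hash=bbbb
192.168.0.42 GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0
192.168.0.57 GET /post_login.xml?hash=cccc
"""


def find_captcha_bypass(log_text):
    """Return (client, finding) tuples for logins that omitted the captcha fields."""
    findings = []
    no_captcha_login = set()   # clients whose latest login lacked auth_code/auth_id
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue           # skip lines that do not match the assumed format
        client, _method, target = parts
        url = urlsplit(target)
        query = parse_qs(url.query, keep_blank_values=True)
        if url.path == "/post_login.xml":
            if "auth_code" in query and "auth_id" in query:
                no_captcha_login.discard(client)
            else:
                no_captcha_login.add(client)
                findings.append((client, "login without captcha fields"))
        elif url.path == "/wifisc_add_sta.xml" and query.get("method") == ["pbutton"]:
            if client in no_captcha_login:
                findings.append((client, "WPS activated after captcha-less login"))
    return findings


if __name__ == "__main__":
    for client, finding in find_captcha_bypass(SAMPLE_LOG):
        print(client, finding)
```

On a router with the captcha disabled every login lacks these fields, so the first finding is only meaningful where the captcha is enabled.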
May 19th, 2009 at 11:01 am
[...] Here’s how the attack works: [...]
May 19th, 2009 at 7:55 pm
[...] all time. The team from SourceSec grabbed the new firmware and began poking at it. They found that certain pages don’t require the authentication to be passed for access. One of these is WPS activation. WPS lets you do push button WPA [...]
May 20th, 2009 at 1:32 am
[...] More info here- http://www.sourcesec.com/2009/05/12/…tially-broken/ [...]
May 20th, 2009 at 5:36 am
[...] having an internal client view a website”, according to the researchers. In this advisory they describe the attack, which works both with and without malware. [...]
May 26th, 2009 at 2:17 pm
[...] in order to phish users on the local network. SourceSec Security Research is reporting that an implementation problem bug in the firmware allows the CAPTCHA to be bypassed in some cases. In fact, the bypass appears to be quite easy: just ignore the CAPTCHA parts of the login request [...]
May 28th, 2009 at 6:04 am
[...] The folks at sourcesec discovered a vulnerability in Dlink's dir-628 router. The CAPTCHA authentication system can be bypassed and the administration password can be obtained. [...]
June 10th, 2009 at 12:32 pm
[...] to the router. According to specialists at Sourcesec, the default user access password on D-Link modems is blank, which allows the attack to be carried out easily. And it is not even necessary to break the [...]