D-Link Captcha Partially Broken

May 12th, 2009

Hack-A-Day reported on D-Link’s new captcha system, designed to protect against malware that alters DNS settings by logging in to the router with default administrative credentials. I downloaded the new firmware onto our DIR-628 to take a look, and quickly found a flaw in the captcha authentication system that allows an attacker to glean your WiFi WPA pass phrase from the router with only User-level access, and without properly solving the captcha.

When you login with the captcha enabled, the request looks like this:

GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a&auth_code=0C52F&auth_id=268D2

The hash is a salted hash of your password, computed client-side from the password and a salt the router embeds in its index page (it is described as salted MD5, but note that the 40 hex-character value above is 160 bits, the length of a SHA-1 digest rather than the 32 hex characters of MD5, so check the router’s login JavaScript for the exact construction). The auth_code is the captcha value that you entered, and the auth_id identifies the captcha image that you viewed (this presumably allows the router to check the auth_code against the proper captcha image). The problem is that if you leave off the auth_code and auth_id values entirely, some pages in the D-Link Web interface treat you as properly authenticated, as long as you get the hash right:

GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a

Most notably, once you’ve made the request to post_login.xml, you can activate WPS with the following request:

GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0

When WPS push-button mode is activated, anyone within WiFi range can claim to be a valid WPS client and retrieve the WPA passphrase directly from the router for as long as the push-button window stays open (roughly two minutes per activation, which is why step 5 below watches for it).

Further, one need not log in with Administrative credentials to perform this attack; only User-level access is required to activate WPS. This means that even if you load the new firmware on your router, use a strong WPA pass phrase, and change your Administrative login, an attacker can still activate WPS and gain access to your wireless network by simply having an internal client view a Web page.

The attack works like this:

  1. Malware loads the router’s index page and gleans the salt generated by the router.
  2. The malware uses the salt to generate a login hash for the D-Link User account (blank password by default).
  3. The malware sends the hash to the post_login.xml page.
  4. The malware sends a request to the wifisc_add_sta.xml page, activating WPS.
  5. The attacker uses WPSpy to detect when the victim’s router is looking for WPS clients, and connects to the WiFi network using a WPS-capable network card.

Additionally, this vulnerability could be triggered by a simple JavaScript snippet using anti-DNS pinning (DNS rebinding), which removes the requirement for the attacker to have installed malware on a machine inside the target network; the victim could be exploited by simply browsing to a malicious Web page, since the browser on the internal client then issues the same requests to the router.
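The request sequence described above (a post_login.xml request carrying only a hash, followed by wifisc_add_sta.xml with method=pbutton) is a detectable shape regardless of whether malware or a rebinding script sends it. As an added example, not code from the original post or from D-Link, the following Python detector scans HTTP access logs for that sequence. It assumes, which the page does not state, that the router’s admin HTTP traffic is visible in Common Log Format to something you control (a lab proxy or an IDS export); the sample log lines and the hash values in them are constructed for the example.

```python
"""Flag the D-Link captcha-bypass request sequence in HTTP access logs.

Added example; not code from the original SourceSec post or from D-Link.
Assumptions (not stated on the page): the router's admin HTTP traffic is
visible in Common Log Format to something you control (a lab proxy or an
IDS export), and the sample lines below are constructed for this example.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample log; H is a 40-hex placeholder, not a real digest.
H = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_LOG = f"""\
192.168.0.100 - - [12/May/2009:10:01:02 -0400] "GET / HTTP/1.1" 200 5120
192.168.0.100 - - [12/May/2009:10:01:05 -0400] "GET /post_login.xml?hash={H} HTTP/1.1" 200 112
192.168.0.100 - - [12/May/2009:10:01:06 -0400] "GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0 HTTP/1.1" 200 64
192.168.0.101 - - [12/May/2009:10:02:00 -0400] "GET /post_login.xml?hash={H}&auth_code=0C52F&auth_id=268D2 HTTP/1.1" 200 112
192.168.0.101 - - [12/May/2009:10:02:30 -0400] "GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0 HTTP/1.1" 200 64
192.168.0.102 - - [12/May/2009:10:03:00 -0400] "GET /post_login.xml?hash={H} HTTP/1.1" 200 112
this line is not in log format
"""


def parse_line(line):
    """Parse one Common Log Format line; return a dict or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify(target):
    """Map a request target (path plus query) to an event of interest, or None."""
    url = urlsplit(target)
    q = parse_qs(url.query)
    if url.path == "/post_login.xml":
        if "hash" not in q:
            return None
        # A login that carries the hash but omits either captcha field is the bypass.
        if "auth_code" in q and "auth_id" in q:
            return "login_with_captcha"
        return "login_captcha_bypass"
    if url.path == "/wifisc_add_sta.xml" and q.get("method") == ["pbutton"]:
        return "wps_pbc_activation"
    return None


def detect(lines, window_seconds=300):
    """Return findings; WPS activation shortly after a hash-only login is rated high."""
    findings = []
    last_bypass = {}  # client IP -> time of its most recent hash-only login
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        event = classify(rec["target"])
        if event is None:
            continue
        client, t = rec["client"], rec["time"]
        if event == "login_captcha_bypass":
            last_bypass[client] = t
            findings.append({"client": client, "time": t.isoformat(),
                             "severity": "medium", "event": event})
        elif event == "wps_pbc_activation":
            prior = last_bypass.get(client)
            if prior is not None and (t - prior).total_seconds() <= window_seconds:
                findings.append({"client": client, "time": t.isoformat(),
                                 "severity": "high",
                                 "event": "wps_activated_after_captcha_bypass"})
            else:
                findings.append({"client": client, "time": t.isoformat(),
                                 "severity": "low", "event": event})
    return findings


def demo():
    """Run the detector over the constructed sample and return its findings."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in demo():
        print(f"{f['severity']:<6} {f['client']:<14} {f['time']}  {f['event']}")
```

Because the rebinding variant is issued by the victim’s own browser, the source address is an internal host in both variants; the signal is the request shape (hash without auth_code/auth_id, then push-button WPS), not where it came from. A WPS activation that follows a login with both captcha fields present is reported at low severity only, since that is what a legitimate administrator does from the WPS page.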

67 Responses to “D-Link Captcha Partially Broken”

  1. D-Link router's CAPTCHA flawed, WPA passphrase retrieved | Zero Day | ZDNet.com Says:

    [...] Here’s how the attack works: [...]

  2. D-Link router captcha broken - Hack a Day Says:

    [...] all time. The team from SourceSec grabbed the new firmware and began poking at it. They found that certain pages don’t require the authentication to be passed for access. One of these is WPS activation. WPS lets you do push button WPA [...]

  3. D-Link router captcha broken @ NerdNewz.Net Says:

    [...] all time. The team from SourceSec grabbed the new firmware and began poking at it. They found that certain pages don’t require the authentication to be passed for access. One of these is WPS activation. WPS lets you do push button WPA [...]

  4. D-link routers with captcha… authentication partially broken Says:

    [...] More info here- http://www.sourcesec.com/2009/05/12/…tially-broken/ [...]

  5. D-Link router captcha broken | News for Geek Says:

    [...] all time. The team from SourceSec grabbed the new firmware and began poking at it. They found that certain pages don’t require the authentication to be passed for access. One of these is WPS activation. WPS lets you do push button WPA [...]

  6. CAPTCHA security of D-Link routers cracked Says:

    [...] having an internal client view a website”, according to the researchers. In this advisory they describe the attack, which works both with and without malware. [...]

  7. TWOH’s Scripts » D-Link router’s CAPTCHA flawed, WPA passphrase retrieved Says:

    [...] Here’s how the attack works: [...]

  8. D-Link Devices Vulnerable to CAPTCHA Bypass | WCZone Web Design! | Akron Ohio Website Design - Akron Web Development, Cleveland Web Design, Business Website,Web Programming, Akron, Summit County - Services Cuyahoga Falls Website Design Web Development, Bu Says:

    [...] in order to phish users on the local network. SourceSec Security Research is reporting that an implementation problem bug in the firmware allows the CAPTCHA to be bypassed in some cases. In fact, the bypass appears to be quite easy: just ignore the CAPTCHA parts of the login request [...]

  9. Dlink dir-628 router with a vulnerability. | RADIODELICATESSEN Says:

    [...] The sourcesec folks discovered a vulnerability in Dlink’s dir-628 router. The CAPTCHA authentication system can be circumvented and the administration password can be obtained. [...]

  10. Protection on D-Link modems and routers broken on launch day « Clik e Veja Tecnologia e TI Says:

    [...] to the router. According to specialists at Sourcesec, the default user-access password on D-Link modems is blank, which allows the attack to be carried out easily. And it is not even necessary to break the [...]
