D-Link Captcha Partially Broken
May 12th, 2009
Hack-A-Day reported on D-Link’s new captcha system designed to protect against malware that alters DNS settings by logging in to the router using default administrative credentials. I downloaded the new firmware onto our DIR-628 to take a look, and quickly found a flaw in the captcha authentication system that allows an attacker to glean your WiFi WPA pass phrase from the router with only user-level access, and without properly solving the captcha.
When you login with the captcha enabled, the request looks like this:
GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a&auth_code=0C52F&auth_id=268D2
The hash is a salted MD5 hash of your password, the auth_code is the captcha value that you entered, and the auth_id is unique to the captcha image that you viewed (this presumably allows the router to check the auth_code against the proper captcha image). The problem is that if you leave off the auth_code and auth_id values, some pages in the D-Link Web interface think that you’ve properly authenticated, as long as you get the hash right:
GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a
Most notably, once you’ve made the request to post_login.xml, you can activate WPS with the following request:
GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0
When WPS is activated, anyone within WiFi range can claim to be a valid WPS client and retrieve the WPA passphrase directly from the router.
Further, one need not log in with Administrative credentials to perform this attack; only User-level access is required to activate WPS. This means that even if you load the new firmware on your router, use a strong WPA pass phrase, and change your Administrative login, an attacker can still activate WPS and gain access to your wireless network by simply having an internal client view a Web page.
The attack works like this:
- Malware loads the router’s index page and gleans the salt generated by the router.
- The malware uses the salt to generate a login hash for the D-Link User account (blank password by default).
- The malware sends the hash to the post_login.xml page.
- The malware sends a request to the wifisc_add_sta.xml page, activating WPS.
- The attacker uses WPSpy to detect when the victim’s router is looking for WPS clients, and connects to the WiFi network using a WPS-capable network card.
Additionally, this vulnerability could be triggered by a simple JavaScript snippet using anti-DNS pinning, which removes the requirement for the attacker to have installed malware onto a machine inside the target network; the victim could be exploited by simply browsing to an infected Web page.
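A model of the flawed login check described above beside a corrected one, as an added example that is not the firmware’s code: the salt, the salt+password MD5 construction, the captcha values and the request parser are all constructed here for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed sample state for the model router: a per-page salt, the User
# account's password (blank by default, as the post notes) and the captcha the
# router issued under a given auth_id. None of these values come from the page.
SALT = "1a2b3c4d"
USER_PASSWORD = ""
ISSUED_CAPTCHAS = {"268D2": "0C52F"}  # auth_id -> expected auth_code

def login_hash(password: str, salt: str) -> str:
    """Hypothetical salted MD5 (salt + password); the firmware's exact
    construction is not documented in the post."""
    return hashlib.md5((salt + password).encode()).hexdigest()

def parse_request(request_line: str) -> dict:
    """Turn 'GET /post_login.xml?hash=..&auth_id=..' into a flat dict."""
    target = request_line.split()[1] if request_line.startswith("GET ") else request_line
    return {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}

def vulnerable_login(req: dict, issued: dict) -> bool:
    """Models the flaw: a correct hash authenticates on its own, and the captcha
    is only compared when the client chooses to send auth_code and auth_id."""
    if not hmac.compare_digest(req.get("hash", ""), login_hash(USER_PASSWORD, SALT)):
        return False
    if "auth_code" in req and "auth_id" in req:
        return issued.get(req["auth_id"]) == req["auth_code"].upper()
    return True  # captcha silently skipped when the parameters are absent

def hardened_login(req: dict, issued: dict) -> bool:
    """Corrected check: all three fields are mandatory, the captcha must match
    the challenge the router actually issued, and each challenge is single-use."""
    if any(k not in req for k in ("hash", "auth_code", "auth_id")):
        return False
    expected = issued.pop(req["auth_id"], None)  # consume the challenge: no replay
    if expected is None or not hmac.compare_digest(expected, req["auth_code"].upper()):
        return False
    return hmac.compare_digest(req["hash"], login_hash(USER_PASSWORD, SALT))

if __name__ == "__main__":
    h = login_hash(USER_PASSWORD, SALT)
    stripped = parse_request("GET /post_login.xml?hash=" + h)  # no captcha fields
    print("vulnerable, captcha omitted:", vulnerable_login(stripped, dict(ISSUED_CAPTCHAS)))
    print("hardened,   captcha omitted:", hardened_login(stripped, dict(ISSUED_CAPTCHAS)))
```

The hardened variant also rejects a replayed auth_id, which the page’s description of the original check does not cover.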
May 19th, 2009 at 11:01 am
[...] Here’s how the attack works: [...]
May 19th, 2009 at 7:55 pm
[...] all time. The team from SourceSec grabbed the new firmware and began poking at it. They found that certain pages don’t require the authentication to be passed for access. One of these is WPS activation. WPS lets you do push button WPA [...]
May 20th, 2009 at 1:32 am
[...] More info here- http://www.sourcesec.com/2009/05/12/…tially-broken/ [...]
May 20th, 2009 at 5:36 am
[...] having an internal client view a website”, the researchers say. They describe the attack, which works both with and without malware, in this advisory. [...]
May 26th, 2009 at 2:17 pm
[...] in order to phish users on the local network. SourceSec Security Research is reporting that an implementation problem bug in the firmware allows the CAPTCHA to be bypassed in some cases. In fact, the bypass appears to be quite easy: just ignore the CAPTCHA parts of the login request [...]
May 28th, 2009 at 6:04 am
[...] The sourcesec folks discovered a vulnerability in D-Link’s dir-628 router. The CAPTCHA authentication system can be bypassed and the administration password can be obtained. [...]
June 10th, 2009 at 12:32 pm
[...] to the router. According to Sourcesec specialists, the default user-access password on D-Link modems is blank, which allows the attack to be carried out easily. And it is not even necessary to break the [...]