D-Link router's CAPTCHA flawed, WPA passphrase retrieved


Summary: It took only a week for the researchers at SourceSec to find a flaw in the CAPTCHA implementation of D-Link's recently introduced CAPTCHA in its routers, originally aimed to prevent DNS changing malware from automatically achieving its objective. According to SourceSec, the flawed implementation allows an attacker/malware to retrieve the router's WPA passphrase with user-level access only, and without even a properly solved CAPTCHA.

TOPICS: Malware, Security

It took only a week for the researchers at SourceSec to find a flaw in the CAPTCHA that D-Link recently introduced in its routers, a feature originally aimed at preventing DNS-changing malware from automatically achieving its objective.

According to SourceSec, the flawed implementation allows an attacker, or malware, to retrieve the router's WPA passphrase with user-level access only, and without a properly solved CAPTCHA. Moreover, combining a simple piece of JavaScript with anti-DNS pinning (DNS rebinding) means the attacker doesn't even need malware installed on the victim's machine; the attack can be triggered by visiting a web site.

Here's how the attack works:

  • Malware loads the router’s index page and gleans the salt generated by the router
  • The malware uses the salt to generate a login hash for the D-Link User account (blank password by default)
  • The malware sends the hash to the post_login.xml page
  • The malware sends a request to the wifisc_add_sta.xml page, activating WPS
  • The attacker uses WPSpy to detect when the victim’s router is looking for WPS clients, and connects to the WiFi network using a WPS-capable network card
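
The five steps above, as an added toy model (not D-Link firmware and not SourceSec's code): a minimal "router" with the three endpoints the article names, a script that drives them exactly as described, and a hardened variant that shows which checks were missing. The page does not say how the router derives its login hash from the salt, so the scheme used here (hex SHA-256 over salt + password) is an assumption, as are the account names, the admin password and the session handling; the point the model makes holds for any scheme the client can compute from the page once the password is blank.

```python
"""Toy model of the login flow described above (added illustration; not D-Link
firmware and not SourceSec's code). The page does not describe how the router
derives its login hash from the salt, so the scheme here, hex SHA-256 over
salt + password, is an assumption; any client-computable scheme behaves the
same way once the password is blank."""
import hashlib
import secrets


def login_hash(salt, password):
    """ASSUMED challenge/response: the client hashes the page's salt with the
    password. With a blank password the result is computable by anyone."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


class VulnerableRouter:
    """Behaviour the article describes: a 'User' account with an empty default
    password, a CAPTCHA that is not tied to authentication, and a WPS page
    reachable with user-level access. Page names mirror the article."""

    def __init__(self):
        self.passwords = {"admin": "correct horse battery", "User": ""}
        self.salt = None
        self.sessions = {}        # session id -> username
        self.wps_active = False

    def index(self):
        """GET /: the page embeds a fresh salt that any client can read."""
        self.salt = secrets.token_hex(8)
        return {"salt": self.salt, "captcha_id": None}

    def post_login(self, user, client_hash, captcha=None):
        """POST post_login.xml: checks only the salted hash; the CAPTCHA
        answer, if one is even sent, is never consulted."""
        if self.salt is None or user not in self.passwords:
            return None
        expected = login_hash(self.salt, self.passwords[user])
        if not secrets.compare_digest(expected, client_hash):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def wifisc_add_sta(self, sid):
        """GET wifisc_add_sta.xml: any logged-in account can start WPS."""
        if sid not in self.sessions:
            return False
        self.wps_active = True
        return True


class HardenedRouter(VulnerableRouter):
    """Same endpoints with the three missing checks added."""

    def __init__(self):
        super().__init__()
        self.captchas = {}        # captcha id -> expected answer (server-side only)

    def index(self):
        page = super().index()
        cid = secrets.token_hex(4)
        self.captchas[cid] = secrets.token_hex(3)
        page["captcha_id"] = cid
        return page

    def post_login(self, user, client_hash, captcha=None):
        # 1. CAPTCHA is mandatory and single-use, so a script cannot skip it
        if captcha is None or self.captchas.pop(captcha[0], None) != captcha[1]:
            return None
        # 2. accounts with an empty password cannot log in at all
        if self.passwords.get(user) == "":
            return None
        return super().post_login(user, client_hash, captcha)

    def wifisc_add_sta(self, sid):
        # 3. starting WPS is an administrative action
        if self.sessions.get(sid) != "admin":
            return False
        return super().wifisc_add_sta(sid)


def automated_attack(router):
    """The article's steps driven by a script: read the salt, log in as 'User'
    with a blank password, never solve a CAPTCHA, then request WPS enrolment.
    Returns True if WPS was switched on."""
    page = router.index()
    sid = router.post_login("User", login_hash(page["salt"], ""))
    return sid is not None and router.wifisc_add_sta(sid)


if __name__ == "__main__":
    print("vulnerable model, WPS activated:", automated_attack(VulnerableRouter()))
    print("hardened model, WPS activated:  ", automated_attack(HardenedRouter()))
```

Against the vulnerable model the script switches WPS on without ever seeing a CAPTCHA, because the CAPTCHA and the authentication path are simply not connected; the hardened model refuses at the first step. The rebinding variant the article mentions changes nothing in this flow, it only changes who issues the requests (the victim's browser instead of malware on the LAN), which is why the usual defence against it, rejecting requests whose Host header is not the router's own address, belongs on the router and not on the client.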

Ironically, the first router to ship with a CAPTCHA can in fact undermine the secure combination of a strong passphrase and a strong encryption protocol, which of course doesn't mean that these best practices are in wide circulation in the places they're supposed to be.


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

19 comments
  • Any comment from Dlink yet?

    NT
    MGP2
    • re: If you have questions regarding D-Link product specifications, product

      I asked D-Link if they had any information regarding this CAPTCHA issue that was found; here's their response:
      "If you have questions regarding D-Link product specifications, product
      implementation and compatibility or information about new D-Link product
      releases, please contact our sales department for further assistance at (800)
      326-1688 - Option 1 Monday-Friday, 6:00AM - 6:00PM, Pacific Time, excluding
      major holidays or you can email them at sales@dlink.com.

      Should you require further assistance with your D-Link products, please reply to
      this message, or call toll free at 877-453-5465.

      Thank you for networking with D-Link."
      djzoey
  • How relevent is this?

    If you know what you are doing (or just take the defaults), then the login to the router cannot happen from the internet side. This makes life a lot harder for crackers. As for WPA - USE WPA2 for Christ's sake! No one should consider WPA and "secure" in the same sentence.
    Roger Ramjet
    • For sure, but...

      Stories like this should be aimed at the newbies. We do have newbies reading here right? I'd certainly hope so!
      JCitizen
      • ABSOLUTELY CORRECT

        I have gone 'round and 'round with this very subject (newbies) over a SPAM article here on ZDNet. "Experts" were slamming the article, saying SPAM is a thing of the past with the new filters out now. I said B.S., there are people who get sucked into replying to spam every day or it wouldn't continue to exist. I was referred to as a moron, newbie, told I didn't belong here as I was "obviously not an IT Professional" etc. ad nauseam...
        But the truth is newbies find this type of information very relevant and ZDnet a great source of all things technical and yes they just might find their own D-Link Router to be configured insecurely by reading this article. AND the information is extremely relevant as there are more WPA users than WPA2 users by a large factor. Did D-Link release a direct to consumer warning about switching to WPA2 because WPA is insecure? Absolutely not.. And the average PC user does not think of their router as a possible security risk.. after all they "followed the directions that came with it".
        So I want to personally congratulate you on your awareness that all types of computer users use this forum to learn new skills, security risks, and a plethora of other info!
        Timewellwasted
  • RE: Writers That Know How to Write

    Can we use industry standard terminology here? I realize if you don't have certifications or understand the technology you may not be that familiar with the terminology to use. Slang like "salt" may sound cool to whoever dreams up the slang but for the true professional out there it is merely one more term to muddy up the waters of IT. Learn the technology and you won't have to use a cool all encompassing term to describe it. After that please write about something that is relevant. More of the same with you people. Snore.
    net1tek1
    • salt is a legitimate term

      The term salt is a legitimate term and not slang. It's been around for about as long as UNIX has.

      If you'd like to know more look here:
      http://en.wikipedia.org/wiki/Salt_(cryptography)
      frank_s
      • Your link's nonexistent!

        Dunno what planet's WIKI you were looking in, but I clicked on your link and was taken to a WIKI equivalent of a 404-Page Not Found. And I did a WIKI search and it couldn't find the term anywhere in its pages.

        Please - What DOES 'salt' mean in this context?

        Yours hopefully

        Christopher Burke
        ulrichburke
        • Odd that link didn't work

          Oddly, it works here. Using Internet Explorer, I had to copy/paste to add the _(cryptography) to the end of the link as IE seemed to chop at the _ character. I could have manually typed it but copy/paste was easier.

          YMMV
          DNSB
    • Slang?

      Sheesh, salt, as in random bits added to a hash generation routine to make it harder to decrypt, has been used for many years -- Unix and Novell passwords used salt, Microsoft doesn't. Without that random component, crack one and you crack them all. This leads to the use of rainbow tables to crack passwords -- with salting, tables would need to be generated for each possible salt, making them pretty much useless.

      Check http://en.wikipedia.org/wiki/Salt_(cryptography) for more on this. Please note the _(cryptography) is part of the URL so you may have to type it manually.
      DNSB
    • Snore?

      Wow, instead of snoring perhaps you had better head back to school! Sounds like it has been a decade or so since you got your "true professional" certifications if you are not familiar with salt. By the way what is that slang you used? I believe it was IT....
      LMAO
      Timewellwasted
  • RE: D-Link router's CAPTCHA flawed, WPA passphrase retrieved

    What is SALT ?
    Never heard of that!!
    adityabhelke
    • Salt

      http://en.wikipedia.org/wiki/Salt_(cryptography)
      JeeR
      • Ha! Very punny! ... ;) ...(nt)

        .
        JCitizen
  • RE: D-Link router's CAPTCHA flawed, WPA passphrase retrieved

    I've always disliked Dlink's user interface for their
    routers. And how they used to require the use of the
    CD to set them up. CAPTCHA in a router? Seems like a
    stupid thing anyway. If you have strong passwords such
    a thing shouldn't be necessary...
    badkid32
  • RE: D-Link router's CAPTCHA flawed, WPA passphrase retrieved

    It appears they didn't do any good development on this, so a good cracker will be able to bypass this. D-Link did a half a$$ implementation of this and IMHO I'd rather have no a$$ than a half a$$.
    phatkat
  • Captcha: Good. User: Bad.

    The idea behind a CAPTCHA on the router is a damned good idea. It
    helps to prevent brute force password guessing attacks on routers.

    The big flaw I see here is that the default USER password (not ADMIN)
    is blank, yet still allows you to get in to see important information
    pages, like the wifi setup. Sure, you can't change any settings on that
    page, but the passphrase is still on that page, and a simple JS
    bookmarklet will reveal any masked passphrase in a form field. Duh.

    Being able to do it by bypassing the sessionid is just an easy way to
    automate the process.

    As other folks here have noted, preventing Internet access to your
    setup page is important. Also, disabling WPS mitigates this flaw.

    Props to d-link for putting in the CAPTCHA. But boo's for enabling an
    account with no password that can read all pages by default, and not
    checking the session id.
    dclhacker
  • RE: D-Link router's CAPTCHA flawed, WPA passphrase retrieved

    Sounds like WPS is flawed.
    AFAIK this is due to the router supporting an obviously insecure Windows feature.
    JeremyBoden