Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

D-Link router's CAPTCHA flawed, WPA passphrase retrieved

By Dancho Danchev | May 19, 2009, 9:01am PDT

Summary: It took only a week for the researchers at SourceSec to find a flaw in the CAPTCHA that D-Link recently added to its routers, a feature originally aimed at preventing DNS-changing malware from achieving its objective automatically. According to SourceSec, the flawed implementation allows an attacker or malware to retrieve the router’s WPA passphrase with user-level access [...]

It took only a week for the researchers at SourceSec to find a flaw in the CAPTCHA that D-Link recently added to its routers, a feature originally aimed at preventing DNS-changing malware from achieving its objective automatically.

According to SourceSec, the flawed implementation allows an attacker or malware to retrieve the router’s WPA passphrase with user-level access only, and without a properly solved CAPTCHA. Moreover, a small piece of JavaScript using anti-DNS pinning (DNS rebinding) means the attacker doesn’t even need malware on the victim’s machine: the victim’s own browser issues the requests to the router, so the attack can be triggered simply by visiting a web site.

Here’s how the attack works:

  • The malware loads the router’s index page and gleans the salt generated by the router
  • The malware uses the salt to generate a login hash for the D-Link User account (blank password by default)
  • The malware sends the hash to the post_login.xml page
  • The malware sends a request to the wifisc_add_sta.xml page, activating WPS
  • The attacker uses WPSpy to detect when the victim’s router is looking for WPS clients, and connects to the WiFi network using a WPS-capable network card
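The sequence above can be modelled end to end without a router. The following is an added example written for this page; it is not SourceSec’s code and not D-Link firmware. Only the salt, the blank-password "User" account and the post_login.xml / wifisc_add_sta.xml endpoints come from the write-up; the hash construction (MD5 of salt plus password), the account table, the CAPTCHA handling and the session store are assumptions made for illustration. The same class toggles the two obvious fixes so the flawed and hardened behaviours can be compared side by side.

```python
import hashlib
import hmac
import secrets

# Assumed account table: the page only says the 'User' account ships with a blank password.
USERS = {"admin": "correct horse battery staple", "User": ""}


def login_hash(salt: str, password: str) -> str:
    """Challenge-response hash. MD5(salt || password) is an assumed construction;
    the firmware's real one is not on this page. The flaw does not depend on it:
    with a known salt and a blank password anyone can compute the expected value."""
    return hashlib.md5((salt + password).encode()).hexdigest()


class Router:
    """Minimal model of the router's web UI.

    enforce_captcha / allow_blank select the flawed behaviour (defaults) or the
    fix: require a solved CAPTCHA before accepting any login hash, and refuse to
    authenticate accounts whose password is empty."""

    def __init__(self, enforce_captcha=False, allow_blank=True):
        self.enforce_captcha = enforce_captcha
        self.allow_blank = allow_blank
        self.sessions = {}          # session id -> username
        self.salt = ""
        self.captcha_answer = ""
        self.wps_active = False

    def index_page(self):
        """GET / : issues a fresh salt and a CAPTCHA. A real page serves the CAPTCHA
        as an image; here only a placeholder is returned, and the attack never reads it."""
        self.salt = secrets.token_hex(8)
        self.captcha_answer = secrets.token_hex(3)
        return {"salt": self.salt, "captcha_image": "<image>"}

    def post_login(self, user, hashed, captcha=None):
        """POST post_login.xml : returns a session id on success, None otherwise.
        In the flawed build the CAPTCHA field is simply never consulted."""
        if user not in USERS:
            return None
        if not self.allow_blank and USERS[user] == "":
            return None
        if self.enforce_captcha and captcha != self.captcha_answer:
            return None
        expected = login_hash(self.salt, USERS[user])
        if not hmac.compare_digest(expected, hashed):
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return sid

    def wifisc_add_sta(self, sid):
        """GET wifisc_add_sta.xml : starts WPS enrolment. Any authenticated session is
        accepted, which is what lets the unprivileged 'User' account trigger it."""
        if sid not in self.sessions:
            return False
        self.wps_active = True
        return True


def attack(router):
    """Steps 1-4 of the write-up. Step 5 (waiting with WPSpy and joining over WPS)
    happens on the radio and is not modelled."""
    page = router.index_page()                 # 1. fetch the index page, glean the salt
    hashed = login_hash(page["salt"], "")      # 2. hash for 'User' with the blank default
    sid = router.post_login("User", hashed)    # 3. send the hash; no CAPTCHA solution at all
    if sid is None:
        return False
    return router.wifisc_add_sta(sid)          # 4. flip the router into WPS registration


if __name__ == "__main__":
    print("flawed build    :", attack(Router()))                      # True
    print("CAPTCHA enforced:", attack(Router(enforce_captcha=True)))  # False
    print("no blank login  :", attack(Router(allow_blank=False)))     # False
```

The point the model makes is that a CAPTCHA only protects a login form if the server refuses to evaluate the credential until the CAPTCHA has been verified; a challenge-response hash computed over a salt the server hands out freely gives automated code everything it needs when the password is blank. Either fix alone stops the automated path in this model, and a legitimate user who does solve the CAPTCHA still logs in.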

Ironically, the first router to ship with a CAPTCHA can in fact undermine the secure combination of a strong passphrase and a strong encryption protocol, which is not to say that those best practices are in wide circulation in the places they are supposed to be.



Biography

Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile. You can also follow him on Twitter

Comments (19)

RE: D-Link router's CAPTCHA flawed, WPA passphrase retrieved
birumut Updated - 2nd May 2011
Great!!! Thanks for sharing this information with us!
Any comment from Dlink yet?
MGP2 19th May 2009
I asked D-Link if they had any information regarding this CAPTCHA issue that was found; here's their response:
"If you have questions regarding D-Link product specifications, product implementation and compatibility or information about new D-Link product releases, please contact our sales department for further assistance at (800) 326-1688 - Option 1 Monday-Friday, 6:00AM - 6:00PM, Pacific Time, excluding major holidays or you can email them at sales@dlink.com.

Should you require further assistance with your D-Link products, please reply to this message, or call toll free at 877-453-5465.

Thank you for networking with D-Link."
How relevant is this?
Roger Ramjet 19th May 2009
If you know what you are doing (or just take the defaults), then the login to the router cannot happen from the internet side. This makes life a lot harder for crackers. As for WPA - USE WPA2 for christ sake! No one should consider WPA and "secure" in the same sentence.
For sure, but...
JCitizen 20th May 2009
Stories like this should be aimed at the newbies. We do have newbies reading here right? I'd certainly hope so!
ABSOLUTELY CORRECT
Timewellwasted 25th May 2009
I have gone 'round and 'round with this very subject (newbies) over a SPAM article here on ZDnet; "experts" were slamming the article, saying SPAM is a thing of the past with the new filters out now. I said B.S., there are people who get sucked into replying to spam every day or it wouldn't continue to exist. I was referred to as a moron, newbie, told I didn't belong here as I was "obviously not an IT Professional" etc. ad nauseam...
But the truth is newbies find this type of information very relevant and ZDnet a great source of all things technical, and yes, they just might find their own D-Link Router to be configured insecurely by reading this article. AND the information is extremely relevant as there are more WPA users than WPA2 users by a large factor. Did D-Link release a direct-to-consumer warning about switching to WPA2 because WPA is insecure? Absolutely not.. And the average PC user does not think of their router as a possible security risk.. after all they "followed the directions that came with it".
So I want to personally congratulate you on your awareness that all types of computer users use this forum to learn new skills, security risks, and a plethora of other info!
RE: Writers That Know How to Write
ken.bld@... Updated - 20th May 2009
Can we use industry standard terminology here? I realize if you don't have certifications or understand the technology you may not be that familiar with the terminology to use. Slang like "salt" may sound cool to whoever dreams up the slang but for the true professional out there it is merely one more term to muddy up the waters of IT. Learn the technology and you won't have to use a cool all encompassing term to describe it. After that please write about something that is relevant. More of the same with you people. Snore.
salt is a legitimate term
frank_s Updated - 25th May 2009
The term salt is a legitimate term and not slang. It's been around for about as long as UNIX has.

If you'd like to know more look here:
http://en.wikipedia.org/wiki/Salt_(cryptography)
Your link's nonexistent!
ulrichburke@... 20th May 2009
Dunno what planet's WIKI you were looking in, but I clicked on your link and was taken to a WIKI equivalent of a 404-Page Not Found. And I did a WIKI search and it couldn't find the term anywhere in its pages.

Please - What DOES 'salt' mean in this context?

Yours hopefully

Christopher Burke
Odd that link didn't work
DNSB 21st May 2009
Oddly, it works here. Using Internet Explorer, I had to copy/paste to add the _(cryptography) to the end of the link as IE seemed to chop at the _ character. I could have manually typed it but copy/paste was easier.

YMMV
Slang?
DNSB Updated - 21st May 2009
Sheesh, salt, as in random bits added to a hash generation routine to make it harder to decrypt, has been used for many years -- Unix and Novell passwords used salt, Microsoft doesn't. Without that random component, crack one and you crack them all. This leads to the use of rainbow tables to crack passwords -- with salting, tables would need to be generated for each possible salt, making them pretty much useless.

Check http://en.wikipedia.org/wiki/Salt_(cryptography) for more on this. Please note the _(cryptography) is part of the URL so you may have to type it manually.
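The two effects described in that comment, a precomputed table working against unsalted digests and identical passwords being visible as identical digests, can be shown directly. This is an added example written for this page, not code from the commenter or from any product; the word list is constructed, and SHA-256 stands in for whatever hash a real system uses (a modern password store would also use a deliberately slow function such as bcrypt, scrypt or Argon2 on top of the salt).

```python
import hashlib
import secrets

# Constructed sample word list; a real attacker's dictionary has millions of entries.
WORDLIST = ["password", "letmein", "123456", "qwerty", "dragon"]


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(words) -> dict:
    """One-time precomputation hash -> password. A rainbow table is a space-optimised
    form of exactly this lookup; the point is that it is computed once and reused
    against every unsalted store ever captured."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stored_hash: str, table: dict):
    """Constant-time lookup; no hashing at attack time."""
    return table.get(stored_hash)


def crack_salted(stored_hash: str, salt: bytes, words):
    """With a salt the table is useless: every target costs a fresh pass over the list.
    Returns (password or None, number of hashes computed)."""
    work = 0
    for w in words:
        work += 1
        if salted_hash(w, salt) == stored_hash:
            return w, work
    return None, work


def shared_passwords(store: dict) -> list:
    """Groups of users whose stored digests are identical. store maps username -> digest.
    In an unsalted store this reveals who shares a password before anything is cracked."""
    by_hash = {}
    for user, digest in store.items():
        by_hash.setdefault(digest, []).append(user)
    return sorted(users for users in by_hash.values() if len(users) > 1)


def table_entries_needed(num_words: int, salt_bits: int) -> int:
    """Entries a precomputed table would need to cover every possible salt value."""
    return num_words * (2 ** salt_bits)


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print(crack_unsalted(unsalted_hash("dragon"), table))               # dragon
    salt = secrets.token_bytes(16)
    print(crack_salted(salted_hash("dragon", salt), salt, WORDLIST))    # ('dragon', 5)
    print(table_entries_needed(len(WORDLIST), 128))                     # astronomically large
```

Two things to take from running it: a table built for unsalted digests returns nothing for a salted one even when the password is in the list, and a salted store of two users with the same password has two different digests, so "crack one and you crack them all" no longer holds.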
Snore?
Timewellwasted 25th May 2009
Wow, instead of snoring perhaps you had better head back to school! Sounds like it has been a decade or so since you got your "true professional" certifications if you are not familiar with salt. By the way what is that slang you used? I believe it was IT....
LMAO
What is SALT ?
Never heard of that!!
Salt
JeeR 20th May 2009
Ha! Very punny! ... ...(nt)
JCitizen 20th May 2009

I've always disliked Dlink's user interface for their routers, and how they used to require the use of the CD to set them up. CAPTCHA in a router? Seems like a stupid thing anyway. If you have strong passwords such a thing shouldn't be necessary...
It appears they didn't do any good development on this, so a good cracker will be able to bypass it. D-Link did a half-a$$ implementation of this and IMHO I'd rather have no a$$ than half an a$$.
Captcha: Good. User: Bad.
dclhacker 24th May 2009
The idea behind a CAPTCHA on the router is a damned good idea. It helps to prevent brute force password guessing attacks on routers.

The big flaw I see here is that the default USER password (not ADMIN) is blank, yet still allows you to get in to see important information pages, like the wifi setup. Sure, you can't change any settings on that page, but the passphrase is still on that page, and a simple JS bookmarklet will reveal any masked passphrase in a form field. Duh.

Being able to do it by bypassing the sessionid is just an easy way to automate the process.

As other folks here have noted, preventing Internet access to your setup page is important. Also, disabling WPS mitigates this flaw.

Props to d-link for putting in the CAPTCHA. But boos for enabling an account with no password that can read all pages by default, and not checking the session id.

Sounds like WPS is flawed.
AFAIK this is due to the router supporting an obviously insecure Windows feature.