May 19th, 2009

D-Link router's CAPTCHA flawed, WPA passphrase retrieved

Posted by Dancho Danchev @ 9:01 am

Categories: Browsers, Complex Attacks, Exploit code, Hackers, Malware, Passwords, Pen testing, Wi-Fi security

Tags: WPA, D-Link Systems, CAPTCHA, Passphrase, Router, Malware, Routers & Switches, Spyware, Adware & Malware, Cyberthreats, Dancho Danchev

It took only a week for the researchers at SourceSec to find a flaw in the CAPTCHA implementation of D-Link’s recently introduced CAPTCHA in its routers, originally aimed to prevent DNS changing malware from automatically achieving its objective.

According to SourceSec, the flawed implementation allows an attacker/malware to retrieve the router’s WPA passphrase with user-level access only, and without even a properly solved CAPTCHA. Moreover, a combination of a simple Javascript code using anti-DNS pinning doesn’t even require the attacker to have malware installed on the router, instead, the attack can be triggered by visiting a web site.

Here’s how the attack works:

• Malware loads the router’s index page and glean the salt generated by the router
• The malware uses the salt to generate a login hash for the D-Link User account (blank password by default)
• The malware sends the hash to the post_login.xml page
• The malware sends a request to the wifisc_add_sta.xml page, activating WPS
• The attacker uses WPSpy to detect when the victim’s router is looking for WPS clients, and connects to the WiFi network using a WPS-capable network card

Ironically, the first router with CAPTCHA implementation can in fact be undermining the secure combination of strong passphrases and strong encryption protocols, which of course doesn’t mean that these best practices are in wide circulation at places they’re supposed to be.