Vendor: Router
By: milw0rm.com
CVSS: 7.5 (HIGH)
Vulnerability: Captcha Authentication System Bypass
CWE: 287
Product Name: Router
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: YES
Related CWE: None
CPE: None
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
Year: 2009

D-Link Captcha Bypass

Mitigation:

Apply the vendor firmware that corrects the check (the listing records that a patch exists). The server-side fix is for post_login.xml to require auth_code and auth_id whenever the captcha is enabled, to reject a login that omits them or presents an auth_id that does not match a captcha the router issued, and for privileged pages such as wifisc_add_sta.xml to authorise on a session established by a fully validated login rather than on the fact that post_login.xml was requested with the right hash. Keeping WPS disabled where it is not needed limits what a bypassed login can be turned into.

Exploit-DB raw data:

D-Link Captcha Bypass
-------------------------------------
D-Link released new firmware designed to protect against malware that 
alters DNS settings by logging in to the router using default administrative 
credentials. There is a flaw in the captcha authentication system that allows 
an attacker to glean your WiFi WPA pass phrase from the router with only user-level 
access, and without properly solving the captcha.

When you login with the captcha enabled, the request looks like this:

    GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a&auth_code=0C52F&auth_id=268D2

The hash is a salted MD5 hash of your password, the auth_code is the captcha value that 
you entered, and the auth_id is unique to the captcha image that you viewed 
(this presumably allows the router to check the auth_code against the proper captcha image). 
The problem is that if you leave off the auth_code and auth_id values, some pages in the 
D-Link Web interface think that you’ve properly authenticated, as long as you get 
the hash right:

    GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a

Most notably, once you’ve made the request to post_login.xml, you can activate 
WPS with the following request:

    GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0

When WPS is activated, anyone within WiFi range can claim to be a valid WPS client and 
retrieve the WPA passphrase directly from the router.

More info on WPS et al. at http://www.sourcesec.com/2009/05/12/d-link-captcha-partially-broken/

# milw0rm.com [2009-05-15]
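To make the two checks concrete, here is an added example (mine, not D-Link firmware code and not part of the advisory above) that models the post_login.xml handler both ways: the flawed version validates the captcha only when the client supplies auth_code and auth_id, while the corrected version lets the router's own captcha setting decide and fails closed on a missing, stale or mismatched auth_id/auth_code. A privileged page such as wifisc_add_sta.xml is then authorised on the session the login handler issued, not on an earlier request to post_login.xml. A small log filter flags the two request shapes the advisory quotes. Endpoint and parameter names come from the advisory; the admin password, salt, captcha codes, session tokens and log lines are constructed, and how the real firmware combines the salt is an assumption.

```python
# Added example, not D-Link firmware code: flawed vs. corrected post_login.xml check, plus a log filter.
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

ADMIN_PASSWORD = "constructed-admin-pw"  # constructed
SALT = "constructed-salt"                # constructed; the firmware's salt is not on the page

def password_hash(password: str, salt: str = SALT) -> str:
    """The 'hash' parameter: salted MD5 of the password, as the advisory states
    (how the salt is combined is an assumption)."""
    return hashlib.md5((salt + password).encode()).hexdigest()

def parse_request(request_line: str) -> Dict[str, str]:
    """'GET /path?a=b HTTP/1.1' -> {'path': '/path', 'a': 'b'} (first value per key)."""
    parts = urlsplit(request_line.split()[1])
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    params["path"] = parts.path
    return params

def _eq(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())

class Router:
    def __init__(self, captcha_enabled: bool = True):
        self.captcha_enabled = captcha_enabled
        self.captchas: Dict[str, str] = {}  # auth_id -> code in that captcha image, single use
        self.sessions: Set[str] = set()

    def issue_captcha(self, auth_id: str, code: str) -> None:
        self.captchas[auth_id] = code.upper()

    def _password_ok(self, p: Dict[str, str]) -> bool:
        return p["path"] == "/post_login.xml" and _eq(p.get("hash", ""), password_hash(ADMIN_PASSWORD))

    def login_vulnerable(self, request_line: str) -> Optional[str]:
        """Flaw as described: captcha checked only if the client sends auth_code and auth_id."""
        p = parse_request(request_line)
        if not self._password_ok(p):
            return None
        if "auth_code" in p and "auth_id" in p:
            expected = self.captchas.pop(p["auth_id"], None)
            if expected is None or not _eq(expected, p["auth_code"].upper()):
                return None
        return self._new_session()

    def login_fixed(self, request_line: str) -> Optional[str]:
        """Corrected: server policy decides whether a captcha is required; missing/stale fails closed."""
        p = parse_request(request_line)
        if not self._password_ok(p):
            return None
        if self.captcha_enabled:
            expected = self.captchas.pop(p.get("auth_id", ""), None)
            if expected is None or not _eq(expected, p.get("auth_code", "").upper()):
                return None
        return self._new_session()

    def _new_session(self) -> str:
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def wps_push_button(self, request_line: str, session: Optional[str]) -> str:
        """Privileged page: authorise on an issued session, not on an earlier post_login.xml request."""
        p = parse_request(request_line)
        if p["path"] != "/wifisc_add_sta.xml" or p.get("method") != "pbutton":
            return "ignored"
        return "wps-started" if session in self.sessions else "denied"

# Constructed access-log lines; the hash value is the one quoted in the advisory.
SAMPLE_LOG = """\
192.0.2.10 [15/May/2009:10:00:01] "GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a&auth_code=0C52F&auth_id=268D2 HTTP/1.1" 200
192.0.2.77 [15/May/2009:10:00:05] "GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a HTTP/1.1" 200
192.0.2.77 [15/May/2009:10:00:06] "GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0 HTTP/1.1" 200
"""
_REQ = re.compile(r'^(\S+) \[[^\]]+\] "(GET \S+ HTTP/[\d.]+)"')

def flag_requests(log_text: str) -> List[Tuple[str, str]]:
    """(client, reason) for logins that omit the captcha fields and for WPS
    push-button activations through the web UI: the requests worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        m = _REQ.match(line)
        if not m:
            continue
        client, p = m.group(1), parse_request(m.group(2))
        if p["path"] == "/post_login.xml" and not ("auth_code" in p and "auth_id" in p):
            findings.append((client, "post_login.xml without auth_code/auth_id"))
        elif p["path"] == "/wifisc_add_sta.xml" and p.get("method") == "pbutton":
            findings.append((client, "WPS push-button activation via web UI"))
    return findings

if __name__ == "__main__":
    hash_only = f"GET /post_login.xml?hash={password_hash(ADMIN_PASSWORD)} HTTP/1.1"
    print(Router().login_vulnerable(hash_only) is not None, Router().login_fixed(hash_only) is not None)  # True False
    print(flag_requests(SAMPLE_LOG))
```

Run directly, the hash-only request is accepted by the flawed check and rejected by the corrected one, and the filter output is the review list a defender would pull from the router's HTTP log. The corrected handler also consumes each auth_id on use, so a captcha solution cannot be replayed; whether the real firmware fix takes this shape is not stated on the page.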