D-Link - Captcha Bypass

Date: 15 May 2009 | Reported by: SourceSec Dev Team | Type: exploitdb | Source: www.exploit-db.com

D-Link firmware flaw allows bypass of Captcha authentication, leading to WiFi WPA passphrase extraction

Code
D-Link Captcha Bypass
-------------------------------------
D-Link released new firmware designed to protect against malware that logs in 
to the router using default administrative credentials and alters its DNS settings. 
There is a flaw in the captcha authentication system that allows an attacker to 
glean your WiFi WPA passphrase from the router with only user-level access, and 
without properly solving the captcha.

When you log in with the captcha enabled, the request looks like this:

    GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a&auth_code=0C52F&auth_id=268D2

The hash is a salted MD5 hash of your password, the auth_code is the captcha value that 
you entered, and the auth_id is unique to the captcha image that you viewed 
(this presumably allows the router to check the auth_code against the proper captcha image). 
The problem is that if you leave off the auth_code and auth_id values, some pages in the 
D-Link Web interface think that you’ve properly authenticated, as long as you get 
the hash right:

    GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a
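The root cause described above is a login handler that treats absent captcha parameters as "nothing to check" rather than as a failed check. The following Python sketch is an added illustration, not D-Link's firmware code: `vulnerable_login` reproduces the behaviour the advisory describes (a correct `hash` alone authenticates), and `hardened_login` shows the check a firmware fix needs to make. The salt, password and captcha values are constructed for the demonstration, and the exact salting scheme behind the `hash` parameter is an assumption; the advisory only says it is a salted MD5 of the password.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed values for the demonstration (not taken from any real device).
# The advisory says the hash parameter is a salted MD5 of the password; the
# concatenation below is an assumed salting scheme, not the router's real one.
SALT = "constructed-login-salt"
ADMIN_PASSWORD = "constructed-admin-password"
EXPECTED_HASH = hashlib.md5((SALT + ADMIN_PASSWORD).encode()).hexdigest()


def _query_params(request_target: str) -> dict:
    """Single-valued query parameters of a GET target such as '/post_login.xml?hash=...'."""
    query = urlsplit(request_target).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def vulnerable_login(request_target: str) -> bool:
    """Mirrors the flaw the advisory describes: a correct hash alone authenticates,
    whether or not the captcha parameters (auth_code, auth_id) are present."""
    p = _query_params(request_target)
    return hmac.compare_digest(p.get("hash", ""), EXPECTED_HASH)


def hardened_login(request_target: str, issued_captchas: dict,
                   captcha_enabled: bool = True) -> bool:
    """Hardened check: the hash must match and, when captcha is enabled, both
    auth_id and auth_code must be present, auth_id must name a captcha this
    router actually issued, and auth_code must match that image's value.
    Each captcha is consumed on first use so a captured pair cannot be replayed.

    issued_captchas maps auth_id -> code shown in that image (server-side state
    that a real implementation would keep per session, with an expiry)."""
    p = _query_params(request_target)
    if not hmac.compare_digest(p.get("hash", ""), EXPECTED_HASH):
        return False
    if not captcha_enabled:
        return True
    auth_id = p.get("auth_id", "")
    auth_code = p.get("auth_code", "")
    if not auth_id or not auth_code:
        return False  # absent captcha fields are an authentication failure, never a pass
    expected = issued_captchas.pop(auth_id, None)
    if expected is None:
        return False  # unknown, expired or already-used captcha id
    return hmac.compare_digest(auth_code.upper(), expected.upper())
```

The key design point is the ordering: the hardened version decides "captcha required?" from server-side configuration, never from whether the client chose to send the parameters, and it binds the submitted code to a captcha the server itself issued rather than accepting any `auth_id` the client names.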

Most notably, once you’ve made the request to post_login.xml, you can activate 
WPS with the following request:

    GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0

When WPS is activated, anyone within WiFi range can claim to be a valid WPS client and 
retrieve the WPA passphrase directly from the router.
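Both requests in the advisory leave a recognisable trace in the router's (or an upstream proxy's) web access log: a `post_login.xml` request carrying `hash` but no `auth_code`/`auth_id`, followed by a `wifisc_add_sta.xml?method=pbutton` request. The Python below is an added detection example, not part of the original advisory; it runs over a few constructed Common Log Format lines (the hash value is a placeholder, not a real credential hash) and escalates a WPS activation to high severity when the same client address made a captcha-less login shortly before.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Common Log Format; they are not captured
# from a real router, and PLACEHOLDER_HASH stands in for the real hash value.
SAMPLE_LOG = """\
192.168.0.10 - - [15/May/2009:10:01:02 +0000] "GET /post_login.xml?hash=PLACEHOLDER_HASH&auth_code=0C52F&auth_id=268D2 HTTP/1.1" 200 311
192.168.0.23 - - [15/May/2009:10:02:17 +0000] "GET /post_login.xml?hash=PLACEHOLDER_HASH HTTP/1.1" 200 311
192.168.0.23 - - [15/May/2009:10:02:19 +0000] "GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0 HTTP/1.1" 200 88
192.168.0.10 - - [15/May/2009:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1200
"""

# Minimal CLF parser: client address, timestamp, method, request target, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyse(log_text: str) -> list:
    """Return (ip, severity, description) findings for the two request patterns
    from the advisory. A WPS push-button activation that follows a captcha-less
    login from the same client address is escalated to 'high'."""
    findings = []
    captcha_less_clients = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        ip = m["ip"]
        parts = urlsplit(m["target"])
        query = parse_qs(parts.query)
        if parts.path == "/post_login.xml" and "hash" in query:
            # Normal logins carry both captcha parameters; missing either one
            # is the exact shape of the bypass request in the advisory.
            if "auth_code" not in query or "auth_id" not in query:
                captcha_less_clients.add(ip)
                findings.append((ip, "medium",
                                 "post_login.xml without auth_code/auth_id (captcha bypass attempt)"))
        elif parts.path == "/wifisc_add_sta.xml" and query.get("method") == ["pbutton"]:
            severity = "high" if ip in captcha_less_clients else "medium"
            findings.append((ip, severity, "WPS push-button activation via web interface"))
    return findings


if __name__ == "__main__":
    for ip, severity, description in analyse(SAMPLE_LOG):
        print(f"[{severity}] {ip}: {description}")
```

A WPS activation through the web interface is worth alerting on even without the preceding bypass, since on an unpatched device it is the step that exposes the WPA passphrase; the correlation with a captcha-less login only raises confidence that the activation was not an administrator's deliberate action.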

More info on WPS et al. at http://www.sourcesec.com/2009/05/12/d-link-captcha-partially-broken/

# milw0rm.com [2009-05-15]
