The new feature leaves wireless networks vulnerable

May 18, 2009 12:03 GMT

Almost a week ago, networking equipment vendor D-Link announced that new firmware versions for some of its most popular devices would introduce a CAPTCHA validation system. Subsequently, the people behind the SourceSec Security Research blog demonstrated how the feature could be exploited to harvest WiFi WPA passwords.

According to a D-Link press release, the new CAPTCHA system is the company's response to the threat of DNS hijacking computer trojans, which are now capable of targeting home routers. "In response to the growing number of these attacks and subsequent user security concerns, D-Link has integrated CAPTCHA – a system designed to detect whether responses are human or computer-generated – into its popular home and small office routers as an extra safety measure," the official announcement reads.

SourceSec researchers later announced that they "found a flaw in the captcha authentication system that allows an attacker to glean your WiFi WPA pass phrase from the router with only user-level access, and without properly solving the captcha." Apparently, this is because the CAPTCHA-enabled authentication system is not properly integrated into some pages.

An authentication request to the post_login.xml document, after solving the CAPTCHA, passes a salted MD5 hash of the password, the CAPTCHA code entered and a unique CAPTCHA image identifier. This looks like: GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a&auth_code=0C52F&auth_id=268D2.

However, the researchers explain that, "The problem is that if you leave off the auth_code and auth_id values, some pages in the D-Link Web interface think that you’ve properly authenticated, as long as you get the hash right."
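To make the described weakness concrete, here is an added simulation (not D-Link's firmware code) of a login handler that only checks the CAPTCHA fields when they are present, beside a hardened handler that requires a valid, single-use challenge on every request. The salt, password, hash construction and the pending-challenge store are constructed assumptions for the demo, not the router's actual scheme.

```python
import hashlib
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed demo credential: a salted MD5 of the password, as the article
# describes the hash parameter. The salt and password are assumptions.
SALT = "demo-salt"
STORED_HASH = hashlib.md5((SALT + "hunter2").encode()).hexdigest()


def parse_login(url):
    """Flatten the query string of a /post_login.xml request to one value per key."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def login_vulnerable(url, pending):
    """Mirrors the flaw: CAPTCHA fields are validated only if the client sends
    them, so a request carrying just the correct hash is accepted."""
    p = parse_login(url)
    if p.get("hash") != STORED_HASH:
        return False
    if "auth_id" in p or "auth_code" in p:
        return pending.get(p.get("auth_id")) == p.get("auth_code")
    return True  # hash alone is enough: the CAPTCHA is bypassed


def login_fixed(url, pending):
    """Hardened handler: auth_id and auth_code are mandatory, the challenge
    must exist in the pending store, and it is consumed so it cannot be replayed."""
    p = parse_login(url)
    auth_id, auth_code = p.get("auth_id"), p.get("auth_code")
    if auth_id is None or auth_code is None:
        return False
    expected = pending.pop(auth_id, None)  # single use, even on failure
    if expected is None:
        return False
    if not secrets.compare_digest(expected.encode(), auth_code.encode()):
        return False
    return secrets.compare_digest(p.get("hash", "").encode(), STORED_HASH.encode())
```

The pending store maps a CAPTCHA image identifier to the answer the router expects; a real implementation would also expire entries after a short time.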

Unfortunately, one of these pages allows enabling Wi-Fi Protected Setup (WPS), a system designed to simplify and automate access to the wireless network. This means that, "When WPS is activated, anyone within Wi-Fi range can claim to be a valid WPS client and retrieve the WPA passphrase directly from the router," which is, obviously, a major security risk.

The bad news doesn't stop here, as activating WPS does not even require full administrative privileges on the router. Tricking a person with user-level access into viewing a maliciously crafted webpage would be enough to activate this feature.

"This vulnerability could be triggered by a simple JavaScript snippet using anti-DNS pinning, which removes the requirement for the attacker to have installed malware onto a machine inside the target network; the victim could be exploited by simply browsing to an infected Web page," the researchers warn.