cdying posted on 2010-2-8 11:17

Throwing out a brick to attract jade, part 2: WPA cracking (D-Link router vulnerability)

Those with good English, please translate this. Wireless cracking abroad is already quite a bit ahead of us.

D-Link Captcha Partially Broken
May 12th, 2009
Hack-A-Day reported on D-Link’s new captcha system designed to protect against malware that alters DNS settings by logging in to the router using default administrative credentials. I downloaded the new firmware onto our DIR-628 to take a look, and quickly found a flaw in the captcha authentication system that allows an attacker to glean your WiFi WPA pass phrase from the router with only user-level access, and without properly solving the captcha.


When you login with the captcha enabled, the request looks like this:
GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a&auth_code=0C52F&auth_id=268D2
The hash is a salted MD5 hash of your password, the auth_code is the captcha value that you entered, and the auth_id is unique to the captcha image that you viewed (this presumably allows the router to check the auth_code against the proper captcha image). The problem is that if you leave off the auth_code and auth_id values, some pages in the D-Link Web interface think that you’ve properly authenticated, as long as you get the hash right:
GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a
Most notably, once you’ve made the request to post_login.xml, you can activate WPS with the following request:
GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0
When WPS is activated, anyone within WiFi range can claim to be a valid WPS client and retrieve the WPA passphrase directly from the router.
Further, one need not log in with Administrative credentials to perform this attack; only User-level access is required to activate WPS. This means that even if you load the new firmware on your router, use a strong WPA pass phrase, and change your Administrative login, an attacker can still activate WPS and gain access to your wireless network by simply having an internal client view a Web page.
The attack works like this:
1. Malware loads the router's index page and gleans the salt generated by the router.
2. The malware uses the salt to generate a login hash for the D-Link User account (blank password by default).
3. The malware sends the hash to the post_login.xml page.
4. The malware sends a request to the wifisc_add_sta.xml page, activating WPS.
5. The attacker uses WPSpy to detect when the victim's router is looking for WPS clients, and connects to the WiFi network using a WPS-capable network card.
Additionally, this vulnerability could be triggered by a simple JavaScript snippet using anti-DNS pinning, which removes the requirement for the attacker to have installed malware onto a machine inside the target network; the victim could be exploited by simply browsing to an infected Web page.

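From a defender's side, the two requests quoted in the post are easy to spot in HTTP logs: a post_login.xml request that carries a hash but no auth_code/auth_id, followed by a wifisc_add_sta.xml request with method=pbutton from the same client. The following detection script is an added example, not code from the original blog post or from this thread. It assumes the router's web requests are being logged by a proxy or IDS in a common-log-like format; that format, the sample log lines and the client addresses are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (hypothetical format: client - [timestamp] "METHOD target HTTP/1.1" status).
# 192.168.0.10 logs in normally; 192.168.0.23 omits the captcha fields and then activates WPS.
SAMPLE_LOG = """\
192.168.0.10 - [08/Feb/2010:11:20:01] "GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a&auth_code=0C52F&auth_id=268D2 HTTP/1.1" 200
192.168.0.23 - [08/Feb/2010:11:21:14] "GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a HTTP/1.1" 200
192.168.0.23 - [08/Feb/2010:11:21:15] "GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0 HTTP/1.1" 200
192.168.0.10 - [08/Feb/2010:11:25:00] "GET /index.htm HTTP/1.1" 200
"""

# Regex for the assumed log format above.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log_line(line):
    """Parse one log line into a dict with path and query parameters, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs returns lists; keep the first value of each parameter.
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def classify_request(path, params):
    """Label the request types that matter for this vulnerability."""
    if path == "/post_login.xml":
        # A hash without both captcha fields is the bypass pattern described in the post.
        if "hash" in params and ("auth_code" not in params or "auth_id" not in params):
            return "login_without_captcha"
        return "login"
    if path == "/wifisc_add_sta.xml" and params.get("method") == "pbutton":
        return "wps_activation"
    return None


def find_alerts(log_text):
    """Return (timestamp, client, message) alerts for bypass logins and WPS activations.

    WPS activation is rated more severely when the same client previously sent a
    captcha-less login, since that is the exact sequence the post describes.
    """
    alerts = []
    bypassed_clients = set()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        kind = classify_request(rec["path"], rec["params"])
        if kind == "login_without_captcha":
            bypassed_clients.add(rec["client"])
            alerts.append((rec["ts"], rec["client"], "captcha-bypass login attempt"))
        elif kind == "wps_activation":
            if rec["client"] in bypassed_clients:
                msg = "WPS activated after captcha-bypass login"
            else:
                msg = "WPS activated via web interface"
            alerts.append((rec["ts"], rec["client"], msg))
    return alerts


if __name__ == "__main__":
    for ts, client, msg in find_alerts(SAMPLE_LOG):
        print(f"{ts} {client}: {msg}")
```

Any WPS push-button activation coming from the web interface rather than the physical button is worth an alert on its own; the correlation with a captcha-less login just raises the priority. On a router that is still running the affected firmware, the practical mitigations are the ones the post implies: disable WPS entirely and set a non-blank password on the User account as well as the Admin account.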

pttt posted on 2010-2-8 12:06

Didn't expect to see this here. Unfortunately my English is really... but we have tools :)
This must be what a certain expert was planning to publish after Spring Festival. Got an early look, haha. Bump...

cdying posted on 2010-2-8 12:21

The tool has also been released: hnap0wn

fshjl posted on 2010-2-8 12:35

My English really is... :dizzy:................

buta0619 posted on 2010-2-8 13:56

Use the little to get the big.

ColinLU posted on 2010-2-8 17:32

This method is worth a try, but I don't know whether this vulnerability has already been patched.

达库克 posted on 2010-2-8 23:51

Learned something. With tools, no need to fear the English.

6666123 posted on 2010-2-9 16:22

How am I supposed to read it without a Chinese version?