Information Security Expert Blog

Dr. Ali Jahangiri

Vulnerability: D-link DIR-615 User Name and Password Security Mechanisms

October 31, 2010 By Ali Jahangiri

Overview
The D-Link DIR-615 console login page contains information about the security mechanism used to protect the user name and password.

Description
The D-Link DIR-615 Wireless N 300 router uses JavaScript in its console login page to implement a series of security mechanisms intended to prevent the user name and password from being sent in clear text. It salts the user's password with an 8-character salt string, "2bcfc20f". The password is padded to 16 characters, appended to the salt, and the result is padded further to 63 characters. Finally, it appends a "U" for a user login or "\x01" for an admin login and produces an MD5 hash of the resulting string.

Code

<!-- InstanceBeginEditable -->
<script src="/md5.js"></script>
<script>
//<![CDATA[
function page_load()
{
    /* Detect browsers that cannot handle XML methods. */
    if (!document.getElementsByTagName || !((document.implementation && document.implementation.createDocument) || window.ActiveXObject)) {
        alert("Your web browser is too old to use this web site. Please upgrade your browser.");
        return;
    }

    /* For debugging on a local client. */
    if ("" != "") {
        hide_all_ssi_tr();
    }
    document.forms.myform.password.focus();
}

function data_ready(xml)
{
    var status = xml.getElementData("login");
    if (status) {
        if (status == "timeout") {
            alert("Session timeout, please try again.");
            location.replace('/');
        } else if (status == "error") {
            alert("Invalid password, please try again.");
            location.replace('/');
        } else {
            location.replace('/' + status);
        }
    }
}

function data_timeout()
{
    /* We did not get a reply from the server, the connection is likely down. */
    alert("The network connection seems to be down. Press 'Ok' to try again.");
    location.reload(true);
}

function send_login()
{
    /* Salt in hex, 8 chars long. */
    var salt = "2bcfc20f";

    var password = document.forms.myform.password.value.substr(0,16);
    document.forms.myform.password.value = ""; // Make sure password never gets sent as clear text

    /* Pad the password to 16 chars. */
    for (var i = password.length; i < 16; i++) {
        password += String.fromCharCode(1);
    }

    /* Append the password to the salt and pad the result to 63 bytes. */
    var input = salt + password;
    for (var i = input.length; i < 63; i++) {
        input += String.fromCharCode(1);
    }

    /* Append a 'U' for user login, or a '\x01' for admin login. */
    input += (document.forms["myform"].username.value == 'user') ? 'U' : String.fromCharCode(1);

    /* MD5 hash of the salt. */
    var hash = hex_md5(input);

    /* Append the MD5 hash to the salt. */
    var login_hash = salt.concat(hash);

    /* Send the login hash to the server. */
    var xmlobj = new xmlDataObject(data_ready, data_timeout, 6000, "/post_login.xml?hash=" + login_hash);
    if (!xmlobj) {
        /* Browser does not support XML DOM. */
        alert("Your web browser is too old to use this web site. Please upgrade your browser.");
        return;
    }
    xmlobj.retrieveData();
}

//]]>
</script>
<!-- InstanceEndEditable -->

Impact
The security mechanisms are implemented in JavaScript, so they are exposed to any end user who can access the login page remotely. In addition, an attacker can intercept the login communication of the user or admin account and use the described mechanisms to crack the password.
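
The properties behind this impact, shown as an added example that is not part of the original advisory and is not D-Link's code: a Node.js re-implementation of send_login() over constructed passwords, beside a nonce-bound response for contrast. The names dir615LoginHash, nonceLoginResponse, staticSchemeProperties and nonceSchemeVaries are hypothetical, and the latin1 encoding assumes hex_md5() hashes one byte per character.

```javascript
// Added example (Node.js); not D-Link's code and not from the original post.
const crypto = require("crypto");

const SALT = "2bcfc20f"; // static salt hard-coded in the login page
const PAD = "\x01";      // padding byte used by send_login()

// Mirrors send_login(): truncate/pad the password to 16 chars, prepend the
// salt, pad to 63, append the role byte, MD5, then prefix the salt again.
function dir615LoginHash(username, password) {
  const pw = password.slice(0, 16).padEnd(16, PAD);
  const input = (SALT + pw).padEnd(63, PAD) + (username === "user" ? "U" : PAD);
  // Assumption: hex_md5() hashes one byte per character (latin1 for ASCII input).
  return SALT + crypto.createHash("md5").update(input, "latin1").digest("hex");
}

// Hypothetical contrast: the response is bound to a fresh server nonce.
function nonceLoginResponse(password, nonceHex) {
  return crypto.createHmac("sha256", password)
    .update(Buffer.from(nonceHex, "hex"))
    .digest("hex");
}

// Properties of the page's scheme, checked on constructed passwords.
function staticSchemeProperties() {
  const first = dir615LoginHash("admin", "constructed-pass");
  const second = dir615LoginHash("admin", "constructed-pass");
  return {
    sameTokenEveryLogin: first === second,
    ignoresCharsPast16:
      dir615LoginHash("admin", "0123456789abcdefX") ===
      dir615LoginHash("admin", "0123456789abcdefY"),
    roleChangesToken: first !== dir615LoginHash("user", "constructed-pass"),
    tokenLength: first.length, // 8 salt chars + 32 hex MD5 chars
  };
}

// With a nonce, two sessions with the same password yield different responses.
function nonceSchemeVaries() {
  const n1 = crypto.randomBytes(16).toString("hex");
  const n2 = crypto.randomBytes(16).toString("hex");
  return nonceLoginResponse("constructed-pass", n1) !==
         nonceLoginResponse("constructed-pass", n2);
}

console.log(staticSchemeProperties(), { nonceSchemeVaries: nonceSchemeVaries() });
```

The nonce variant only shows what a per-session value changes about the login token; the Solution note below about the control panel lacking HTTPS still applies to it.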

Solution
I am currently unaware of a solution to this problem. (Note: Device control panel does not support HTTPS)

Vendor Information
http://www.dlink.com/products/?pid=565

Product Details:
D-Link Wireless access point
Product Page DIR-615
Hardware Version: B2
Firmware Version: 2.25

CERT(R) Coordination Center Tracking Code: VU#944927 Date: 01/10/2010

Filed Under: D-Link, Vulnerability Tagged With: D-Link, DIR-615, router, User Name and Password Security Mechanisms, Wireless N 300
