Overview
The D-Link DIR-615 console login page exposes the details of the security mechanism used to encrypt the user name and password.
Description
The D-Link DIR-615 Wireless N 300 router uses JavaScript in its console login page to implement a series of security mechanisms intended to prevent the user name and password from being sent in clear text. It salts the user’s password with the 8-character salt string “2bcfc20f”. The password is padded to 16 characters, appended to the salt, and the result is padded further to 63 characters. Finally, it appends a “U” for a user account login or “\x01” for an admin account login and produces an MD5 hash of the result.
Code
<!-- InstanceBeginEditable -->
<script src="/md5.js"></script>
<script>
//<![CDATA[
function page_load()
{
    /* Detect browsers that cannot handle XML methods. */
    if (!document.getElementsByTagName || !((document.implementation && document.implementation.createDocument) || window.ActiveXObject)) {
        alert("Your web browser is too old to use this web site. Please upgrade your browser.");
        return;
    }

    /* For debugging on a local client. */
    if ("" != "") {
        hide_all_ssi_tr();
    }
    document.forms.myform.password.focus();
}

function data_ready(xml)
{
    var status = xml.getElementData("login");
    if (status) {
        if (status == "timeout") {
            alert("Session timeout, please try again.");
            location.replace('/');
        } else if (status == "error") {
            alert("Invalid password, please try again.");
            location.replace('/');
        } else {
            location.replace('/' + status);
        }
    }
}

function data_timeout()
{
    /* We did not get a reply from the server, the connection is likely down. */
    alert("The network connection seems to be down. Press 'Ok' to try again.");
    location.reload(true);
}

function send_login()
{
    /* Salt in hex, 8 chars long. */
    var salt = "2bcfc20f";

    var password = document.forms.myform.password.value.substr(0,16);
    document.forms.myform.password.value = ""; // Make sure password never gets sent as clear text

    /* Pad the password to 16 chars. */
    for (var i = password.length; i < 16; i++) {
        password += String.fromCharCode(1);
    }

    /* Append the password to the salt and pad the result to 63 bytes. */
    var input = salt + password;
    for (var i = input.length; i < 63; i++) {
        input += String.fromCharCode(1);
    }

    /* Append a 'U' for user login, or a '\x01' for admin login. */
    input += (document.forms["myform"].username.value == 'user') ? 'U' : String.fromCharCode(1);

    /* MD5 hash of the salt. */
    var hash = hex_md5(input);

    /* Append the MD5 hash to the salt. */
    var login_hash = salt.concat(hash);

    /* Send the login hash to the server. */
    var xmlobj = new xmlDataObject(data_ready, data_timeout, 6000, "/post_login.xml?hash=" + login_hash);
    if (!xmlobj) {
        /* Browser does not support XML DOM. */
        alert("Your web browser is too old to use this web site. Please upgrade your browser.");
        return;
    }
    xmlobj.retrieveData();
}
//]]>
</script>
<!-- InstanceEndEditable -->
Impact
The security mechanisms are implemented in JavaScript, so they are exposed to any remote user who can load the login page. In addition, an attacker can intercept the communication of the user or admin account and use the described mechanisms to crack the password.
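The construction from send_login() is re-implemented below for Node.js as an added example (it is not part of the original advisory or of D-Link's code) to show why the value on the wire protects nothing: with the salt as shown on the page it is a fixed, password-equivalent string, and the 16-character cut and \x01 padding make distinct passwords indistinguishable. The function names and sample passwords are constructed for illustration, and it assumes the page's md5.js hex_md5() is a standard MD5 over one byte per character.

```javascript
// Added example: re-implementation of the login-page hash for audit purposes.
const { createHash } = require('crypto');

const SALT = '2bcfc20f';             // salt value shown in the page's send_login()
const PAD = String.fromCharCode(1);  // the page pads with \x01

// Build the 64-character MD5 input the same way send_login() does.
function buildLoginInput(username, password) {
  const pw = password.slice(0, 16).padEnd(16, PAD);  // input past 16 chars is dropped
  const body = (SALT + pw).padEnd(63, PAD);          // salt + password, padded to 63
  return body + (username === 'user' ? 'U' : PAD);   // account marker as 64th char
}

// Value placed in /post_login.xml?hash=... : the salt followed by the hex MD5.
function loginHash(username, password) {
  // Assumption: latin1 (one byte per char) matches hex_md5 for ASCII input.
  const digest = createHash('md5')
    .update(buildLoginInput(username, password), 'latin1')
    .digest('hex');
  return SALT + digest;
}

// Properties of the scheme, checked on constructed sample passwords.
function weaknesses() {
  const long16 = 'A'.repeat(16);
  return {
    // Same password always yields the same URL value, so a captured
    // value is as good as the password itself.
    replayable: loginHash('admin', 'Example-Pass1') === loginHash('admin', 'Example-Pass1'),
    // Characters after the 16th never reach the hash.
    truncated: loginHash('admin', long16 + 'x') === loginHash('admin', long16 + 'y'),
    // A trailing \x01 in the password is indistinguishable from padding.
    padAmbiguity: loginHash('admin', 'abc') === loginHash('admin', 'abc' + PAD),
    // The salt travels in clear as the first 8 characters of the value.
    saltInClear: loginHash('admin', 'abc').startsWith(SALT),
  };
}

console.log(weaknesses());
```

Every property prints as true, which is why the advisory's note about the missing HTTPS support matters: hashing in the browser cannot substitute for transport encryption.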
Solution
I am currently unaware of a solution to this problem. (Note: Device control panel does not support HTTPS)
Vendor Information
http://www.dlink.com/products/?pid=565
Product Details:
D-Link Wireless access point
Product Page DIR-615
Hardware Version: B2
Firmware Version: 2.25
CERT(R) Coordination Center Tracking Code: VU#944927 Date: 01/10/2010