The recent distribution of the D-Link Firmware to thwart malicious attacks has additional issues. Read more at:
ZDNet May 12th Report on D-Link add CAPTCHA to home routers and
Hack-A-Day D-Link-adds-Captcha-to-Routers
According to SourceSec Security Research, the attack works like this:
1. Malware loads the router's index page and gleans the salt generated by the router.
2. The malware uses the salt to generate a login hash for the D-Link User account (blank password by default).
3. The malware sends the hash to the post_login.xml page.
4. The malware sends a request to the wifisc_add_sta.xml page, activating WPS.
5. The attacker uses WPSpy to detect when the victim's router is looking for WPS clients, and connects to the WiFi network using a WPS-capable network card.
Additionally, this vulnerability could be triggered by a simple JavaScript snippet using anti-DNS pinning, which removes the requirement for the attacker to have installed malware onto a machine inside the target network; the victim could be exploited by simply browsing to an infected Web page.
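A defender-side check for the request sequence in steps 3 and 4, added here as an example (not code from SourceSec, D-Link or the linked articles). It assumes LAN-side HTTP requests to the router are captured in a simple constructed log format; the router address 192.168.0.1, the name rebind.example and the 30-second window are assumptions, and only the two page names come from the write-up.

```python
from datetime import datetime, timedelta

# Constructed sample: HTTP requests seen reaching the router, one per line as
# "ISO-time client-ip method Host-header path". Format and values are assumed.
SAMPLE_LOG = """\
2009-05-20T10:00:01 192.168.0.50 GET 192.168.0.1 /index.html
2009-05-20T10:00:05 192.168.0.50 POST 192.168.0.1 /post_login.xml
2009-05-20T10:03:00 192.168.0.50 GET 192.168.0.1 /status.xml
2009-05-20T11:15:00 192.168.0.77 GET rebind.example /index.html
2009-05-20T11:15:01 192.168.0.77 POST rebind.example /post_login.xml
2009-05-20T11:15:02 192.168.0.77 GET rebind.example /wifisc_add_sta.xml
"""

ROUTER_HOSTS = {"192.168.0.1"}     # assumed: names the router is legitimately reached by
LOGIN_PAGE = "post_login.xml"      # page names taken from the write-up
WPS_PAGE = "wifisc_add_sta.xml"
WINDOW = timedelta(seconds=30)     # assumed: a scripted sequence completes quickly


def parse(line):
    ts, client, method, host, path = line.split()
    page = path.split("?")[0].rsplit("/", 1)[-1]   # drop query string and directory
    return datetime.fromisoformat(ts), client, method, host.lower(), page


def find_wps_activation(log_text):
    """Return one alert per WPS-activation request, with context flags."""
    last_login = {}   # client ip -> time of its most recent login request
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, page = parse(line)
        if page == LOGIN_PAGE:
            last_login[client] = ts
        elif page == WPS_PAGE:
            login = last_login.get(client)
            alerts.append({
                "client": client,
                "time": ts.isoformat(),
                # Login and WPS activation back to back suggests automation.
                "scripted_login": login is not None and ts - login <= WINDOW,
                # A Host header that is not the router itself means the browser
                # thought it was talking to another site (DNS rebinding).
                "foreign_host": host not in ROUTER_HOSTS,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_wps_activation(SAMPLE_LOG):
        print(alert)
```

The same Host-header comparison, enforced on the router's web server rather than in a log review, is the usual server-side defence against the anti-DNS-pinning variant.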
See these additional articles:
How DNS Pinning Works and why my router was not effective
DNS Pinning Death by 1000 Cutts
07 BlackHat Presentation on DNS Pinning






