D-Link Forums

The Graveyard - Products No Longer Supported => Routers / COVR => DIR-655 => Topic started by: pingjockey on May 15, 2009, 01:21:16 PM

Title: Article over at The Register
Post by: pingjockey on May 15, 2009, 01:21:16 PM
Has anyone else read this yet?

http://www.theregister.co.uk/2009/05/15/dlink_router_gimmick/

I am not an overly happy camper about this. I like having a somewhat secure network.
Title: Re: Article over at The Register
Post by: EddieZ on May 15, 2009, 02:47:19 PM
Wow...I think the Dlink-developer that got the bonus for cooking up this gadget so fast will have to restitute that Las Vegas Weekend after all.....  ;D

Seriously, this is quite a gap we have here...
Title: Re: Article over at The Register
Post by: kegobeer on May 15, 2009, 03:03:34 PM
Hmmm, with this new "discovery" and the issues with Shareport, I think I'll just stick with 1.21.
Title: Re: Article over at The Register
Post by: Lycan on May 15, 2009, 03:13:01 PM
Guys, before we fly off the handle, I've forwarded this post to our PM group, give them a chance to rebut.
Title: Re: Article over at The Register
Post by: EddieZ on May 15, 2009, 03:39:19 PM
Quote from: Lycan on May 15, 2009, 03:13:01 PM
Guys, before we fly off the handle, I've forwarded this post to our PM group, give them a chance to rebut.

Since there is no way to evaluate the POC, a reaction from Dlink would be nice from the authors.
Title: Re: Article over at The Register
Post by: lotacus on May 15, 2009, 07:43:42 PM
I would like to see a proof of concept. I do know that the salt hash is easily attainable in a txt file on the router... however, I forget the local URL that retrieves it. I didn't bother trying to exploit it though.
Title: Re: Article over at The Register
Post by: MJBURNS on May 18, 2009, 06:24:52 AM
Quote from: lotacus on May 15, 2009, 07:43:42 PM
I would like to see a proof of concept. I do know that the salt hash is easily attainable in a txt file on the router... however, I forget the local URL that retrieves it. I didn't bother trying to exploit it though.

The exploit is demonstrated here:
http://www.sourcesec.com/2009/05/12/d-link-captcha-partially-broken/#more-159

As has been noted in a lot of security forums, the CAPTCHA "feature", even if properly implemented, is of dubious value in that it is never turned on by the people who never configure their routers away from the factory default passwords, and does nothing for those who do configure their routers with robust passwords (pass phrases).
Title: Re: Article over at The Register
Post by: Lycan on May 18, 2009, 08:21:59 AM
Agreed. Personally I would prefer a lockout after failed attempts method.
Title: Re: Article over at The Register
Post by: aljimenez on May 20, 2009, 09:57:34 PM
Is there a workaround to avoid this security risk? Is turning off CAPTCHA enough to remove the risk?  Al