D-Link Patches RCE Bugs in Wireless Access Point Gear

Four vulnerabilities were disclosed in D-Link’s software controller tool used in its enterprise-class wireless network access points. The disclosure, made on Thursday, also included two vulnerabilities that enabled attackers to remotely execute code with system permissions.

The flaws were discovered by a researcher with SecureAuth + Core Security. The bugs are tied to firmware controlling D-Link’s wireless access point gear called Central WiFiManager Software Controller, a tool used to help network administrators manage and monitor their wireless access point workflow via a centralized server.

Impacted are the software, the host system it runs one and D-Link devices managed, said D-Link said in a disclosure notice published to its site: “This disclosure directly affects the software package and current installations should be update with the new released available to download below. Failure to update may put this software package, the host computer it runs on, and D-Link devices that it manages at risk.”

Vulnerabilities allowed unauthenticated and authenticated file uploads into affected access points that could lead to remote code execution with system permissions, researchers said in a posting. Attackers can execute commands in the operating system of the server where the application is installed (any kind of system commands).

The first two remote code execution flaws both “allow an attacker to run code as nt authority\system (so the attacker could get privileged access to execute any command),” a SecureAuth+Core Security spokesperson told Threatpost. NT Authority/System represents every domain user account that is able to successfully log on to the domain.

The first flaw (CVE-2018-17440) stems from the issue that D-Link Central WiFiManager Software Controller exposes a File Transfer Protocol (FTP) server.

This flaw is “very easy to exploit,” according to the SecureAuth + Core Security spokesperson. The main issue is that the application runs an FTP server by default with hardcoded credentials (admin/admin).

In order to exploit this vulnerability, an attacker would upload a PHP file with malicious code and then request this file via a simple GET request (the application do not restrict unauthenticated users to request any file in the web root). They then will be able to execute arbitrary code and ultimately launch commands on the target system.

“Since the application do not restrict unauthenticated users to request any file in the web root, we later request the uploaded file to achieve remote code execution,” according to the release.

A second remote flaw (CVE-2018-17442) is more complex, researchers said.

“The exploitation follows the same pattern, the attacker has to upload a file with malicious code and then request it,” the spokesperson told Threatpost. “In this case the exploitation abuses a functionality given by the endpoint, that takes a .rar file, decompress it and store it in a folder named after the PHP time() function.”

So, the attacker’s goal is to get the server’s time, upload a PHP file inside a .RAR archive and calculate the appropriate file name to request it and execute its code. Importantly, the attacker would need to be authenticated to abuse the functionality.

“Our goal is first obtain the server’s time, upload a .RAR with our PHP file, calculate the proper epoch and iterate increasing it until we hit the proper one and remote code execution is achieved,” said researchers.

The last two flaws are cross-site scripting bugs– one (CVE-2018-17443) exists in the application site name parameter of the UpdateSite endpoint for the controller; while the other (CVE-2018-17441) exists in the tool that adds a new user, the  ‘username’ parameter of the addUser endpoint.

Central WifiManager v1.03r0098 is impacted. Researchers said that other products and versions may be affected- but they were not tested.

After discovering the flaws, Julian Muñoz from Core Security Consulting Services first notified D-Link in June. D-Link has released the beta version of the controller, Central WifiManager v 1.03r0100, which addresses the reported vulnerabilities.