ID

VAR-201807-1609


CVE

CVE-2018-8306


TITLE

Microsoft Wireless Display Adapter Command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-007128

DESCRIPTION

A command injection vulnerability exists in the Microsoft Wireless Display Adapter (MWDA) when the Microsoft Wireless Display Adapter does not properly manage user input, aka "Microsoft Wireless Display Adapter Command Injection Vulnerability." This affects Microsoft Wireless Display Adapter V2 Software. An attacker may exploit this issue to inject and execute arbitrary commands within the context of the affected application; this may aid in further attacks.

All Miracast® enabled Windows 10 phones, tablets and laptops, including the Surface line up. Stream movies, view personal photos, or display a presentation on a big screen - all wirelessly." [1]

During our research we found a command-injection, broken access control and an "evil-twin" attack.

Background:
MsWDA uses Wifi-Direct for the Connection and Miracast for transmitting Video- and Audiodata. The Wifi-Connection between MsWDA and the Client is always WPA2 encrypted. To setup the connection, MsWDA provides a well-known mechanism: Wi-Fi Protected Setup (WPS). MsWDA implements both push button configuration (PBC) and PIN configuration. Despite the original design and name, MsWDA offers PBC with the button virtually "pressed". A user simply connects. Regardless of the authentication method used (PBC or PIN), a client is assigned to a so-called "persistent group". A client in a persistent group does not have to re-authenticate on a new connection.

Effect:

Command injection:
The attacker has to be connected to the MsWDA. Using the Webservice the Name of the MsWDA could be set in the parameter "NewDeviceName". Appending characters to escape command line scripts, the device gets into a boot loop. Therefore the conclusion is legit, there is a command injection. After several bricked MsWDAs we gave up.

Broken Access Control:
a) PBC is implemented against Wifi Alliance Best Practices [2]. No Button has to be pressed, therefore the attacker has just to be in network range to authenticate. Physical access to the device is not required.
b) If an attacker has formed a persistent group with Push Button Configuration, he can authenticate with the persistent group, even if the configuration method is changed to PIN Configuration.
c) A persistent group does not expire, so the access right lasts forever. The WPA2 key of the connection does not change for a persistent group.

Evil-Twin-Attack:
To perform an Evil-Twin Attack, the Attacker has to be connected to the MsWDA attacked. The user will only find the attacker's name in the available connections and connect to the attacker's Evil Twin. A replication service will stream the user's data from the attacker's device to the MsWDA attacked. Therefore the user will not be able to recognize the attack. Besides the ability to view streaming data, the attacker can use the established connection to access other services on the victim's device, e.g. files if shared to trusted networks by the user. This does not require the attacker to have physical access, at least he needs the screen visible.

Disclosure Timeline:
2018/03/21 vendor contacted
2018/03/21 initial vendor response
2018/04/06 vendor confirmation
2018/04/20 vendor informs about fixes planned
2018/04/21 feedback to the vendor on the fixes
2018/05/17 vendor provides timeline for the firmware fixes for July 10th
2018/06/19 vendor provides assigned CVE number
2018/07/10 vendor publishes Advisory and Firmware-Updates
2018/07/30 coordinated public disclosure

External References:
[1] https://www.microsoft.com/accessories/en-us/products/adapters/wireless-display-adapter-2/p3q-00001
[2] https://www.wi-fi.org/downloads-public/wsc_best_practices_v2_0_1.pdf/8188

Credits:
Tobias Glemser tglemser@secuvera.de secuvera GmbH https://www.secuvera.de
Simon Winter simon.winter95@web.de Aalen University https://www.hs-aalen.de/en

Disclaimer:
All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore secuvera shall not be liable for any direct or indirect damages that might be caused by using this information.

Trust: 2.16

sources: NVD: CVE-2018-8306 // JVNDB: JVNDB-2018-007128 // BID: 104621 // VULHUB: VHN-138338 // VULMON: CVE-2018-8306 // PACKETSTORM: 148744

AFFECTED PRODUCTS

vendor: microsoft, model: wireless display adapter, scope: eq, version: 2.0.8372

Trust: 1.9

vendor: microsoft, model: wireless display adapter, scope: eq, version: 2.0.8365

Trust: 1.9

vendor: microsoft, model: wireless display adapter, scope: eq, version: 2.0.8350

Trust: 1.9

vendor: microsoft, model: wireless display adapter, scope: eq, version: v2 software version 2.0.8350

Trust: 0.8

vendor: microsoft, model: wireless display adapter, scope: eq, version: v2 software version 2.0.8365

Trust: 0.8

vendor: microsoft, model: wireless display adapter, scope: eq, version: v2 software version 2.0.8372

Trust: 0.8

sources: BID: 104621 // JVNDB: JVNDB-2018-007128 // CNNVD: CNNVD-201807-846 // NVD: CVE-2018-8306

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-8306
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-8306
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201807-846
value: MEDIUM

Trust: 0.6

VULHUB: VHN-138338
value: MEDIUM

Trust: 0.1

VULMON: CVE-2018-8306
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-8306
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.1
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-138338
severity: MEDIUM
baseScore: 5.2
vectorString: AV:A/AC:L/AU:S/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 5.1
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-8306
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.1
impactScore: 3.4
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-138338 // VULMON: CVE-2018-8306 // JVNDB: JVNDB-2018-007128 // CNNVD: CNNVD-201807-846 // NVD: CVE-2018-8306

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.9

sources: VULHUB: VHN-138338 // JVNDB: JVNDB-2018-007128 // NVD: CVE-2018-8306

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201807-846

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-201807-846

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-007128

PATCH

title: CVE-2018-8306 | Microsoft Wireless Display Adapter Command Injection Vulnerability
url: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8306

Trust: 0.8

title: CVE-2018-8306 | Microsoft Wireless Display Adapter command injection vulnerability
url: https://portal.msrc.microsoft.com/ja-jp/security-guidance/advisory/CVE-2018-8306

Trust: 0.8

title: Microsoft Wireless Display Adapter V2 Software Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=81910

Trust: 0.6

title: The Register
url: https://www.theregister.co.uk/2018/07/11/july_patch_tuesday/

Trust: 0.2

sources: VULMON: CVE-2018-8306 // JVNDB: JVNDB-2018-007128 // CNNVD: CNNVD-201807-846

EXTERNAL IDS

db: NVD, id: CVE-2018-8306

Trust: 3.0

db: BID, id: 104621

Trust: 2.1

db: SECTRACK, id: 1041269

Trust: 1.8

db: JVNDB, id: JVNDB-2018-007128

Trust: 0.8

db: CNNVD, id: CNNVD-201807-846

Trust: 0.7

db: PACKETSTORM, id: 148744

Trust: 0.3

db: VULHUB, id: VHN-138338

Trust: 0.1

db: VULMON, id: CVE-2018-8306

Trust: 0.1

sources: VULHUB: VHN-138338 // VULMON: CVE-2018-8306 // BID: 104621 // JVNDB: JVNDB-2018-007128 // PACKETSTORM: 148744 // CNNVD: CNNVD-201807-846 // NVD: CVE-2018-8306

REFERENCES

url:https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2018-8306

Trust: 2.2

url:http://www.securityfocus.com/bid/104621

Trust: 1.9

url:http://www.securitytracker.com/id/1041269

Trust: 1.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8306

Trust: 0.9

url:https://nvd.nist.gov/vuln/detail/cve-2018-8306

Trust: 0.9

url:https://www.ipa.go.jp/security/ciadr/vul/20180711-ms.html

Trust: 0.8

url:http://www.jpcert.or.jp/at/2018/at180028.html

Trust: 0.8

url:http://www.microsoft.com

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/77.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://packetstormsecurity.com/files/148744/microsoft-wireless-display-adapter-2-command-injection-broken-access-control.html

Trust: 0.1

url:https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/104621

Trust: 0.1

url:http://ipaddress/cgi-bin/msupload.sh?action=setdevicename&newdevicename=a%0d$(ls)%0d

Trust: 0.1

url:https://www.secuvera.de

Trust: 0.1

url:https://www.microsoft.com/accessories/en-us/products/adapters/wireless-display-adapter-2/p3q-00001

Trust: 0.1

url:https://www.secuvera.de/advisories/secuvera-sa-2018-03.txt

Trust: 0.1

url:https://www.wi-fi.org/downloads-public/wsc_best_practices_v2_0_1.pdf/8188

Trust: 0.1

url:http://ipaddress/cgi-bin/msupload.sh?action=setdevicename&newdevicename=a=b

Trust: 0.1

url:https://www.hs-aalen.de/en

Trust: 0.1

sources: VULHUB: VHN-138338 // VULMON: CVE-2018-8306 // BID: 104621 // JVNDB: JVNDB-2018-007128 // PACKETSTORM: 148744 // CNNVD: CNNVD-201807-846 // NVD: CVE-2018-8306

CREDITS

Tobias Glemser of secuvera GmbH, Simon Winter of Aalen University.

Trust: 0.3

sources: BID: 104621

SOURCES

db: VULHUB, id: VHN-138338
db: VULMON, id: CVE-2018-8306
db: BID, id: 104621
db: JVNDB, id: JVNDB-2018-007128
db: PACKETSTORM, id: 148744
db: CNNVD, id: CNNVD-201807-846
db: NVD, id: CVE-2018-8306

LAST UPDATE DATE

2024-11-23T23:04:59.986000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-138338, date: 2019-10-03T00:00:00
db: VULMON, id: CVE-2018-8306, date: 2019-10-03T00:00:00
db: BID, id: 104621, date: 2018-07-10T00:00:00
db: JVNDB, id: JVNDB-2018-007128, date: 2018-09-10T00:00:00
db: CNNVD, id: CNNVD-201807-846, date: 2019-10-23T00:00:00
db: NVD, id: CVE-2018-8306, date: 2024-11-21T04:13:35.353

SOURCES RELEASE DATE

db: VULHUB, id: VHN-138338, date: 2018-07-11T00:00:00
db: VULMON, id: CVE-2018-8306, date: 2018-07-11T00:00:00
db: BID, id: 104621, date: 2018-07-10T00:00:00
db: JVNDB, id: JVNDB-2018-007128, date: 2018-09-10T00:00:00
db: PACKETSTORM, id: 148744, date: 2018-07-30T17:31:52
db: CNNVD, id: CNNVD-201807-846, date: 2018-07-11T00:00:00
db: NVD, id: CVE-2018-8306, date: 2018-07-11T00:29:01.913