Twenty Year Anniversary

Microsoft Wireless Display Adapter 2 Command Injection / Broken Access Control

Microsoft Wireless Display Adapter 2 Command Injection / Broken Access Control
Posted Jul 30, 2018
Authored by Tobias Glemser, Simon Winter | Site secuvera.de

Microsoft Wireless Display Adapter versions 2.0.8350 to 2.0.8372 suffer from command injection, broken access control, and evil twin attack vulnerabilities.

tags | exploit, vulnerability
advisories | CVE-2018-8306
MD5 | 79b0670ec3acfc2b6e1824b11bd94e05

Microsoft Wireless Display Adapter 2 Command Injection / Broken Access Control

Change Mirror Download
secuvera-SA-2018-03: Command Injection, Broken Access Control and Evil-Twin-Attack in Microsoft Wireless Display Adapter V2 - CVE-2018-8306

Affected Products:
Microsoft Wireless Display Adapter V2:
- Microsoft Wireless Display Adapter V2 Softwareversion 2.0.8350 to 2.0.8372 have been tested and are affected by the Command Injection Vulnerability
- Microsoft Wireless Display Adapter V2 Softwareversion 2.0.8350 has been tested and is affected by the Broken Access Control Vulnerability
- Microsoft Wireless Display Adapter V2 Softwareversion 2.0.8350 has been tested and is affected by the Evil-Twin-Attack Vulnerability
Other releases have not been tested.

References
- https://www.secuvera.de/advisories/secuvera-SA-2018-03.txt
- https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8306 (Command Injection)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8306 (Command Injection)

Summary:
Microsoft Wireless Display Adapter (MsWDA ) is a hardware device to
"Share whatas on your tablet, laptop, or smartphone. All
MiracastA(r) enabled Windows 10 phones, tablets and laptops,
including the Surface line up. Stream movies, view personal
photos, or display a presentation on a big screen a all
wirelessly." [1]

During our research we found a command-injection, broken
access control and an "evil-twin" attack.

Background:
MsWDA uses Wifi-Direct for the Connection and Miracast for
transmitting Video- and Audiodata. The Wifi-Connection
between MsWDA and the Client is alwasy WPA2 encrypted. To
setup the connection, MsWDA provides a well-known mechanism:
Wi-Fi Protected Setup (WPS). MsWDA implements both push
button configuration (PBC) and PIN configuration. Despite the
original design and name, MsWDA offers PBC with the button
virtually "pressed". A user simply connects. Regardless the
authentication method used (PBC or PIN), a client is assigned
to a so called "persistent group". A client in a persistent
group does not have to re-authenticate on a new connection.

Effect:
Command injection:
The attacker has to be connected to the MsWDA.Using the
Webservice the Name of the MsWDA could be set in the
parameter "NewDeviceName". Appending characters
to escape command line scripts, the device gets into a
boot loop. Therefore the conclusion is legit, there is
a command injection. After several bricked MsWDAs we gave
up.

Broken Access Control:
a) PBC is implemented against Wifi Alliance Best Practices [2]
No Button has to be pressed, therefore the attacker has
just to be in network range to authenticate. Physical access
to the device is not required.

b) If an attacker has formed a persistent group with Push
Button Configuration, he can authenticate with the persistent
group, even if the configuration method is changed to PIN
Configuration.

c) A persistent group does not expire, so the access right
longs forever. The WPA2 key of the connection does not change
for a persistent group.

Evil-Twin-Attack:
To perform an Evil-Twin Attack, the Attacker has to be connected
to the MsWDA attacked. He then offers an own Display Adapter Service
with the same name like the MsWDA attacked. The user will only find
the attackers name in the available connections and connect to the
attackers Evil Twin. A replication service will stream the users data
from the attackers device to the MsWDA attacked. Therefore the user
will not be able to recognize the attack.
Besides the ability to view streaming data, the attacker can use
the established connection to access other services on the victims
device, e. g. files if shared to trusted networks by the user.

Vulnerable Script for the command injection:
/cgi-bin/msupload.sh, Parameter NewDeviceName

Example for command injection:
http://IPaddress/cgi-bin/msupload.sh?Action=SetDeviceName&NewDeviceName=a=b
#show a device name with leading adapter_name=
http://IPaddress/cgi-bin/msupload.sh?Action=SetDeviceName&NewDeviceName=a%0D$(ls)%0D
#bring Display Adapter into a bootloop

Solution:
Always use PIN method for authentication. This does not require
the attacker to have physical access, at least he nees the screen visible.
According to the vendor, the command injection has been fixed in
the firmware update July 2018.

Disclosure Timeline:
2018/03/21 vendor contacted
2018/03/21 initial vendor response
2018/04/06 vendor confirmation
2018/04/20 vendor informs about fixes planned
2018/04/21 feedback to the vendor on the fixes
2018/05/17 vendor provides timeline for the firmware fixes for July 10th
2018/06/19 vendor provides assigend CVE number
2018/07/10 vendor publishes Advisory and Firmware-Updates
2018/07/30 coordinated public disclosure



External References:
[1] https://www.microsoft.com/accessories/en-us/products/adapters/wireless-display-adapter-2/p3q-00001
[2] https://www.wi-fi.org/downloads-public/wsc_best_practices_v2_0_1.pdf/8188


Credits:
Tobias Glemser
tglemser@secuvera.de
secuvera GmbH
https://www.secuvera.de

Simon Winter
simon.winter95@web.de
Aalen University
https://www.hs-aalen.de/en

Disclaimer:
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore secuvera shall
not be liable for any direct or indirect damages that might be
caused by using this information.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    20 Files
  • 17
    Oct 17th
    19 Files
  • 18
    Oct 18th
    21 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close