Microsoft Wireless Display Adapter 2 Command Injection / Broken Access Control Vulnerability
Security Risk: High
Command Injection, Broken Access Control and Evil-Twin Attack in Microsoft Wireless Display Adapter V2 - CVE-2018-8306

Affected Products:
Microsoft Wireless Display Adapter V2:
- Microsoft Wireless Display Adapter V2 software versions 2.0.8350 to 2.0.8372 have been tested and are affected by the command injection vulnerability
- Microsoft Wireless Display Adapter V2 software version 2.0.8350 has been tested and is affected by the broken access control vulnerability
- Microsoft Wireless Display Adapter V2 software version 2.0.8350 has been tested and is affected by the evil-twin attack vulnerability
Other releases have not been tested.

References:
- https://www.secuvera.de/advisories/secuvera-SA-2018-03.txt
- https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8306 (Command Injection)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8306 (Command Injection)

Summary:
Microsoft Wireless Display Adapter (MsWDA) is a hardware device to "Share what's on your tablet, laptop, or smartphone. All Miracast(R) enabled Windows 10 phones, tablets and laptops, including the Surface line up. Stream movies, view personal photos, or display a presentation on a big screen - all wirelessly." [1]
During our research we found a command injection, broken access control and an "evil-twin" attack.

Background:
MsWDA uses Wi-Fi Direct for the connection and Miracast for transmitting video and audio data. The Wi-Fi connection between MsWDA and the client is always WPA2 encrypted. To set up the connection, MsWDA provides a well-known mechanism: Wi-Fi Protected Setup (WPS). MsWDA implements both push button configuration (PBC) and PIN configuration. Despite the original design and name, MsWDA offers PBC with the button virtually "pressed": a user simply connects. Regardless of the authentication method used (PBC or PIN), a client is assigned to a so-called "persistent group". A client in a persistent group does not have to re-authenticate on a new connection.

Effect:
Command injection:
The attacker has to be connected to the MsWDA. Using the web service, the name of the MsWDA can be set via the parameter "NewDeviceName". Appending characters that escape the command line script puts the device into a boot loop, so we conclude that there is a command injection. After several bricked MsWDAs we gave up.

Broken access control:
a) PBC is implemented against Wi-Fi Alliance best practices [2]. No button has to be pressed, so an attacker only has to be in network range to authenticate. Physical access to the device is not required.
b) If an attacker has formed a persistent group with push button configuration, he can still authenticate with the persistent group even if the configuration method is changed to PIN configuration.
c) A persistent group does not expire, so the access right lasts forever. The WPA2 key of the connection does not change for a persistent group.

Evil-twin attack:
To perform an evil-twin attack, the attacker has to be connected to the attacked MsWDA. He then offers his own display adapter service with the same name as the attacked MsWDA. The user will only find the attacker's name in the available connections and connects to the attacker's evil twin. A replication service streams the user's data from the attacker's device to the attacked MsWDA, so the user will not be able to recognize the attack. Besides the ability to view the streamed data, the attacker can use the established connection to access other services on the victim's device, e.g. files if the user has shared them to trusted networks.

Vulnerable script for the command injection:
/cgi-bin/msupload.sh, parameter NewDeviceName

Example for command injection:
http://IPaddress/cgi-bin/msupload.sh?Action=SetDeviceName&NewDeviceName=a=b
  # shows a device name with leading adapter_name=
http://IPaddress/cgi-bin/msupload.sh?Action=SetDeviceName&NewDeviceName=a%0D$(ls)%0D
  # brings the Display Adapter into a boot loop

Solution:
Always use the PIN method for authentication. This does not require the attacker to have physical access, but he at least needs the screen to be visible. According to the vendor, the command injection has been fixed in the firmware update of July 2018.

Disclosure Timeline:
2018/03/21 vendor contacted
2018/03/21 initial vendor response
2018/04/06 vendor confirmation
2018/04/20 vendor informs about fixes planned
2018/04/21 feedback to the vendor on the fixes
2018/05/17 vendor provides timeline for the firmware fixes for July 10th
2018/06/19 vendor provides assigned CVE number
2018/07/10 vendor publishes advisory and firmware updates
2018/07/30 coordinated public disclosure

External References:
[1] https://www.microsoft.com/accessories/en-us/products/adapters/wireless-display-adapter-2/p3q-00001
[2] https://www.wi-fi.org/downloads-public/wsc_best_practices_v2_0_1.pdf/8188
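As an added example (not from the advisory, the vendor or the 0day.today page), a small Python scanner that flags access-log requests to /cgi-bin/msupload.sh whose decoded NewDeviceName carries CR/LF or shell metacharacters, like the boot-loop request above, alongside the allowlist check a hardened SetDeviceName handler could apply before the value reaches a shell. The Common Log Format, the metacharacter set and the name allowlist are assumptions; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters that must never reach a shell command line; the set covers the CR (%0D)
# and $( ) used in the advisory's boot-loop request (assumed, not the vendor's filter).
SHELL_META = re.compile(r'[\r\n;|&`$()<>{}]')
# Assumed allowlist for a display name: letters, digits, space, dot, dash, underscore.
SAFE_NAME = re.compile(r'[A-Za-z0-9 ._-]{1,32}')
CGI_PATH = '/cgi-bin/msupload.sh'
# Common Log Format request line: client IP and request target (assumed log layout).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def is_safe_device_name(name: str) -> bool:
    """Allowlist check a hardened SetDeviceName handler would apply before any shell use."""
    return SAFE_NAME.fullmatch(name) is not None

def suspicious_params(request_target: str) -> list:
    """Names of msupload.sh query parameters whose decoded values look like shell injection."""
    parts = urlsplit(request_target)
    if parts.path != CGI_PATH:
        return []
    hits = []
    # parse_qs percent-decodes, so %0D becomes a literal carriage return here.
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if any(SHELL_META.search(v) or (key == 'NewDeviceName' and not is_safe_device_name(v))
               for v in values):
            hits.append(key)
    return hits

def scan_access_log(log_text: str) -> list:
    """(client_ip, request_target, [params]) for every flagged line of an access log."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, target = m.groups()
            params = suspicious_params(target)
            if params:
                findings.append((ip, target, params))
    return findings

# Constructed sample log: a benign rename, the advisory's boot-loop payload, an unrelated request.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jul/2018:10:00:01 +0000] "GET /cgi-bin/msupload.sh?Action=SetDeviceName&NewDeviceName=Meeting-Room HTTP/1.1" 200 15
192.0.2.20 - - [30/Jul/2018:10:00:02 +0000] "GET /cgi-bin/msupload.sh?Action=SetDeviceName&NewDeviceName=a%0D$(ls)%0D HTTP/1.1" 200 15
192.0.2.30 - - [30/Jul/2018:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512
"""

if __name__ == '__main__':
    print(scan_access_log(SAMPLE_LOG))
```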