D-Link issued security patches to address several remote code execution and cross-site scripting (XSS) vulnerabilities affecting the Central WiFiManager access point management tool.
The vulnerabilities were reported by researchers at SecureAuth/CoreSecurity.
The D-Link Central WiFiManager software controller helps network administrators streamline their wireless access point (AP) management workflow. It uses a centralized server to allow the remote management and monitoring of wireless APs on a network.
The software can be deployed both locally and in the cloud.
The researchers discovered four potentially serious flaws in Central WiFiManager for Windows (version 1.03 and others) that can be exploited for arbitrary code execution.
The most severe flaw, tracked as CVE-2018-17440, is related to the presence of default credentials (admin/admin) in the FTP server running on port 9000 of the web app.
An attacker can use these credentials to connect to the server and upload a specially crafted PHP file that, once requested, leads to arbitrary code execution.
“The web application starts an FTP server running on the port 9000 by default with admin/admin credentials and does not show the option to change it, so in this POC we establish a connection with the server and upload a PHP file. Since the application does not restrict unauthenticated users to request any file in the web root, we later request the uploaded file to achieve remote code execution,” reads the security advisory.
Another flaw discovered by the researchers, tracked as CVE-2018-17442, is an authenticated remote code execution via Unrestricted Upload of File with Dangerous Type.
The Central WiFiManager access point management tool allows users to upload RAR archives and an authenticated attacker could exploit this feature by uploading an archive that includes a PHP file whose content will be executed in the context of the web application.
“When the .rar is uploaded it is stored in the path ‘\web\captivalportal’ in a folder with a timestamp created by the PHP time() function. In order to know what the web server’s time is we request an information file that contains the time we are looking for. After we have the server’s time we upload the .rar, calculate the proper epoch and request the appropriate path increasing this epoch by one until we hit the correct one,” continues the advisory.
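The advisory above describes the attacker walking the timestamp-named upload folders one epoch at a time until the uploaded PHP file answers. That pattern is visible in the web server's access log, and the following detection is an added example written for this article, not code from D-Link or from the SecureAuth/CoreSecurity advisory. It assumes the upload folders are served under a URL path of the form /web/captivalportal/<epoch>/<file>.php (the exact URL layout is an assumption) and that the log is in Common Log Format; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed URL layout for the timestamped upload folders the advisory describes
# (e.g. /web/captivalportal/1528106403/x.php). The path prefix is an assumption.
UPLOAD_PATH = re.compile(r"^/web/captivalportal/(\d{10})/[^/\s?]+\.php(?:$|\?)", re.IGNORECASE)
# Common Log Format: client - user [timestamp] "METHOD path HTTP/x" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return {ip, method, path, status} for one access-log line, or None if unparsable."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status)}

def find_epoch_probing(lines, min_probes=3):
    """Flag clients requesting .php files under consecutive epoch-named upload folders.
    Returns {ip: (number_of_probes, first_path_that_returned_200_or_None)}."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = UPLOAD_PATH.match(rec["path"])
        if m:
            per_ip[rec["ip"]].append((int(m.group(1)), rec["path"], rec["status"]))
    alerts = {}
    for ip, probes in per_ip.items():
        epochs = [e for e, _, _ in probes]
        # Count adjacent requests whose folder timestamp differs by exactly one second.
        consecutive = sum(1 for a, b in zip(epochs, epochs[1:]) if b - a == 1)
        if consecutive + 1 >= min_probes:
            hit = next((p for _, p, s in probes if s == 200), None)
            alerts[ip] = (len(probes), hit)
    return alerts

# Constructed sample log: one client sweeps three adjacent epochs until a 200,
# another client fetches a non-PHP file from an upload folder (benign).
SAMPLE_LOG = """203.0.113.5 - - [04/Jun/2018:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [04/Jun/2018:10:00:02 +0000] "GET /web/captivalportal/1528106401/x.php HTTP/1.1" 404 0
203.0.113.5 - - [04/Jun/2018:10:00:02 +0000] "GET /web/captivalportal/1528106402/x.php HTTP/1.1" 404 0
203.0.113.5 - - [04/Jun/2018:10:00:03 +0000] "GET /web/captivalportal/1528106403/x.php HTTP/1.1" 200 33
198.51.100.7 - - [04/Jun/2018:10:05:00 +0000] "GET /web/captivalportal/1528106700/logo.png HTTP/1.1" 200 2048""".splitlines()

if __name__ == "__main__":
    for ip, (count, hit) in find_epoch_probing(SAMPLE_LOG).items():
        print(f"{ip}: {count} upload-folder probes, first successful PHP request: {hit}")
```

A 404-then-200 sequence from one client across adjacent epoch folders is the signal to act on; a single 200 for a .php file under that directory is already worth review, since nothing legitimate should execute from the upload location.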
The remaining issues include two stored XSS flaws in the “UpdateSite” (CVE-2018-17443) and “addUser” (CVE-2018-17441) functionality, specifically in the sitename and username parameters, respectively.
The vulnerabilities were reported to D-Link on June 4, and the company addressed them with version 1.03R0100-Beta1.
(Security Affairs – D-Link, Central WiFiManager access point)