secuvera-SA-2018-03: Command Injection, Broken Access Control and Evil-Twin-Attack in Microsoft Wireless Display Adapter V2 - CVE-2018-8306

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



secuvera-SA-2018-03: Command Injection, Broken Access Control and Evil-Twin-Attack in Microsoft Wireless Display Adapter V2 - CVE-2018-8306

Affected Products:
Microsoft Wireless Display Adapter V2:
	- Microsoft Wireless Display Adapter V2 Softwareversion 2.0.8350 to 2.0.8372 have been tested and are affected by the Command Injection Vulnerability
	- Microsoft Wireless Display Adapter V2 Softwareversion 2.0.8350 has been tested and is affected by the Broken Access Control Vulnerability
	- Microsoft Wireless Display Adapter V2 Softwareversion 2.0.8350 has been tested and is affected by the Evil-Twin-Attack Vulnerability
	Other releases have not been tested. 

	References
	- https://www.secuvera.de/advisories/secuvera-SA-2018-03.txt
	- https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8306 (Command Injection)
	- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8306 (Command Injection)
	
Summary:
	Microsoft Wireless Display Adapter (MsWDA ) is a hardware device to
	"Share what’s on your tablet, laptop, or smartphone. All 
	Miracast® enabled Windows 10 phones, tablets and laptops, 
	including the Surface line up. Stream movies, view personal 
	photos, or display a presentation on a big screen – all 
	wirelessly." [1]
	
	During our research we found a command-injection, broken 
	access control and an "evil-twin" attack.
	
Background:
	MsWDA uses Wifi-Direct for the Connection and Miracast for 
	transmitting Video- and Audiodata. The Wifi-Connection 
	between MsWDA and the Client is alwasy WPA2 encrypted. To 
	setup the connection, MsWDA provides a well-known mechanism: 
	Wi-Fi Protected Setup (WPS). MsWDA implements both push 
	button configuration (PBC) and PIN configuration. Despite the
	original design and name, MsWDA offers PBC with the button 
	virtually "pressed". A user simply connects. Regardless the 
	authentication method used (PBC or PIN), a client is assigned
	to a so called "persistent group". A client in a persistent 
	group does not have to re-authenticate on a new connection. 
	
	Effect:
	Command injection:
   	The attacker has to be connected to the MsWDA.Using the 
	Webservice the Name of the MsWDA could be set in the 
	parameter "NewDeviceName". Appending characters 
	to escape command line scripts, the device gets into a 
	boot loop. Therefore the conclusion is legit, there is 
	a command injection. After several bricked MsWDAs we gave
	up. 
	
	Broken Access Control:
	a) PBC is implemented against Wifi Alliance Best Practices [2]
	No Button has to be pressed, therefore the attacker has 
	just to be in network range to authenticate. Physical access
	to the device is not required.
	
	b) If an attacker has formed a persistent group with Push 
	Button Configuration, he can authenticate with the persistent 
	group, even if the configuration method is changed to PIN 
	Configuration.
	
	c) A persistent group does not expire, so the access right 
	longs forever. The WPA2 key of the connection does not change 
	for a persistent group.
	
	Evil-Twin-Attack:
	To perform an Evil-Twin Attack, the Attacker has to be connected
	to the MsWDA attacked. He then offers an own Display Adapter Service
	with the same name like the MsWDA attacked. The user will only find 
	the attackers name in the available connections and connect to the 
	attackers Evil Twin. A replication service will stream the users data 
	from the attackers device to the MsWDA attacked. Therefore the user 
	will not be able to recognize the attack.
	Besides the ability to view streaming data, the attacker can use 
	the established connection to access other services on the victims
	device, e. g. files if shared to trusted networks by the user.

	Vulnerable Script for the command injection:
	/cgi-bin/msupload.sh, Parameter NewDeviceName
	
Example for command injection:
	http://IPaddress/cgi-bin/msupload.sh?Action=SetDeviceName&NewDeviceName=a=b
	#show a device name with leading adapter_name=
	http://IPaddress/cgi-bin/msupload.sh?Action=SetDeviceName&NewDeviceName=a%0D$(ls)%0D
	#bring Display Adapter into a bootloop
	
	Solution:
	Always use PIN method for authentication. This does not require 
	the attacker to have physical access, at least he nees the screen visible.
	According to the vendor, the command injection has been fixed in 
	the firmware update July 2018.  
    	
	Disclosure Timeline:
	2018/03/21 vendor contacted
	2018/03/21 initial vendor response
	2018/04/06 vendor confirmation 
	2018/04/20 vendor informs about fixes planned
	2018/04/21 feedback to the vendor on the fixes
	2018/05/17 vendor provides timeline for the firmware fixes for July 10th
	2018/06/19 vendor provides assigend CVE number
	2018/07/10 vendor publishes Advisory and Firmware-Updates 
	2018/07/30 coordinated public disclosure
	
	
	
External References:
	 [1] https://www.microsoft.com/accessories/en-us/products/adapters/wireless-display-adapter-2/p3q-00001
	 [2] https://www.wi-fi.org/downloads-public/wsc_best_practices_v2_0_1.pdf/8188

	   
Credits:
	Tobias Glemser
	tglemser@xxxxxxxxxxx
	secuvera GmbH
	https://www.secuvera.de
	
	Simon Winter
	simon.winter95@xxxxxx
	Aalen University
	https://www.hs-aalen.de/en
	
Disclaimer:
	All information is provided without warranty. The intent is to
	provide information to secure infrastructure and/or systems, not
	to be able to attack or damage. Therefore secuvera shall
	not be liable for any direct or indirect damages that might be
	caused by using this information.




[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux