secuvera-SA-2018-03: Command Injection, Broken Access Control and- Evil-Twin-Attack in Microsoft Wireless Display Adapter V2 - CVE-2018-8306

From: Tobias Glemser <tglemser@secuvera.de>
To: bugtraq@securityfocus.com <bugtraq@securityfocus.com>
Cc:
Subject: secuvera-SA-2018-03: Command Injection, Broken Access Control and- Evil-Twin-Attack in Microsoft Wireless Display Adapter V2 - CVE-2018-8306
Date:


secuvera-SA-2018-03: Command Injection, Broken Access Control and Evil-Twin-Attack in Microsoft Wireless Display Adapter V2 - CVE-2018-8306

Affected Products:
Microsoft Wireless Display Adapter V2:
 - Microsoft Wireless Display Adapter V2 Softwareversion 2.0.8350 to 2.0.8372 have been tested and are affected by the Command Injection Vulnerability
      - Microsoft Wireless Display Adapter V2 Softwareversion 2.0.8350 has been tested and is affected by the Broken Access Control Vulnerability
        - Microsoft Wireless Display Adapter V2 Softwareversion 2.0.8350 has been tested and is affected by the Evil-Twin-Attack Vulnerability
     Other releases have not been tested. 

 References
 - https://www.secuvera.de/advisories/secuvera-SA-2018-03.txt
       - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8306 (Command Injection)
     - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8306 (Command Injection)
 
Summary:
      Microsoft Wireless Display Adapter (MsWDA ) is a hardware device to
        "Share what\u2019s on your tablet, laptop, or smartphone. All 
        Miracast enabled Windows 10 phones, tablets and laptops, 
  including the Surface line up. Stream movies, view personal 
       photos, or display a presentation on a big screen \u2013 all 
      wirelessly." [1]
      
   During our research we found a command-injection, broken 
  access control and an "evil-twin" attack.
        
Background:
   MsWDA uses Wifi-Direct for the Connection and Miracast for 
        transmitting Video- and Audiodata. The Wifi-Connection 
    between MsWDA and the Client is alwasy WPA2 encrypted. To 
 setup the connection, MsWDA provides a well-known mechanism: 
      Wi-Fi Protected Setup (WPS). MsWDA implements both push 
   button configuration (PBC) and PIN configuration. Despite the
      original design and name, MsWDA offers PBC with the button 
        virtually "pressed". A user simply connects. Regardless the 
     authentication method used (PBC or PIN), a client is assigned
      to a so called "persistent group". A client in a persistent 
     group does not have to re-authenticate on a new connection. 
       
   Effect:
    Command injection:
         The attacker has to be connected to the MsWDA.Using the 
   Webservice the Name of the MsWDA could be set in the 
      parameter "NewDeviceName". Appending characters 
 to escape command line scripts, the device gets into a 
    boot loop. Therefore the conclusion is legit, there is 
    a command injection. After several bricked MsWDAs we gave
  up. 
       
   Broken Access Control:
     a) PBC is implemented against Wifi Alliance Best Practices [2]
     No Button has to be pressed, therefore the attacker has 
   just to be in network range to authenticate. Physical access
       to the device is not required.
     
   b) If an attacker has formed a persistent group with Push 
 Button Configuration, he can authenticate with the persistent 
     group, even if the configuration method is changed to PIN 
 Configuration.
     
   c) A persistent group does not expire, so the access right 
        longs forever. The WPA2 key of the connection does not change 
     for a persistent group.
    
   Evil-Twin-Attack:
  To perform an Evil-Twin Attack, the Attacker has to be connected
   to the MsWDA attacked. He then offers an own Display Adapter Service
       with the same name like the MsWDA attacked. The user will only find 
       the attackers name in the available connections and connect to the 
        attackers Evil Twin. A replication service will stream the users data 
     from the attackers device to the MsWDA attacked. Therefore the user 
       will not be able to recognize the attack.
  Besides the ability to view streaming data, the attacker can use 
  the established connection to access other services on the victims
 device, e. g. files if shared to trusted networks by the user.

        Vulnerable Script for the command injection:
       /cgi-bin/msupload.sh, Parameter NewDeviceName
      
Example for command injection:
        http://IPaddress/cgi-bin/msupload.sh?Action=SetDeviceName&NewDeviceName=a=b
   #show a device name with leading adapter_name=
     http://IPaddress/cgi-bin/msupload.sh?Action=SetDeviceName&NewDeviceName=a%0D$(ls)%0D
  #bring Display Adapter into a bootloop
     
   Solution:
  Always use PIN method for authentication. This does not require 
   the attacker to have physical access, at least he nees the screen visible.
 According to the vendor, the command injection has been fixed in 
  the firmware update July 2018.  
           
   Disclosure Timeline:
       2018/03/21 vendor contacted
        2018/03/21 initial vendor response
 2018/04/06 vendor confirmation 
    2018/04/20 vendor informs about fixes planned
      2018/04/21 feedback to the vendor on the fixes
     2018/05/17 vendor provides timeline for the firmware fixes for July 10th
   2018/06/19 vendor provides assigend CVE number
     2018/07/10 vendor publishes Advisory and Firmware-Updates 
 2018/07/30 coordinated public disclosure
   
   
   
External References:
   [1] https://www.microsoft.com/accessories/en-us/products/adapters/wireless-display-adapter-2/p3q-00001
     [2] https://www.wi-fi.org/downloads-public/wsc_best_practices_v2_0_1.pdf/8188

           
Credits:
   Tobias Glemser
     tglemser@secuvera.de
       secuvera GmbH
      https://www.secuvera.de
    
   Simon Winter
       simon.winter95@web.de
      Aalen University
   https://www.hs-aalen.de/en
 
Disclaimer:
   All information is provided without warranty. The intent is to
     provide information to secure infrastructure and/or systems, not
   to be able to attack or damage. Therefore secuvera shall
   not be liable for any direct or indirect damages that might be
     caused by using this information.





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.