BugTraq
secuvera-SA-2018-03: Command Injection, Broken Access Control and Evil-Twin-Attack in Microsoft Wireless Display Adapter V2 - CVE-2018-8306 Jul 30 2018 05:35AM
Tobias Glemser (tglemser secuvera de)
secuvera-SA-2018-03: Command Injection, Broken Access Control and Evil-Twin-Attack in Microsoft Wireless Display Adapter V2 - CVE-2018-8306

Affected Products:

Microsoft Wireless Display Adapter V2:

- Microsoft Wireless Display Adapter V2 Softwareversion 2.0.8350 to 2.0.8372 have been tested and are affected by the Command Injection Vulnerability

- Microsoft Wireless Display Adapter V2 Softwareversion 2.0.8350 has been tested and is affected by the Broken Access Control Vulnerability

- Microsoft Wireless Display Adapter V2 Softwareversion 2.0.8350 has been tested and is affected by the Evil-Twin-Attack Vulnerability

Other releases have not been tested.

References

- https://www.secuvera.de/advisories/secuvera-SA-2018-03.txt

- https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2
018-8306 (Command Injection)

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8306 (Command Injection)

Summary:

Microsoft Wireless Display Adapter (MsWDA ) is a hardware device to

"Share whatâ??s on your tablet, laptop, or smartphone. All

Miracast® enabled Windows 10 phones, tablets and laptops,

including the Surface line up. Stream movies, view personal

photos, or display a presentation on a big screen â?? all

wirelessly." [1]

During our research we found a command-injection, broken

access control and an "evil-twin" attack.

Background:

MsWDA uses Wifi-Direct for the Connection and Miracast for

transmitting Video- and Audiodata. The Wifi-Connection

between MsWDA and the Client is alwasy WPA2 encrypted. To

setup the connection, MsWDA provides a well-known mechanism:

Wi-Fi Protected Setup (WPS). MsWDA implements both push

button configuration (PBC) and PIN configuration. Despite the

original design and name, MsWDA offers PBC with the button

virtually "pressed". A user simply connects. Regardless the

authentication method used (PBC or PIN), a client is assigned

to a so called "persistent group". A client in a persistent

group does not have to re-authenticate on a new connection.

Effect:

Command injection:

The attacker has to be connected to the MsWDA.Using the

Webservice the Name of the MsWDA could be set in the

parameter "NewDeviceName". Appending characters

to escape command line scripts, the device gets into a

boot loop. Therefore the conclusion is legit, there is

a command injection. After several bricked MsWDAs we gave

up.

Broken Access Control:

a) PBC is implemented against Wifi Alliance Best Practices [2]

No Button has to be pressed, therefore the attacker has

just to be in network range to authenticate. Physical access

to the device is not required.

b) If an attacker has formed a persistent group with Push

Button Configuration, he can authenticate with the persistent

group, even if the configuration method is changed to PIN

Configuration.

c) A persistent group does not expire, so the access right

longs forever. The WPA2 key of the connection does not change

for a persistent group.

Evil-Twin-Attack:

To perform an Evil-Twin Attack, the Attacker has to be connected

to the MsWDA attacked. He then offers an own Display Adapter Service

with the same name like the MsWDA attacked. The user will only find

the attackers name in the available connections and connect to the

attackers Evil Twin. A replication service will stream the users data

from the attackers device to the MsWDA attacked. Therefore the user

will not be able to recognize the attack.

Besides the ability to view streaming data, the attacker can use

the established connection to access other services on the victims

device, e. g. files if shared to trusted networks by the user.

Vulnerable Script for the command injection:

/cgi-bin/msupload.sh, Parameter NewDeviceName

Example for command injection:

http://IPaddress/cgi-bin/msupload.sh?Action=SetDeviceName&NewDeviceName=
a=b

#show a device name with leading adapter_name=

http://IPaddress/cgi-bin/msupload.sh?Action=SetDeviceName&NewDeviceName=
a%0D$(ls)%0D

#bring Display Adapter into a bootloop

Solution:

Always use PIN method for authentication. This does not require

the attacker to have physical access, at least he nees the screen visible.

According to the vendor, the command injection has been fixed in

the firmware update July 2018.

Disclosure Timeline:

2018/03/21 vendor contacted

2018/03/21 initial vendor response

2018/04/06 vendor confirmation

2018/04/20 vendor informs about fixes planned

2018/04/21 feedback to the vendor on the fixes

2018/05/17 vendor provides timeline for the firmware fixes for July 10th

2018/06/19 vendor provides assigend CVE number

2018/07/10 vendor publishes Advisory and Firmware-Updates

2018/07/30 coordinated public disclosure

External References:

[1] https://www.microsoft.com/accessories/en-us/products/adapters/wireless-d
isplay-adapter-2/p3q-00001

[2] https://www.wi-fi.org/downloads-public/wsc_best_practices_v2_0_1.pdf/818
8

Credits:

Tobias Glemser

tglemser (at) secuvera (dot) de [email concealed]

secuvera GmbH

https://www.secuvera.de

Simon Winter

simon.winter95 (at) web (dot) de [email concealed]

Aalen University

https://www.hs-aalen.de/en

Disclaimer:

All information is provided without warranty. The intent is to

provide information to secure infrastructure and/or systems, not

to be able to attack or damage. Therefore secuvera shall

not be liable for any direct or indirect damages that might be

caused by using this information.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus