D-Link Patches Code Execution, XSS Flaws in Management Tool
7.10.2018 securityweek
Vulnerebility

D-Link has released patches for several remote code execution and cross-site scripting (XSS) vulnerabilities found by researchers in the company's Central WiFiManager access point management tool.

Central WiFiManager allows organizations to create and manage multi-site and multi-tenancy wireless networks. The software can be deployed both locally and in the cloud.

Researchers at SecureAuth + CoreSecurity discovered that version 1.03 and possibly others of Central WiFiManager for Windows is affected by four potentially serious vulnerabilities that can be exploited for arbitrary code execution.

The most severe of the security holes, CVE-2018-17440, is related to the fact that the web app includes an FTP server running on port 9000 with the default credentials admin/admin. An attacker can use it to establish a connection to the server and upload a specially crafted PHP file. Requesting this file can lead to arbitrary code execution.

Another code execution vulnerability discovered by researchers is CVE-2018-17442, which also involves uploading arbitrary files. The tool allows users to upload RAR archives and experts noticed that they can abuse the functionality to upload archives that include a PHP file whose content will be executed in the context of the web application. However, SecureAuth + CoreSecurity noted in its advisory that authentication is required for exploitation.

"When the .rar is uploaded is stored in the path '\web\captivalportal' in a folder with a timestamp created by the PHP time() function. In order to know what is the web server's time we request an information file that contains the time we are looking for. After we have the server's time we upload the .rar, calculate the proper epoch and request the appropriate path increasing this epoch by one until we hit the correct one," the security firm said in its advisory.

Experts also discovered two stored XSS flaws in the "UpdateSite" (CVE-2018-17443) and "addUser" (CVE-2018-17441) functionality, specifically the sitename and username parameters, respectively.

The vulnerabilities were reported to D-Link in early June and they were patched recently with the release of version 1.03R0100-Beta1.

"This disclosure directly affects the software package and current installations should be update with the new released available to download below. Failure to update may put this software package, the host computer it runs on, and D-Link devices that it manages at risk," D-Link said in its own advisory.