D-Link WiFi range extender vulnerable to command injection attacks | spcilvly


The popular D-Link DAP-X1860 WiFi 6 range extender is susceptible to a vulnerability that allows denial of service (DoS) and remote command injection by an attacker within WiFi range of the device.

The product is currently listed as available on D-Link’s site and has thousands of reviews on Amazon, making it a popular choice among consumers.

A team of German researchers (RedTeam) discovered the vulnerability, tracked as CVE-2023-45208, and reports that despite several attempts to alert D-Link, the vendor remained silent and no fix has been released.

Vulnerability details

The problem lies in the D-Link DAP-X1860’s network scanning functionality: it cannot handle SSIDs that contain a single quote (‘) in the name, because the name is passed to a shell, where the quote terminates the quoted string and everything after it is interpreted as shell syntax.

Technically, the problem originates in the ‘parsing_xml_stasurvey’ function of the libcgifunc.so library, which builds a shell command that includes the scanned SSID and executes it.

Because the SSID is not sanitized before being embedded in that command, an attacker can easily abuse the scan for malicious purposes.

An attacker within range of the extender can set up a WiFi network whose name resembles one the target is familiar with but includes a single quote, for example “Olaf’s Network”.

When the extender processes that SSID, its web interface returns “Error 500: Internal Server Error” and the scan no longer works normally, which amounts to a denial of service.

Figure: extender web server response (source: RedTeam)

If the attacker instead appends a shell command to the SSID, separated by “&&”, for example “Test’ && uname -a &&”, the extender is tricked into running ‘uname -a’ while setting up or scanning the network. The payload is bounded by the 32-byte maximum length of an 802.11 SSID, which is still ample for a short command or a call to a downloaded script.

All processes on the extender, including commands injected by an external threat actor, run with root privileges, so an attacker can use the device to probe other hosts on the network it extends and pivot further into that network.
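To make the bug class concrete, the following is an added illustrative example in C; it is not code from the advisory or from D-Link’s firmware. The tool name “stasurvey”, the function names and the sample SSIDs are assumptions constructed for the demonstration. It shows the vulnerable interpolation of an SSID into a shell command, a properly quoted variant that also enforces the 32-byte SSID limit, and a small model of shell tokenization that flags when an SSID changes the meaning of the command (either by placing a control character outside the quotes or by leaving a quote unterminated, which is the “Error 500” case described above).

```c
#include <stdio.h>
#include <string.h>

#define SSID_MAX_LEN 32   /* IEEE 802.11 SSIDs are at most 32 octets */

/* Vulnerable pattern (assumed reconstruction, not the firmware's code):
 * the scanned SSID is pasted into a single-quoted argument of a command
 * that is then handed to the shell. A ' inside the SSID closes the quote
 * and whatever follows is parsed as shell syntax. "stasurvey" is a
 * placeholder tool name. Returns 0 on success, -1 if out is too small. */
int build_scan_cmd_vulnerable(const char *ssid, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "stasurvey --ssid '%s'", ssid);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* POSIX shell single-quoting: wrap in '...' and turn every embedded '
 * into '\'' (close quote, escaped quote, reopen quote). */
int shell_single_quote(const char *in, char *out, size_t outlen)
{
    size_t pos = 0;
    if (outlen < 3) return -1;
    out[pos++] = '\'';
    for (; *in; in++) {
        if (*in == '\'') {
            if (pos + 4 + 2 > outlen) return -1;   /* '\'' plus closing ' and NUL */
            memcpy(out + pos, "'\\''", 4);
            pos += 4;
        } else {
            if (pos + 1 + 2 > outlen) return -1;
            out[pos++] = *in;
        }
    }
    out[pos++] = '\'';
    out[pos] = '\0';
    return 0;
}

/* Hardened variant: enforce the 802.11 length limit and quote properly. */
int build_scan_cmd_hardened(const char *ssid, char *out, size_t outlen)
{
    char quoted[4 * SSID_MAX_LEN + 3];   /* 32 quotes -> 128 bytes + 2 quotes + NUL */
    int n;
    if (strlen(ssid) > SSID_MAX_LEN) return -1;
    if (shell_single_quote(ssid, quoted, sizeof quoted) != 0) return -1;
    n = snprintf(out, outlen, "stasurvey --ssid %s", quoted);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Minimal model of how sh tokenizes the command: track single-quote state
 * (honouring backslash escapes outside quotes) and return 1 if a shell
 * control character lands outside quotes or a quote is left unterminated,
 * i.e. if the SSID changed the meaning of the command. Returns 0 otherwise. */
int shell_would_misparse(const char *cmd)
{
    int in_quote = 0;
    for (; *cmd; cmd++) {
        if (!in_quote && *cmd == '\\' && cmd[1]) { cmd++; continue; }
        if (*cmd == '\'') { in_quote = !in_quote; continue; }
        if (!in_quote && strchr("&;|`$<>()", *cmd)) return 1;
    }
    return in_quote;   /* unterminated quote: the shell fails (the "Error 500" case) */
}

int main(void)
{
    /* Constructed sample SSIDs: benign, quote-only (DoS), and injection. */
    const char *ssids[] = { "HomeNet", "Olaf's Network", "Test' && uname -a &&" };
    char cmd[256];
    for (size_t i = 0; i < sizeof ssids / sizeof ssids[0]; i++) {
        build_scan_cmd_vulnerable(ssids[i], cmd, sizeof cmd);
        printf("vulnerable: %-48s misparse=%d\n", cmd, shell_would_misparse(cmd));
        if (build_scan_cmd_hardened(ssids[i], cmd, sizeof cmd) == 0)
            printf("hardened:   %-48s misparse=%d\n", cmd, shell_would_misparse(cmd));
    }
    return 0;
}
```

Quoting as shown stops the breakout, but the more robust fix for firmware code is to avoid the shell entirely: pass the SSID as one element of an argv array to fork/execv, so no shell ever tokenizes it. Note also that a quote-only SSID such as “Olaf’s Network” is flagged by the model even though it injects nothing, matching the denial of service behaviour described in the article.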

The hardest prerequisite for the attack is getting the target device to perform a network scan, but this can be forced with a deauthentication attack.

Several readily available tools can generate and send deauthentication frames to the extender, disconnecting it from its primary network; the extender then rescans for networks, at which point it parses the malicious SSID.

RedTeam researchers discovered the flaw in May 2023 and reported it to D-Link, but despite multiple follow-ups they never received a response.

This means the D-Link DAP-X1860 remains vulnerable, and the relatively simple exploitation mechanism makes the situation risky.

DAP-X1860 extender owners are advised to limit manual network scans, treat sudden disconnections suspiciously, and turn off the extender when not actively using it.

Additionally, consider placing IoT devices and range extenders on a separate, isolated network from sensitive devices containing personal or work data.
