
CVE-2019-13372 Scanner - Remote Code Execution vulnerability in D-Link Central WiFi Manager CWM(100)
Short Info
Level
Single Scan
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 11 days 3 hours
Scan only one: Domain, Subdomain, IPv4
D-Link Central WiFi Manager CWM(100) is used by organizations to manage and monitor multiple wireless access points from a centralized location. It is particularly beneficial for large environments that require comprehensive wireless network solutions, such as campuses, enterprises, and service providers. The software is designed to enhance productivity and efficiency by simplifying network management and configuration. Users can remotely manage WiFi access points, configure security settings, and monitor network performance. D-Link provides this tool to offer seamless integration with various D-Link wireless access points, ensuring robust network operations. The software also aims to provide an intuitive interface and advanced security features to safeguard network integrity.
The Remote Code Execution vulnerability in D-Link Central WiFi Manager CWM(100) allows attackers to execute arbitrary PHP code. It arises from improper handling of cookie data: the username field can be manipulated for eval injection. An attacker exploits it by supplying a specially crafted cookie, and authentication can be bypassed with an empty password. The result is unauthorized execution of injected commands on the server. The vulnerability is critical because it allows code execution with potential administrative privileges, compromising server security. Applying security patches is crucial to prevent exploitation.
Technically, the vulnerability resides in the /web/Lib/Action/IndexAction.class.php file, where the username field in a cookie is not properly sanitized. Attackers inject PHP code through the cookie, which the server processes without adequate validation. The vulnerable endpoint is reached via a GET request to /index.php/Index/index with a crafted cookie. Successful exploitation is confirmed by execution traces showing the result of the injected code. This violation of security best practices results from flaws in the cookie handling logic. Addressing the vulnerability requires stringent input validation in server-side scripts.
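For asset owners reviewing web logs, the following added example (not code from the scanner, D-Link, or the referenced advisories) flags GET requests to /index.php/Index/index whose username cookie fails a strict allowlist or whose password cookie is empty. The cookie names `username` and `password`, the log line format, the allowlist pattern, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/index.php/Index/index"          # endpoint named on this page
# Assumed allowlist for legitimate account names; tune to your deployment.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9_.@-]{1,64}")
# Assumed log format: client_ip "METHOD path" status "Cookie header"
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)"$')

# Constructed sample lines (documentation IP ranges, inert cookie values).
SAMPLE_LOG = [
    '203.0.113.10 "GET /index.php/Index/index" 200 "username=alice; password=5f4dcc3b"',
    '203.0.113.77 "GET /index.php/Index/index" 200 "username=a%28b%29%3B; password="',
    '198.51.100.4 "GET /index.php/Index/index" 200 "username=bob; password="',
    '198.51.100.9 "GET /other.php" 200 "username=a%28b%29; password="',
]

def parse_cookies(header):
    """Split a Cookie header into a dict of URL-decoded values."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = unquote(value)
    return cookies

def classify(line):
    """Return a finding dict for a suspicious request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, _status, cookie_header = m.groups()
    if method != "GET" or path.split("?", 1)[0] != ENDPOINT:
        return None
    cookies = parse_cookies(cookie_header)
    if "username" not in cookies:
        return None
    bad_name = not SAFE_USERNAME.fullmatch(cookies["username"])
    empty_pw = cookies.get("password") == ""
    if not (bad_name or empty_pw):
        return None
    # Both signals together match the pattern described for this CVE.
    severity = "high" if bad_name and empty_pw else "review"
    return {"ip": ip, "severity": severity,
            "bad_username": bad_name, "empty_password": empty_pw}

def scan(lines):
    return [f for f in map(classify, lines) if f]
```

The same allowlist check, applied server-side before the cookie value is used, is the kind of input validation the paragraph above calls for.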
If exploited, this vulnerability can lead to severe consequences including complete server compromise. Attackers may gain unauthorized access to sensitive data, tamper with configurations, or escalate privileges. Systems can be used as launching pads for further attacks within the network, leading to espionage or sabotage. Business operations could be disrupted, causing operational downtime and financial losses. Additionally, exploited systems could violate data protection regulations, leading to legal ramifications. Protecting against these effects requires immediate security updates and adherence to secure software development practices.
REFERENCES
- https://github.com/unh3x/unh3x.github.io/blob/master/_posts/2019-02-21-D-link-%28CWM-100%29-Multiple-Vulnerabilities.md
- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10117
- https://unh3x.github.io/2019/02/21/D-link-%28CWM-100%29-Multiple-Vulnerabilities/
- https://nvd.nist.gov/vuln/detail/CVE-2019-13372