Microsoft Wireless Display Adapter 2 Command Injection / Broken Access Control

                							

                secuvera-SA-2018-03: Command Injection, Broken Access Control and Evil-Twin-Attack in Microsoft Wireless Display Adapter V2 - CVE-2018-8306

Affected Products:
Microsoft Wireless Display Adapter V2:
  - Microsoft Wireless Display Adapter V2 Softwareversion 2.0.8350 to 2.0.8372 have been tested and are affected by the Command Injection Vulnerability
  - Microsoft Wireless Display Adapter V2 Softwareversion 2.0.8350 has been tested and is affected by the Broken Access Control Vulnerability
  - Microsoft Wireless Display Adapter V2 Softwareversion 2.0.8350 has been tested and is affected by the Evil-Twin-Attack Vulnerability
  Other releases have not been tested. 

  References
  - https://www.secuvera.de/advisories/secuvera-SA-2018-03.txt
  - https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8306 (Command Injection)
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8306 (Command Injection)
  
Summary:
  Microsoft Wireless Display Adapter (MsWDA ) is a hardware device to
  "Share whatas on your tablet, laptop, or smartphone. All 
  MiracastA(r) enabled Windows 10 phones, tablets and laptops, 
  including the Surface line up. Stream movies, view personal 
  photos, or display a presentation on a big screen a all 
  wirelessly." [1]
  
  During our research we found a command-injection, broken 
  access control and an "evil-twin" attack.
  
Background:
  MsWDA uses Wifi-Direct for the Connection and Miracast for 
  transmitting Video- and Audiodata. The Wifi-Connection 
  between MsWDA and the Client is alwasy WPA2 encrypted. To 
  setup the connection, MsWDA provides a well-known mechanism: 
  Wi-Fi Protected Setup (WPS). MsWDA implements both push 
  button configuration (PBC) and PIN configuration. Despite the
  original design and name, MsWDA offers PBC with the button 
  virtually "pressed". A user simply connects. Regardless the 
  authentication method used (PBC or PIN), a client is assigned
  to a so called "persistent group". A client in a persistent 
  group does not have to re-authenticate on a new connection. 
  
  Effect:
  Command injection:
     The attacker has to be connected to the MsWDA.Using the 
  Webservice the Name of the MsWDA could be set in the 
  parameter "NewDeviceName". Appending characters 
  to escape command line scripts, the device gets into a 
  boot loop. Therefore the conclusion is legit, there is 
  a command injection. After several bricked MsWDAs we gave
  up. 
  
  Broken Access Control:
  a) PBC is implemented against Wifi Alliance Best Practices [2]
  No Button has to be pressed, therefore the attacker has 
  just to be in network range to authenticate. Physical access
  to the device is not required.
  
  b) If an attacker has formed a persistent group with Push 
  Button Configuration, he can authenticate with the persistent 
  group, even if the configuration method is changed to PIN 
  Configuration.
  
  c) A persistent group does not expire, so the access right 
  longs forever. The WPA2 key of the connection does not change 
  for a persistent group.
  
  Evil-Twin-Attack:
  To perform an Evil-Twin Attack, the Attacker has to be connected
  to the MsWDA attacked. He then offers an own Display Adapter Service
  with the same name like the MsWDA attacked. The user will only find 
  the attackers name in the available connections and connect to the 
  attackers Evil Twin. A replication service will stream the users data 
  from the attackers device to the MsWDA attacked. Therefore the user 
  will not be able to recognize the attack.
  Besides the ability to view streaming data, the attacker can use 
  the established connection to access other services on the victims
  device, e. g. files if shared to trusted networks by the user.

  Vulnerable Script for the command injection:
  /cgi-bin/msupload.sh, Parameter NewDeviceName
  
Example for command injection:
  http://IPaddress/cgi-bin/msupload.sh?Action=SetDeviceName&NewDeviceName=a=b
  #show a device name with leading adapter_name=
  http://IPaddress/cgi-bin/msupload.sh?Action=SetDeviceName&NewDeviceName=a%0D$(ls)%0D
  #bring Display Adapter into a bootloop
  
  Solution:
  Always use PIN method for authentication. This does not require 
  the attacker to have physical access, at least he nees the screen visible.
  According to the vendor, the command injection has been fixed in 
  the firmware update July 2018.  
      
  Disclosure Timeline:
  2018/03/21 vendor contacted
  2018/03/21 initial vendor response
  2018/04/06 vendor confirmation 
  2018/04/20 vendor informs about fixes planned
  2018/04/21 feedback to the vendor on the fixes
  2018/05/17 vendor provides timeline for the firmware fixes for July 10th
  2018/06/19 vendor provides assigend CVE number
  2018/07/10 vendor publishes Advisory and Firmware-Updates 
  2018/07/30 coordinated public disclosure
  
  
  
External References:
   [1] https://www.microsoft.com/accessories/en-us/products/adapters/wireless-display-adapter-2/p3q-00001
   [2] https://www.wi-fi.org/downloads-public/wsc_best_practices_v2_0_1.pdf/8188

     
Credits:
  Tobias Glemser
  tglemser@secuvera.de
  secuvera GmbH
  https://www.secuvera.de
  
  Simon Winter
  simon.winter95@web.de
  Aalen University
  https://www.hs-aalen.de/en
  
Disclaimer:
  All information is provided without warranty. The intent is to
  provide information to secure infrastructure and/or systems, not
  to be able to attack or damage. Therefore secuvera shall
  not be liable for any direct or indirect damages that might be
  caused by using this information.
<p>