{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/813349#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nThe software driver for the D-Link DWA-117 AC600 MU-MIMO Wi-Fi USB Adapter contains an unquoted service path privilege escalation vulnerability. Under certain conditions, this flaw can lead to a local privilege escalation.\r\n\r\n### Description\r\nThe D-Link DWA-117 AC600 MU-MIMO is a Wi-Fi USB Adapter that provides Wi-Fi network access over USB. D-Link provides a software driver for the Microsoft Windows operating system that enables proper operation of the device with the operating system. The latest software driver (as of April 19, 2023) was found susceptible to an unquoted service path vulnerability. If certain conditions are met, there is potential for a local privilege escalation allowing an attacker to escalate privileges to a local administrative user.\r\n\r\nThe following conditions are required to trigger this bug:\r\n* The software is installed in a directory with a space in its name. (The default installation directory will work.)\r\n* An unprivileged user must have write access to the directory above the folder that contains the space in its name. (Typical default Windows user permissions are sufficient.)\r\n\r\n### Impact\r\nAn attacker with low-level access can execute code as the SYSTEM account. The increased privileges allow access to sensitive files and malicious modifications to the system.\r\n\r\n### Solution\r\nD-Link has provided a patch that addresses the issue. 
Customers should update their driver to the latest version.\r\n\r\n### Acknowledgements\r\nThanks to @L1v1ng0ffTh3L4n for reporting the vulnerability.\r\n\r\nThis document was written by Kevin Stephens.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"Fix and report publicly available here: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10342","title":"Vendor statement from D-Link Systems Inc."}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/813349"}],"title":"Software driver for D-Link Wi-Fi USB Adapter vulnerable to service path privilege escalation","tracking":{"current_release_date":"2023-08-03T16:30:23+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#813349","initial_release_date":"2023-07-27 
15:17:19.287906+00:00","revision_history":[{"date":"2023-08-03T16:30:23+00:00","number":"1.20230803163023.2","summary":"Released on 2023-08-03T16:30:23+00:00"}],"status":"final","version":"1.20230803163023.2"}},"vulnerabilities":[{"title":"The vulnerability of the software driver is for the Dlink DWA-117 AC600 MU-MIMO Wi-Fi USB Adaptor.","notes":[{"category":"summary","text":"The vulnerability of the software driver is for the Dlink DWA-117 AC600 MU-MIMO Wi-Fi USB Adaptor.\r\nAnd it turns out there are two applications/drivers that are affected.\r\nAccording to Windows this is the newest driver available:\r\n[Provided image from Device Manager showing the driver version and date]\r\n\r\nThe vulnerability is classified as an \"unquoted service path\" vulnerability, and leads to a local privilege escalation if the following conditions are met:\r\nThe software is installed in a directory with a space in it.\r\nThe default directory name suggested by the installer was \"DWA-171 revC\" so I used that for this demonstration, but it could also have been another closer to the root of the drive.\r\nE.g. D:\\Program Files\\Dlink\r\nIf an unprivileged user has write access to the directory above the folder that contains the space in its name, the unprivileged user can put a file there named after the first part of the folder name (before the space).\r\nE.g. If the software is installed in the directory named D:\\Program\\DWA-171 revC\\ then the user needs to have write access to the directory D:\\Program\r\nOr if the software is installed in the directory named D:\\Program Files\\Dlink then the user needs to have write access to the root directory.\r\nNot known to many, the default settings in Windows, for new directories created on the root of a drive after Windows is done installing, have the following permissions for \"Authenticated users\":\r\n[Provided image showing Access Control Entries for the directory]\r\n\r\nThis allows a user to copy a file to a new directory. 
(Note that this does NOT apply to default Windows directories like C:\\Windows or C:\\Program Files etc.)\r\nAn organisation might put whitelisted software under C:\\software, or a user might put software on the D-drive because (s)he is running out of space on their C-drive.\r\nBecause the service path is unquoted, Windows will look for an executable named after the first part of the directory name.\r\nAn unprivileged user can search for this weakness with a couple of simple PowerShell commands that are available to any user:\r\n[Provided image of PowerShell command and output showing the unquoted service path]\r\n\r\nHere is the log from Procmon as I restart the service:\r\n[Provided image from Procmon showing that it opens the executable the user put there, and not the service executable it was supposed to.]\r\n\r\n(The unprivileged user doesn't have access to restart the service, but needs only to wait for the computer to restart for the service to start.)\r\nAs one can see in the image, first Windows looks for D:\\Programs\\DWA-171, and it's not found.\r\nThen it looks for an executable named D:\\Programs\\DWA-171.exe, which it found, because the unprivileged user put it there.\r\n(The part after the space is now considered parameters/arguments to the executable by Windows.)\r\nThis means that since the service is configured to run as SYSTEM, the executable is also run as SYSTEM. And since the executable contains 2 simple commands to create a local user and add this user to the administrators group, the unprivileged user now has local administrator rights on the computer:\r\n[Provided image showing that the administrators group has been populated with a new, formerly unprivileged user]"}],"ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#813349"}],"product_status":{"known_affected":["CSAFPID-4503ad88-39cd-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"D-Link Systems Inc.","product":{"name":"D-Link Systems Inc. 
Products","product_id":"CSAFPID-4503ad88-39cd-11f1-8422-122e2785dc9f"}}]}}