D-Link WiFi range extender vulnerability exposes DoS and command injection
Take action: Since D-Link hasn't issued a patch, it's up to you to protect yourself. Be very wary of sudden disconnections of the extender (check its configuration), and power off the extender when it's not in use.
The widely-used D-Link DAP-X1860 WiFi 6 range extender has a vulnerability that could expose it to denial of service (DoS) attacks and allow unauthorized remote command injections. Despite its popularity, as indicated by its availability on D-Link's website and numerous Amazon reviews, the company has yet to address this issue.
The flaw was discovered by a German research team, RedTeam, and is tracked as CVE-2023-45208. Although the team reached out to D-Link multiple times since the flaw's discovery in May 2023, there has been no response from the company.
This vulnerability centers on the network scanning feature of the DAP-X1860 extender: it fails to correctly handle SSIDs that contain a single tick (') in the name, treating the tick as a command-ending symbol.
Because the SSID is not adequately sanitized, attackers can exploit this flaw for malicious purposes. An attacker can create a misleadingly named WiFi network with a tick in its name, causing connection attempts to the SSID to result in an "Error 500: Internal Server Error". Moreover, by adding an additional segment to the SSID containing a shell command, the attacker can deceive the extender into executing it.
Furthermore, every process on this extender, even those injected by external entities, operates with root permissions. This permits attackers to potentially explore other devices linked to the extender, further infiltrating the network. A key requirement for this kind of attack is that a network scan is initiated on the victim's device, which can be achieved via a deauthentication attack. Multiple software tools can send deauthentication packets, causing the extender to sever its primary network connection and forcing the device to scan networks.
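The sanitization step the article says is missing can be sketched as follows. This is an added example, not D-Link's firmware code and not taken from the RedTeam advisory; it assumes the scanned SSID is interpolated into a shell command line, and the helper name `quote_ssid` and the sample SSIDs are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX_LEN 32 /* an 802.11 SSID is at most 32 octets */

/*
 * Quote an SSID from a scan result so a POSIX shell sees it as exactly one
 * argument. The SSID is attacker-chosen data: each ' is rewritten as '\''
 * (close quote, escaped quote, reopen), so it can never end the quoted string.
 * Returns the quoted length, or -1 if the input is rejected or out is too
 * small. Hypothetical helper; passing the SSID as an argv element to execve()
 * with no shell involved is preferable where the design allows it.
 */
int quote_ssid(const unsigned char *ssid, size_t len, char *out, size_t outsz)
{
    size_t o = 0;

    /* Design choice for this sketch: empty and over-long SSIDs are refused. */
    if (len == 0 || len > SSID_MAX_LEN || outsz < 3)
        return -1;
    out[o++] = '\'';
    for (size_t i = 0; i < len; i++) {
        unsigned char c = ssid[i];
        if (c < 0x20 || c == 0x7f)      /* NUL, control characters, DEL */
            return -1;
        if (c == '\'') {
            if (o + 4 + 2 > outsz)      /* keep room for closing ' and NUL */
                return -1;
            memcpy(out + o, "'\\''", 4);
            o += 4;
        } else {
            if (o + 1 + 2 > outsz)
                return -1;
            out[o++] = (char)c;
        }
    }
    out[o++] = '\'';
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample SSIDs, not taken from any real network or advisory. */
    const char *samples[] = { "Guest's WiFi", "lab'; echo MARKER; '" };
    char buf[160];

    for (size_t i = 0; i < 2; i++)
        if (quote_ssid((const unsigned char *)samples[i], strlen(samples[i]), buf, sizeof buf) > 0)
            printf("%s\n", buf);
    return 0;
}
```
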