Microsoft Wireless Display Adapter V2:
Other releases have not been tested.
Microsoft Wireless Display Adapter (MsWDA) is a hardware device to "Share what’s on your tablet, laptop, or smartphone. All Miracast® enabled Windows 10 phones, tablets and laptops, including the Surface line up. Stream movies, view personal photos, or display a presentation on a big screen – all wirelessly." [1]
During our research we found a command-injection, broken access control and an "evil-twin" attack.
MsWDA uses Wi-Fi Direct for the connection and Miracast for transmitting video and audio data. The Wi-Fi connection between MsWDA and the client is always WPA2 encrypted. To set up the connection, MsWDA provides a well-known mechanism: Wi-Fi Protected Setup (WPS). MsWDA implements both push button configuration (PBC) and PIN configuration. Despite the original design and name, MsWDA offers PBC with the button virtually "pressed": a user simply connects. Regardless of the authentication method used (PBC or PIN), a client is assigned to a so-called "persistent group". A client in a persistent group does not have to re-authenticate on a new connection.
The attacker has to be connected to the MsWDA. Using the web service, the name of the MsWDA can be set via the parameter "NewDeviceName". By appending characters that break out of the command line script, the device is put into a boot loop. The conclusion is therefore legitimate: there is a command injection. After several bricked MsWDAs we gave up.
To perform an evil-twin attack, the attacker has to be connected to the MsWDA under attack. He then offers his own display adapter service with the same name as the attacked MsWDA. The user will only find the attacker's name in the available connections and connect to the attacker's evil twin. A replication service will stream the user's data from the attacker's device to the attacked MsWDA, so the user will not be able to recognize the attack. Besides the ability to view the streamed data, the attacker can use the established connection to access other services on the victim's device, e.g. files the user has shared to trusted networks.
/cgi-bin/msupload.sh
Parameter: NewDeviceName
http://IPaddress/cgi-bin/msupload.sh?Action=SetDeviceName&NewDeviceName=a=b
⇒ shows a device name with a leading adapter_name=
http://IPaddress/cgi-bin/msupload.sh?Action=SetDeviceName&NewDeviceName=a%0D$(ls)%0D
⇒ brings the Display Adapter into a boot loop
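The defensive counterpart to the injection above, as an added example (not the MsWDA firmware's or the vendor's code): a POSIX sh CGI handler that percent-decodes NewDeviceName, accepts only an allowlisted name and writes it with printf instead of letting the shell interpret it. The parameter and action names are taken from the advisory; the allowlist, the 32-character limit and the "adapter_name=" config line are assumptions.

```shell
#!/bin/sh
# Added example, not the MsWDA firmware's own code: a hardened way for a CGI
# script such as msupload.sh to accept a device name. "NewDeviceName" comes
# from the advisory; allowlist, 32-char limit and config line are assumed.

# Extract one raw (still percent-encoded) value from a QUERY_STRING.
query_param() {                       # $1 = parameter name, $2 = QUERY_STRING
    q="&$2&"
    v=${q#*"&$1="}                    # drop everything up to and including "&name="
    [ "$v" = "$q" ] && return 1       # parameter is absent
    printf '%s' "${v%%&*}"            # keep up to the next '&'
}

# Percent-decode a value without eval or printf %b, one character at a time.
urldecode() {
    s=$1
    while [ -n "$s" ]; do
        rest=${s#?}                   # input without its first character
        c=${s%"$rest"}                # the first character itself
        case $c in
            +) printf ' ' ;;
            %) hex=${rest%"${rest#??}"}   # the two characters after '%'
               case $hex in
                   [0-9A-Fa-f][0-9A-Fa-f])
                       printf "\\$(printf '%03o' "0x$hex")"   # e.g. %0D -> CR
                       rest=${rest#??} ;;
                   *) printf '%%' ;;  # malformed escape: keep the '%' literally
               esac ;;
            *) printf '%s' "$c" ;;
        esac
        s=$rest
    done
}

# Allowlist: 1-32 chars of [A-Za-z0-9._-]; CR, '$', '(', ')', '=' are rejected, not escaped.
valid_device_name() {
    case $1 in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Action=SetDeviceName: decode, validate, write with printf '%s' (never eval).
set_device_name() {                   # $1 = QUERY_STRING, $2 = config file
    raw=$(query_param NewDeviceName "$1") || return 1
    name=$(urldecode "$raw")
    valid_device_name "$name" || return 1
    printf 'adapter_name=%s\n' "$name" > "$2"
}
```

With this handler both requests quoted above are refused: "a=b" fails the allowlist because of the '=', and the %0D$(ls)%0D variant fails because of the carriage returns and the '$', '(' and ')'.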
Always use the PIN method for authentication. It does not strictly require the attacker to have physical access, but he at least needs the screen to be visible. According to the vendor, the command injection has been fixed in the firmware update of July 2018.
2018/03/21 | vendor contacted |
2018/03/21 | initial vendor response |
2018/04/06 | vendor confirmation |
2018/04/20 | vendor informs about fixes planned |
2018/04/21 | feedback to the vendor on the fixes |
2018/05/17 | vendor provides timeline for the firmware fixes for July 10th |
2018/06/19 | vendor provides assigned CVE number |
2018/07/10 | vendor publishes advisory and firmware updates |
2018/07/30 | coordinated public disclosure |
All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to enable attacks or damage. Therefore secuvera and w1n73r.de shall not be liable for any direct or indirect damages that might be caused by using this information.