CVE-2019-5138
An exploitable command injection vulnerability exists in encrypted diagnostic script functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted diagnostic script file can cause arbitrary busybox commands to be executed, resulting in remote control over the device. An attacker can send diagnostic while authenticated as a low privilege user to trigger this vulnerability.
Moxa AWK-3131A Firmware version 1.13
http://www.moxa.com/product/AWK-3131A.htm
9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. It is designed to provide wireless communication capabilities to the environments in which it is deployed. Communication with the device is possible using HTTP, Telnet, and SSH.
An encrypted script file is used for diagnostics of the Moxa AWK-3131A. This script file is encrypted with a hardcoded password openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %s%s. These encrypted files can be uploaded to the webportal for “advanced diagnostics” of the device.
The script file format itself is somewhat custom and is a very barebones command set. For the purposes of explaining the format, assume that # designates a comment (not true in the script file itself)
MOXA # This must be present in the file as a magic header
This line is ignored # Lines that do not contain a reserved word are ignored
period: 10; # This is the start of a loop which starts every 10 seconds, period is the reserved word and this is required for successful parsing of the format
> arp # > is the reserved word for executing
total: 20; # This is the end of the loop for a total of 2 executions
Results of script are zip’d and then encrypted prior to be presented to the user. The same openssl command can be used with the -d flag in order to decrypt the file.
The script contains a very limited command set including: - free - arp - route - iwconfig - ipconfig - ps - dmesg - brctl - athstats - 80211debug - athdebug - tcpdump - killall tcpdump - netstat - cat
These commands are fully functional and can take arguments to perform any action that could be done via the command line. These commands are executed as root so cat /etc/passwd as well as tcpdump -i br0 -w /dev/null -W 1 -G 1 -z '/sbin/reboot' are specifically interesting usages of this functionality.
2019-10-22 - Vendor Disclosure
2020-02-24 - Public Release
Discovered by Carl Hurd and Jared Rittle of Cisco Talos.