An exploitable OS Command Injection vulnerability exists in the web application ‘ping’ functionality of Moxa AWK-3131A Wireless Access Points running firmware 1.1. Specially crafted web form input can cause an OS Command Injection resulting in complete compromise of the vulnerable device. An attacker can exploit this vulnerability remotely.
Moxa AWK-3131A WAP Version 1.1 Build 15122211
9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
The ping feature of the Moxa AWK-3131A WAP web application is vulnerable to OS command injection. No obfuscation or encoding is needed - it appears there is no filtering of user input. Entering an OS command that is preceded with a ; results in the command being executed by the OS with root permissions.
An authenticated user may obtain a remote shell with root privilages by entering the following in the ping input box:
; /bin/busybox telnetd -l/bin/sh -p9999
then telnet to port 9999. The attacker will be connected to a /bin/sh shell as the root user, without needing to enter any credentials.
Exploitation of the vulnerable parameter requires authentication to the web application. However, commands are executed by the operating system as the root user, negating any user-level privilege enforcement by the web application.
2016-11-14 - Vendor Disclosure 2017-04-18 - Public Release
Discovered by Patrick DeSantis of Cisco Talos.