Talos Vulnerability Report

TALOS-2019-0928

Moxa AWK-3131A multiple iw_* utilities Use of Hard-coded Credentials Vulnerability

February 24, 2020

CVE Number

CVE-2019-5139

Summary

An exploitable use of hard-coded credentials vulnerability exists in multiple iw_* utilities of the Moxa AWK-3131A firmware version 1.13. The device operating system contains an undocumented encryption password, allowing for the creation of custom diagnostic scripts.

Tested Versions

Moxa AWK-3131A Firmware version 1.13

Product URLs

http://www.moxa.com/product/AWK-3131A.htm

CVSSv3 Score

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-798: Use of Hard-coded Credentials

Details

The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. It is designed to provide wireless communication capabilities to the environments in which it is deployed. Communication with the device is possible using HTTP, Telnet, and SSH.

A hard-coded password (moxaiwroot) is used when decrypting any diagnostic scripts uploaded through the device's troubleshooting portal. With this password, it is possible to create custom diagnostic scripts to run on the device.

Disassembly for each of the four locations can be found below:

iw_troubleshoot

...
00402a38  8fdc0018   lw      $gp, 0x18($fp) {var_c8}
00402a3c  3c020040   lui     $v0, 0x40
00402a40  24444fe4   addiu   $a0, $v0, 0x4fe4  {0x404fe4, "openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %s%s"}
00402a44  3c020040   lui     $v0, 0x40
00402a48  24454fd0   addiu   $a1, $v0, 0x4fd0  {0x404fd0, "/var/ts_zip_result"}
00402a4c  3c020040   lui     $v0, 0x40
00402a50  24464f90   addiu   $a2, $v0, 0x4f90  {0x404f90, "/var/"}
00402a54  8fc70100   lw      $a3, 0x100($fp) {arg6}
00402a58  8f828050   lw      $v0, -0x7fb0($gp)  {iw_system_quiet}
00402a5c  0040c821   move    $t9, $v0
00402a60  0320f809   jalr    $t9

There is a second location in iw_troubleshoot where the password is used:

...
00402ee0  8fdc0020   lw      $gp, 0x20($fp) {var_e48}
00402ee4  8fc20e78   lw      $v0, 0xe78($fp) {arg4}
00402ee8  8c420000   lw      $v0, ($v0)
00402eec  8fc30e6c   lw      $v1, 0xe6c($fp) {arg_4}
00402ef0  afa30010   sw      $v1, 0x10($sp) {var_e58}
00402ef4  8fc30e70   lw      $v1, 0xe70($fp) {arg_8}
00402ef8  afa30014   sw      $v1, 0x14($sp) {var_e54}
00402efc  27c3003c   addiu   $v1, $fp, 0x3c {var_e2c}
00402f00  afa30018   sw      $v1 {var_e2c}, 0x18($sp) {var_e50}
00402f04  3c030040   lui     $v1, 0x40
00402f08  246450cc   addiu   $a0, $v1, 0x50cc  {0x4050cc, "openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %sTS_%d_%s_%s_%s.aes"}
00402f0c  3c030040   lui     $v1, 0x40
00402f10  24654fd0   addiu   $a1, $v1, 0x4fd0  {0x404fd0, "/var/ts_zip_result"}
00402f14  3c030040   lui     $v1, 0x40
00402f18  24664f90   addiu   $a2, $v1, 0x4f90  {0x404f90, "/var/"}
00402f1c  00403821   move    $a3, $v0
00402f20  8f828050   lw      $v0, -0x7fb0($gp)  {iw_system_quiet}
00402f24  0040c821   move    $t9, $v0
00402f28  0320f809   jalr    $t9
00402f2c  00000000   nop     
...

iw_onekey

...
00401aec  8fdc0010   lw      $gp, 0x10($fp) {var_10}
00401af0  3c020040   lui     $v0, 0x40
00401af4  24442954   addiu   $a0, $v0, 0x2954  {0x402954, "openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %s"}
00401af8  3c020040   lui     $v0, 0x40
00401afc  24452944   addiu   $a1, $v0, 0x2944  {0x402944, "/var/rdinfo.zip"}
00401b00  3c020040   lui     $v0, 0x40
00401b04  2446298c   addiu   $a2, $v0, 0x298c  {0x40298c, "/var/rdinfo.aes"}
00401b08  8f828048   lw      $v0, -0x7fb8($gp)  {iw_system_quiet}
00401b0c  0040c821   move    $t9, $v0
00401b10  0320f809   jalr    $t9
00401b14  00000000   nop    
... 

iw_webs

00457dcc  27bdfed8   addiu   $sp, $sp, -0x128
00457dd0  afbf0124   sw      $ra, 0x124($sp) {__saved_$ra}
00457dd4  afbe0120   sw      $fp, 0x120($sp) {__saved_$fp}
00457dd8  03a0f021   move    $fp, $sp {var_128}
00457ddc  3c1c004d…  li      $gp, 0x4cb8f0
00457de4  afbc0010   sw      $gp, 0x10($sp) {var_118}  {_gp}
00457de8  afc40128   sw      $a0, 0x128($fp) {arg_0}
00457dec  afc5012c   sw      $a1, 0x12c($fp) {arg_4}
00457df0  afc0001c   sw      $zero, 0x1c($fp) {var_10c}  {0x0}
00457df4  afc00018   sw      $zero, 0x18($fp) {var_110}  {0x0}
00457df8  3c020047   lui     $v0, 0x47
00457dfc  244416e4   addiu   $a0, $v0, 0x16e4  {0x4716e4, "openssl aes-256-cbc -d -k moxaiwroot -salt -in \"%s\" -out \"%s\""}
00457e00  8fc50128   lw      $a1, 0x128($fp) {arg_0}
00457e04  8fc6012c   lw      $a2, 0x12c($fp) {arg_4}
00457e08  8f828764   lw      $v0, -0x789c($gp)  {iw_system}
00457e0c  0040c821   move    $t9, $v0
00457e10  0320f809   jalr    $t9
00457e14  00000000   nop     
...
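For auditing, the pattern shared by all four locations above (an openssl command format string with the passphrase given literally after -k) can be searched for in extracted firmware binaries. The following is an added example, not part of the Talos report or of Moxa's code; the function names and the sample blob are assumptions constructed for illustration, and the check also covers the `-pass pass:` form, which the report does not show.

```python
import re

# Printable-ASCII runs of at least 8 bytes, as the `strings` utility would report.
STRING_RE = re.compile(rb"[\x20-\x7e]{8,}")
# An openssl command line that carries its passphrase inline:
# `-k <pw>`, or `-pass pass:<pw>` / `-passin pass:<pw>`.
INLINE_KEY_RE = re.compile(
    rb"openssl\s+(?:enc\s+)?[\w-]+.*?\s(?:-k\s+|-pass(?:in)?\s+pass:)(\S+)"
)

def find_inline_openssl_keys(blob: bytes):
    """Return (offset, passphrase, command) for each embedded openssl
    command string whose passphrase is a literal in the binary."""
    findings = []
    for m in STRING_RE.finditer(blob):
        hit = INLINE_KEY_RE.search(m.group())
        if not hit:
            continue
        secret = hit.group(1).decode()
        # A format specifier means the key is supplied at run time, not hard-coded.
        if "%" in secret:
            continue
        findings.append((m.start(), secret, m.group().decode()))
    return findings

def shared_secrets(findings):
    """Map each passphrase to the offsets at which it is reused."""
    reuse = {}
    for offset, secret, _ in findings:
        reuse.setdefault(secret, []).append(offset)
    return reuse

# Constructed sample: a NUL-padded .rodata-like blob holding two of the format
# strings shown in the report plus one benign command with a run-time key.
SAMPLE = (
    b"\x00\x00/var/ts_zip_result\x00\x00"
    b"openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %s%s\x00"
    b"\x7fELF\x01\x02openssl aes-256-cbc -d -k moxaiwroot -salt -in \"%s\" -out \"%s\"\x00"
    b"openssl aes-256-cbc -k %s -salt -in %s -out %s\x00"
)

if __name__ == "__main__":
    for offset, secret, cmd in find_inline_openssl_keys(SAMPLE):
        print(f"0x{offset:06x}  key={secret!r}  {cmd}")
```

A passphrase that appears at several offsets, or across several binaries of one image, indicates a single shared secret rather than a per-device key.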

Timeline

2019-10-22 - Vendor Disclosure
2020-02-24 - Public Release

Credit

Discovered by Patrick DeSantis, Carl Hurd, and Jared Rittle of Cisco Talos.