Talos Vulnerability Report

TALOS-2019-0929

Moxa AWK-3131A iw_webs DecryptScriptFile file name Command Injection Vulnerability

February 24, 2020
CVE Number

CVE-2019-5140

Summary

An exploitable command injection vulnerability exists in the iw_webs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted diagnostic script file name can cause user input to be reflected in a subsequent iw_system call, resulting in remote control over the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.

Tested Version

Moxa AWK-3131A firmware version 1.13

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Details

The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. It is designed to provide wireless communication capabilities to the environments in which it is deployed. Communication with the device is possible using HTTP, Telnet, and SSH.

An encrypted script file is used for diagnostics of the Moxa AWK-3131A. The name of this script file is passed into iw_system, which is a thin wrapper around a system call. Because the inserted file name is neither escaped nor filtered for special characters, it can be made to execute as a shell command before the decryption process takes place.

This can be seen in the disassembly below:

decryptScriptFile:
   0 @ 00457de8  va_list arg_0 = arg1
   1 @ 00457dec  va_list arg_4 = arg2
   2 @ 00457df0  int32_t var_10c = 0
   3 @ 00457df4  int32_t var_110 = 0
   4 @ 00457e00  va_list $a1 = arg_0
   5 @ 00457e10  iw_system(format_string: "openssl aes-256-cbc -d -k moxaiw…", args_for_format: $a1)
   6 @ 00457e24  va_list $a1_1 = arg_0
   7 @ 00457e30  iw_system(format_string: "rm "%s"", args_for_format: $a1_1)
   8 @ 00457e3c  va_list $a0 = arg_4
   9 @ 00457e50  $v0 = fopen($a0, "r")
  10 @ 00457e5c  int32_t var_10c_1 = $v0
  11 @ 00457e60  int32_t $v0_1 = var_10c_1
  12 @ 00457e64  if ($v0_1 != 0) then 13 @ 0x457ea4 else 19 @ 0x457e84
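As an added illustration (not Moxa's code and not part of the advisory), the following C shows the injection-prone pattern the disassembly reflects next to a hardened version that allowlists the file name and runs openssl without a shell. The function names, the KEY_PLACEHOLDER key and the argv layout are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern from the advisory: the caller-supplied name is spliced
 * into a command string that a shell will parse. Wrapping it in "%s" is not
 * a fix, because a name containing its own quote character ends the quote. */
int build_shell_command(char *out, size_t outlen, const char *name) {
    return snprintf(out, outlen,
                    "openssl aes-256-cbc -d -k KEY_PLACEHOLDER -in \"%s\"", name);
}

/* Hardened step 1: allowlist the name. Only [A-Za-z0-9._-], no leading '-'
 * (would be parsed as an option) or '.' (rejects ".", ".." and dotfiles). */
bool script_name_is_safe(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > 64 || name[0] == '-' || name[0] == '.')
        return false;                     /* 64 is an assumed length bound */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return false;
    }
    return true;
}

/* Hardened step 2: no shell at all. fork/execvp passes each argv element to
 * the program verbatim, so shell metacharacters carry no meaning. Returns
 * the child's exit status, or -1 on failure. */
int run_argv(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Decrypt a diagnostics script without a shell; -1 if the name is rejected. */
int decrypt_script_safely(const char *name, const char *outpath) {
    if (!script_name_is_safe(name)) return -1;
    char *const argv[] = { "openssl", "aes-256-cbc", "-d", "-k", "KEY_PLACEHOLDER",
                           "-in", (char *)name, "-out", (char *)outpath, NULL };
    return run_argv(argv);
}
```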

Timeline

2019-10-22 - Vendor Disclosure
2020-02-24 - Public Release

Credit

Discovered by Carl Hurd and Jared Rittle of Cisco Talos.