Talos Vulnerability Report

TALOS-2019-0930

Moxa AWK-3131A iw_webs iw_serverip Parameter Command Injection Vulnerability

February 24, 2020
CVE Number

CVE-2019-5141

Summary

An exploitable command injection vulnerability exists in the iw_webs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted iw_serverip parameter can cause user input to be reflected in a subsequent iw_system call, resulting in remote control over the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.

Tested Versions

Moxa AWK-3131A Firmware version 1.13

Product URLs

http://www.moxa.com/product/AWK-3131A.htm

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Details

The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. It is designed to provide wireless communication capabilities to the environments in which it is deployed. Communication with the device is possible using HTTP, Telnet, and SSH.

An encrypted script file is used to retrieve diagnostic information from the Moxa AWK-3131A. This script file has the option of saving and exporting results over TFTP to a server that can be specifed. The server is specified as a string within the same POST request. Since the string is used within the command line argument for tftp and is not escaped properly, command injection can occur within the IP address provided by the user.

This can be seen in the disassembly below:

checkTFTPSeverIsAlife:
00457f70  27bdfed0   addiu   $sp, $sp, -0x130
00457f74  afbf012c   sw      $ra, 0x12c($sp) {__saved_$ra}
00457f78  afbe0128   sw      $fp, 0x128($sp) {__saved_$fp}
00457f7c  03a0f021   move    $fp, $sp {var_130}
00457f80  3c1c004d…li      $gp, 0x4cb8f0
00457f88  afbc0018   sw      $gp, 0x18($sp) {var_118}  {_gp}
00457f8c  afc40130   sw      $a0, 0x130($fp) {arg_0}
00457f90  afc50134   sw      $a1, 0x134($fp) {arg_4}
00457f94  afc60138   sw      $a2, 0x138($fp) {arg_8}
00457f98  afc7013c   sw      $a3, 0x13c($fp) {arg_c}
00457f9c  afc00020   sw      $zero, 0x20($fp) {var_110}  {0x0}
00457fa0  afc00024   sw      $zero, 0x24($fp) {var_10c}  {0x0}
00457fa4  8fc20130   lw      $v0, 0x130($fp) {arg_0}
00457fa8  24430030   addiu   $v1, $v0, 0x30
00457fac  27c20028   addiu   $v0, $fp, 0x28 {var_108}
00457fb0  afa30010   sw      $v1, 0x10($sp) {var_120}
00457fb4  00402021   move    $a0, $v0 {var_108}
00457fb8  24050100   addiu   $a1, $zero, 0x100
00457fbc  3c020047   lui     $v0, 0x47
00457fc0  24461774   addiu   $a2, $v0, 0x1774  {0x471774, ""%s%s""}
00457fc4  3c020047   lui     $v0, 0x47
00457fc8  2447177c   addiu   $a3, $v0, 0x177c  {0x47177c, "/var/"}
00457fcc  8f828538   lw      $v0, -0x7ac8($gp)  {snprintf}
00457fd0  0040c821   move    $t9, $v0
00457fd4  0320f809   jalr    $t9
00457fd8  00000000   nop    
00457fdc  8fdc0018   lw      $gp, 0x18($fp) {var_118}
00457fe0  afc20024   sw      $v0, 0x24($fp) {var_10c_1}
00457fe4  8fc20024   lw      $v0, 0x24($fp) {var_10c_1}
00457fe8  27c30020   addiu   $v1, $fp, 0x20 {var_110}
00457fec  00621021   addu    $v0, $v1 {var_110}, $v0
00457ff0  a0400008   sb      $zero, 8($v0)  {0x0}
00457ff4  27c20028   addiu   $v0, $fp, 0x28 {var_108}
00457ff8  3c030047   lui     $v1, 0x47
00457ffc  24641784   addiu   $a0, $v1, 0x1784  {data_471784, "touch %s"}
00458000  00402821   move    $a1, $v0 {var_108}
00458004  8f828764   lw      $v0, -0x789c($gp)  {iw_system}
00458008  0040c821   move    $t9, $v0
0045800c  0320f809   jalr    $t9
00458010  00000000   nop    
00458014  8fdc0018   lw      $gp, 0x18($fp) {var_118}
00458018  8fc20130   lw      $v0, 0x130($fp) {arg_0}
0045801c  24420030   addiu   $v0, $v0, 0x30
00458020  3c030047…li      $v1, 0x4717c0  {"/var/TS_TFTP.tmp"}
00458028  afa30010   sw      $v1, 0x10($sp) {var_120_1}  {data_4717c0, "/var/TS_TFTP.tmp"}
0045802c  3c030047   lui     $v1, 0x47
00458030  24641790   addiu   $a0, $v1, 0x1790  {data_471790, "cd %s && tftp -p -r "%s" "%s" &&…"}
00458034  3c030047   lui     $v1, 0x47
00458038  2465177c   addiu   $a1, $v1, 0x177c  {0x47177c, "/var/"}
0045803c  00403021   move    $a2, $v0
00458040  8fc70134   lw      $a3, 0x134($fp) {arg_4}
00458044  8f828764   lw      $v0, -0x789c($gp)  {iw_system}
00458048  0040c821   move    $t9, $v0
0045804c  0320f809   jalr    $t9

Timeline

2019-10-22 - Vendor Disclosure
2020-02-20 - Public Release

Credit

Discovered by Carl Hurd and Jared Rittle of Cisco Talos.