CVE-2019-5141
An exploitable command injection vulnerability exists in the iw_webs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted iw_serverip parameter can cause user input to be reflected in a subsequent iw_system call, resulting in remote control over the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.
Moxa AWK-3131A Firmware version 1.13
http://www.moxa.com/product/AWK-3131A.htm
8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. It is designed to provide wireless communication capabilities to the environments in which it is deployed. Communication with the device is possible using HTTP, Telnet, and SSH.
An encrypted script file is used to retrieve diagnostic information from the Moxa AWK-3131A. This script file has the option of saving and exporting its results over TFTP to a server that the user can specify. The server is supplied as a string within the same POST request. Because that string is inserted into the command line for tftp without any escaping, command injection can occur within the IP address provided by the user.
This can be seen in the disassembly below:
checkTFTPSeverIsAlife:
00457f70 27bdfed0 addiu $sp, $sp, -0x130
00457f74 afbf012c sw $ra, 0x12c($sp) {__saved_$ra}
00457f78 afbe0128 sw $fp, 0x128($sp) {__saved_$fp}
00457f7c 03a0f021 move $fp, $sp {var_130}
00457f80 3c1c004d…li $gp, 0x4cb8f0
00457f88 afbc0018 sw $gp, 0x18($sp) {var_118} {_gp}
00457f8c afc40130 sw $a0, 0x130($fp) {arg_0}
00457f90 afc50134 sw $a1, 0x134($fp) {arg_4}
00457f94 afc60138 sw $a2, 0x138($fp) {arg_8}
00457f98 afc7013c sw $a3, 0x13c($fp) {arg_c}
00457f9c afc00020 sw $zero, 0x20($fp) {var_110} {0x0}
00457fa0 afc00024 sw $zero, 0x24($fp) {var_10c} {0x0}
00457fa4 8fc20130 lw $v0, 0x130($fp) {arg_0}
00457fa8 24430030 addiu $v1, $v0, 0x30
00457fac 27c20028 addiu $v0, $fp, 0x28 {var_108}
00457fb0 afa30010 sw $v1, 0x10($sp) {var_120}
00457fb4 00402021 move $a0, $v0 {var_108}
00457fb8 24050100 addiu $a1, $zero, 0x100
00457fbc 3c020047 lui $v0, 0x47
00457fc0 24461774 addiu $a2, $v0, 0x1774 {0x471774, "%s%s"}
00457fc4 3c020047 lui $v0, 0x47
00457fc8 2447177c addiu $a3, $v0, 0x177c {0x47177c, "/var/"}
00457fcc 8f828538 lw $v0, -0x7ac8($gp) {snprintf}
00457fd0 0040c821 move $t9, $v0
00457fd4 0320f809 jalr $t9
00457fd8 00000000 nop
00457fdc 8fdc0018 lw $gp, 0x18($fp) {var_118}
00457fe0 afc20024 sw $v0, 0x24($fp) {var_10c_1}
00457fe4 8fc20024 lw $v0, 0x24($fp) {var_10c_1}
00457fe8 27c30020 addiu $v1, $fp, 0x20 {var_110}
00457fec 00621021 addu $v0, $v1 {var_110}, $v0
00457ff0 a0400008 sb $zero, 8($v0) {0x0}
00457ff4 27c20028 addiu $v0, $fp, 0x28 {var_108}
00457ff8 3c030047 lui $v1, 0x47
00457ffc 24641784 addiu $a0, $v1, 0x1784 {data_471784, "touch %s"}
00458000 00402821 move $a1, $v0 {var_108}
00458004 8f828764 lw $v0, -0x789c($gp) {iw_system}
00458008 0040c821 move $t9, $v0
0045800c 0320f809 jalr $t9
00458010 00000000 nop
00458014 8fdc0018 lw $gp, 0x18($fp) {var_118}
00458018 8fc20130 lw $v0, 0x130($fp) {arg_0}
0045801c 24420030 addiu $v0, $v0, 0x30
00458020 3c030047…li $v1, 0x4717c0 {"/var/TS_TFTP.tmp"}
00458028 afa30010 sw $v1, 0x10($sp) {var_120_1} {data_4717c0, "/var/TS_TFTP.tmp"}
0045802c 3c030047 lui $v1, 0x47
00458030 24641790 addiu $a0, $v1, 0x1790 {data_471790, "cd %s && tftp -p -r "%s" "%s" &&…"}
00458034 3c030047 lui $v1, 0x47
00458038 2465177c addiu $a1, $v1, 0x177c {0x47177c, "/var/"}
0045803c 00403021 move $a2, $v0
00458040 8fc70134 lw $a3, 0x134($fp) {arg_4}
00458044 8f828764 lw $v0, -0x789c($gp) {iw_system}
00458048 0040c821 move $t9, $v0
0045804c 0320f809 jalr $t9
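As an added illustration (not code from the advisory or from the Moxa firmware), the pattern described above next to a hardened replacement: the vulnerable builder mirrors only the prefix of the format string visible at 0x458030, and the fix both validates the server string as a literal IP address and passes the arguments to tftp as an argv vector so no shell ever parses them. Function names and the busybox-style tftp argument order are assumptions.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern from the advisory (the page's format string continues past
 * the part shown there; this reproduces only the visible prefix): 'server'
 * is dropped into a shell command line unescaped. */
int vuln_build_cmd(char *out, size_t n, const char *dir, const char *file,
                   const char *server) {
    int len = snprintf(out, n, "cd %s && tftp -p -r \"%s\" \"%s\"", dir, file, server);
    return len >= 0 && (size_t)len < n;
}

/* Hardening step 1: allow-list the input. inet_pton() accepts only a literal
 * IPv4 or IPv6 address, so anything carrying shell syntax is rejected outright. */
int validate_server_ip(const char *s) {
    unsigned char addr[16];
    return inet_pton(AF_INET, s, addr) == 1 || inet_pton(AF_INET6, s, addr) == 1;
}

/* Hardening step 2: hand tftp its arguments as an argv vector for execvp().
 * No shell parses them, so metacharacters cannot split the command.
 * Returns argc on success, -1 if the server string fails validation. */
int build_tftp_argv(const char *file, const char *server, const char *argv[],
                    size_t max) {
    if (max < 6 || !validate_server_ip(server)) return -1;
    argv[0] = "tftp"; argv[1] = "-p";   argv[2] = "-r";
    argv[3] = file;   argv[4] = server; argv[5] = NULL;
    return 5;
}

/* Replacement for the iw_system() call: chdir + fork + execvp, no /bin/sh.
 * Returns the child's exit status, or -1 on validation/fork/exec failure. */
int safe_tftp_put(const char *dir, const char *file, const char *server) {
    const char *argv[6];
    int status;
    if (build_tftp_argv(file, server, argv, 6) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (chdir(dir) != 0) _exit(127);
        execvp(argv[0], (char *const *)argv);
        _exit(127);                      /* exec failed: tftp binary not found */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

If hostnames must be accepted as well, the argv-based exec alone already removes the shell; the address check then shrinks to a character allow-list rather than inet_pton().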
2019-10-22 - Vendor Disclosure
2020-02-20 - Public Release
Discovered by Carl Hurd and Jared Rittle of Cisco Talos.