Talos Vulnerability Report

TALOS-2019-0931

Moxa AWK-3131A WAP Hostname Command Injection Vulnerability

February 24, 2020

CVE Number

CVE-2019-5142

Summary

An exploitable command injection vulnerability exists in the hostname functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted entry to network configuration information can cause execution of arbitrary system commands, resulting in full control of the device. An attacker can send various authenticated requests to trigger this vulnerability.

Tested Versions

Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client version 1.13

Product URLs

http://www.moxa.com/product/AWK-3131A.htm

CVSSv3 Score

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Details

The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. The manufacturer specifically highlights automated materials handling and automated guided vehicles as target markets.

The Moxa AWK-3131A is susceptible to an OS command injection vulnerability due to improper filtering of data passed to and retrieved from the flash memory.

During configuration, when the "Device Name" (hostname) is changed via web or telnet, the system needs to reboot in order to save the changes made. This is because nothing can be saved anywhere except /var (which in this case acts like /tmp). Therefore, in order to make the changes persistent, the system saves them in the flash memory. Once the system reboots, the "init" binary retrieves the config file from the flash memory, gets the config information it needs, and at some point calls iw_system and passes the config information to another binary called "iw_ip_update", as shown below.

00413090  3c020042   lui     $v0, 0x42
00413094  24449ce4   addiu   $a0, $v0, -0x631c  {data_419ce4, "%s -m %d -n -r"}
00413098  3c020042   lui     $v0, 0x42
0041309c  24459cb8   addiu   $a1, $v0, -0x6348  {data_419cb8, "/usr/sbin/iw_ip_update"}
004130a0  00003021   move    $a2, $zero  {0x0}
004130a4  8f82818c   lw      $v0, -0x7e74($gp)  {iw_system}
004130a8  0040c821   move    $t9, $v0
004130ac  0320f809   jalr    $t9
004130b0  00000000   nop
004130b4  8fdc0010   lw      $gp, 0x10($fp) {var_40}  {0x475b40}

Once "iw_ip_update" gets the information it needs, it calls "iw_system" to execute echo "%s" "%s" localhost >> /etc/hosts, as shown below.

004030b0  3c020040   lui     $v0, 0x40
004030b4  24444008   addiu   $a0, $v0, 0x4008  {0x404008, "echo 127.0.0.1 localhost > %s"}
004030b8  3c020040   lui     $v0, 0x40
004030bc  24454028   addiu   $a1, $v0, 0x4028  {data_404028, "/etc/hosts"}
004030c0  8f828084   lw      $v0, -0x7f7c($gp)  {iw_system}
004030c4  0040c821   move    $t9, $v0
004030c8  0320f809   jalr    $t9
004030cc  00000000   nop
004030d0  8fdc0010   lw      $gp, 0x10($fp) {var_18}
004030d4  8fc2001c   lw      $v0, 0x1c($fp) {var_c}
004030d8  8c420004   lw      $v0, 4($v0)
004030dc  00402021   move    $a0, $v0
004030e0  8f8280b8   lw      $v0, -0x7f48($gp)  {iw_ipv4_string}
004030e4  0040c821   move    $t9, $v0
004030e8  0320f809   jalr    $t9
004030ec  00000000   nop
004030f0  8fdc0010   lw      $gp, 0x10($fp) {var_18}
004030f4  00401821   move    $v1, $v0
004030f8  8fc20018   lw      $v0, 0x18($fp) {var_10}
004030fc  3c040040…  li      $a0, 0x404034  {"echo %s "%s" localhost >> %s"}
00403104  00602821   move    $a1, $v1
00403108  00403021   move    $a2, $v0
0040310c  3c020040   lui     $v0, 0x40
00403110  24474028   addiu   $a3, $v0, 0x4028  {data_404028, "/etc/hosts"}
00403114  8f828084   lw      $v0, -0x7f7c($gp)  {iw_system}
00403118  0040c821   move    $t9, $v0
0040311c  0320f809   jalr    $t9
00403120  00000000   nop
00403124  8fdc0010   lw      $gp, 0x10($fp) {var_18}  {0x41c8f0}
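
A mitigation sketch for the pattern in the listings above, added here as an example and not taken from the Moxa firmware or the Talos report: the device name is checked against the RFC 1123 host name grammar, and the hosts file is written with file I/O instead of a formatted shell command. The function names hostname_is_valid and write_hosts_entry are hypothetical, and the IP string is assumed to come from the device's own address formatter (iw_ipv4_string in the listing).

```c
/* Added example: hypothetical helpers, not code from the AWK-3131A firmware. */
#include <stdio.h>
#include <string.h>

/* Accept only RFC 1123 host names: dot-separated labels of 1-63 characters
 * from [A-Za-z0-9-], no leading or trailing hyphen, at most 253 characters.
 * Quotes, whitespace and every shell metacharacter fail the check. */
int hostname_is_valid(const char *name)
{
    size_t len, label = 0;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        int alnum = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                    (c >= 'a' && c <= 'z');
        if (c == '.') {
            if (label == 0 || name[i - 1] == '-') return 0; /* empty label or "x-." */
            label = 0;
        } else if (alnum || c == '-') {
            if (c == '-' && label == 0) return 0;           /* leading hyphen */
            if (++label > 63) return 0;                     /* label too long */
        } else {
            return 0;                                       /* any other byte */
        }
    }
    return label > 0 && name[len - 1] != '-';
}

/* Produce the same two lines the echo commands in the listing produce, but
 * without a shell, so the name is never parsed as command text.
 * Returns 0 on success, -1 if the name is rejected or the write fails. */
int write_hosts_entry(const char *path, const char *ip, const char *name)
{
    FILE *f;
    int ok;
    if (!hostname_is_valid(name)) return -1;
    f = fopen(path, "w");
    if (f == NULL) return -1;
    ok = fprintf(f, "127.0.0.1 localhost\n%s %s localhost\n", ip, name) > 0;
    if (fclose(f) != 0) ok = 0;
    return ok ? 0 : -1;
}
```

Because the report attributes the flaw to data both passed to and retrieved from flash, a check like this belongs at both points: when the name is accepted from the web or telnet interface, and again when it is read back at boot.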

Timeline

2019-10-22 - Vendor Disclosure
2020-02-24 - Public Release

Credit

Discovered by Jared Rittle and Alexander Perez Palma of Cisco Talos.