Source: Packet Storm (packetstormsecurity.com) | Author: Filippos Mastrogiannis | ID: PACKETSTORM:140766
Date: Jan 28, 2017 - 12:00 a.m.

MRF Web Panel 9.0.1 OS Command Injection

EPSS: 0.032 (Low), percentile 91.2%

`Title: MRF Web Panel OS Command Injection  
Vendor: Radisys  
Vendor Homepage: http://www.radisys.com  
Product: MRF Web Panel (SWMS)   
Version: 9.0.1  
CVE: CVE-2016-10043  
CWE: CWE-78  
Risk Level: High  
  
Discovery: Filippos Mastrogiannis, Loukas Alkis & Dimitrios Maragkos   
COSMOTE (OTE Group) Information & Network Security  
  
--------------------------------------------------------------------------------------  
  
Vulnerability Details:  
  
The MRF Web Administration Panel (SWMS) is vulnerable to OS Command Injection  
attacks.  
  
Affected parameter: MSM_MACRO_NAME (POST parameter)   
Affected file: ms.cgi (/swms/ms.cgi)  
Verified Affected Operation: Show Fatal Error and Log Package Configuration  
  
It is possible to use the pipe character (|) to inject arbitrary OS commands   
and retrieve the output in the application's responses.  
  
Proof Of Concept:  
  
The POST parameter MSM_MACRO_NAME has been injected with the following  
payload: Show_Fatal_Error_Configuration|||a #' |cat /etc/passwd||a #|" |||a #  
  
As a result, the attacker receives the output of the command in the response.  
  
Vulnerability Impact:  
  
The application's own data and functionality, or the web server itself, can be  
compromised through OS command injection vulnerabilities. It may also be possible  
to use the server as a platform for attacks against other systems. Due to the weak  
session management mechanism, if there is a valid admin session token, attackers  
could brute-force it and execute arbitrary and dangerous commands on the operating  
system without any authentication.  
  
Disclaimer:  
  
The responsible disclosure policy has been followed.  
`
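
A defensive check for the flaw described above, as an added example that is not part of the advisory or the vendor's code: it allow-lists `MSM_MACRO_NAME` values and flags POST requests to `/swms/ms.cgi` that carry anything else. The permitted character set, the helper names and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption: legitimate macro names use only letters, digits and underscores,
# like the "Show_Fatal_Error_Configuration" value quoted in the advisory.
SAFE_MACRO = re.compile(r"[A-Za-z0-9_]{1,64}")
# Characters a shell treats specially; the advisory names the pipe (|).
SHELL_META = set("|;&$`<>\\\n\r'\"#(){}*?!~")
TARGET_PATH = "/swms/ms.cgi"
PARAM = "MSM_MACRO_NAME"


def is_safe_macro_name(value):
    """Allow-list check to apply before the value gets near a shell."""
    return SAFE_MACRO.fullmatch(value) is not None


def inspect_request(method, path, body):
    """Return findings for one HTTP request; an empty list means nothing flagged."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return []
    findings = []
    # parse_qs URL-decodes the body, so an encoded %7C is inspected as '|'.
    for value in parse_qs(body, keep_blank_values=True).get(PARAM, []):
        if not is_safe_macro_name(value):
            meta = sorted(SHELL_META & set(value))
            findings.append(f"{PARAM} rejected; metacharacters: {meta}")
    return findings


# Constructed sample requests (method, path, form-encoded body); not real traffic.
SAMPLES = [
    ("POST", "/swms/ms.cgi", "MSM_MACRO_NAME=Show_Fatal_Error_Configuration"),
    ("POST", "/swms/ms.cgi", "MSM_MACRO_NAME=Show_Fatal_Error_Configuration%7Cexample"),
    ("POST", "/swms/ms.cgi", "MSM_MACRO_NAME=Show_Fatal_Error_Configuration%20%23"),
    ("GET", "/swms/index.html", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, path, inspect_request(method, path, body) or "ok")
```

Rejecting on the allow-list rather than on the metacharacter set is what blocks the request; the metacharacter list only enriches the alert.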
