`Title: MRF Web Panel OS Command Injection
Vendor: Radisys
Vendor Homepage: http://www.radisys.com
Product: MRF Web Panel (SWMS)
Version: 9.0.1
CVE: CVE-2016-10043
CWE: CWE-78
Risk Level: High
Discovery: Filippos Mastrogiannis, Loukas Alkis & Dimitrios Maragkos
COSMOTE (OTE Group) Information & Network Security
--------------------------------------------------------------------------------------
Vulnerability Details:
The MRF Web Administration Panel (SWMS) is vulnerable to OS Command Injection
attacks.
Affected parameter: MSM_MACRO_NAME (POST parameter)
Affected file: ms.cgi (/swms/ms.cgi)
Verified Affected Operation: Show Fatal Error and Log Package Configuration
It is possible to use the pipe character (|) to inject arbitrary OS commands
and retrieve the output in the application's responses.
Proof Of Concept:
The POST parameter MSM_MACRO_NAME has been injected with the following
payload: Show_Fatal_Error_Configuration|||a #' |cat /etc/passwd||a #|" |||a #
As a result the attacker receives the result of the command in the response
Vulnerability Impact:
Application's own data and functionality or the web server can be compromised due
to OS command injection vulnerabilities. It may also be possible to use the server
as a platform for attacks against other systems. Due to the weak session management
mechanism, if there is a valid admin session token, attackers could bruteforce it
and execute arbitrary and dangerous commands to the operating system without any
authentication.
Disclaimer:
The responsible disclosure policy has been followed
`