Talos Intelligence: TALOS-2016-0235
Published: Apr 18, 2017

Moxa AWK-3131A Web Application Ping Command Injection Vulnerability

Source: Talos Intelligence (www.talosintelligence.com), 2017-04-18

CVSS2: 9 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3: 9.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS: 0.002 Low
Percentile: 52.5%

Summary

An exploitable OS Command Injection vulnerability exists in the web application ‘ping’ functionality of Moxa AWK-3131A Wireless Access Points running firmware 1.1. Specially crafted web form input can cause an OS Command Injection resulting in complete compromise of the vulnerable device. An attacker can exploit this vulnerability remotely.

Tested Versions

Moxa AWK-3131A WAP Version 1.1 Build 15122211

Product URLs

<http://www.moxa.com/product/AWK-3131_Series.htm>

CVSSv3 Score

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

The ping feature of the Moxa AWK-3131A WAP web application is vulnerable to OS command injection. No obfuscation or encoding is needed; it appears there is no filtering of user input. Entering an OS command preceded by a ; results in the command being executed by the OS with root permissions.

Exploit Proof-of-Concept (optional)

An authenticated user may obtain a remote shell with root privileges by entering the following in the ping input box:

; /bin/busybox telnetd -l/bin/sh -p9999

then telnet to port 9999. The attacker will be connected to a /bin/sh shell as the root user, without needing to enter any credentials.

Mitigation (optional)

Exploitation of the vulnerable parameter requires authentication to the web application. However, commands are executed by the operating system as the root user, negating any user-level privilege enforcement by the web application.
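
The Details section reports that the ping input is not filtered and that a ; separator is honoured, which means the input reaches a shell. The following is an added example, not Moxa's or Talos's code, of a ping handler that validates the target against a strict allowlist and passes it to ping as a single argv element with no shell involved. The function names, the /bin/ping path and the "-c 4" arguments are assumptions.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical validator: accept only a hostname or IPv4 literal made of
 * ASCII letters, digits, '.' and '-'. Shell metacharacters, whitespace and
 * a leading '-' (which ping would parse as an option) are rejected. */
int is_valid_ping_target(const char *s)
{
    size_t len, i, label = 0;
    if (s == NULL) return 0;
    len = strlen(s);
    if (len == 0 || len > 253) return 0;
    for (i = 0; i < len; i++) {
        char c = s[i];
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-') return 0; /* empty label or trailing '-' */
            label = 0;
        } else if (alnum || (c == '-' && label > 0)) {
            if (++label > 63) return 0;   /* DNS label length limit */
        } else {
            return 0;                     /* ';', ' ', '|', '$', '`', ... */
        }
    }
    return label > 0 && s[len - 1] != '-';
}

/* Runs ping with the target as one argv element; no shell parses it.
 * /bin/ping and "-c 4" are assumptions about the target system.
 * Returns ping's exit status (127 if exec fails), or -1 if the input
 * is rejected or fork/wait fails. */
int run_ping(const char *target)
{
    pid_t pid; int status;
    if (!is_valid_ping_target(target)) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "ping", "-c", "4", (char *)target, NULL };
        execv("/bin/ping", argv);
        _exit(127);                       /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) { return argc == 2 ? run_ping(argv[1]) : 2; }
```

Validation alone does not address the second finding in this section: the handler should also run ping from a process that is not root, so that a future input-handling bug does not yield full device compromise.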

Timeline

2016-11-14 - Vendor Disclosure
2017-04-18 - Public Release
