Moxa AWK-3131A multiple iw_* utilities Use of Hard-coded Credentials Vulnerability

2020-02-24T00:00:00
ID TALOS-2019-0928
Type talos
Reporter Talos Intelligence
Modified 2020-02-24T00:00:00

Description

Talos Vulnerability Report

TALOS-2019-0928

Moxa AWK-3131A multiple iw_* utilities Use of Hard-coded Credentials Vulnerability

February 24, 2020
CVE Number

CVE-2019-5139

Summary

An exploitable use of hard-coded credentials vulnerability exists in multiple iw_* utilities of the Moxa AWK-3131A firmware version 1.13. The device operating system contains an undocumented encryption password, allowing for the creation of custom diagnostic scripts.

Tested Versions

Moxa AWK-3131A Firmware version 1.13

Product URLs

<http://www.moxa.com/product/AWK-3131A.htm>

CVSSv3 Score

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-798: Use of Hard-coded Credentials

Details

The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. It is designed to provide wireless communication capabilities to the environments in which it is deployed. Communication with the device is possible using HTTP, Telnet, and SSH.

A hard-coded password (moxaiwroot) is used while decrypting any diagnostic scripts uploaded through the device's troubleshooting portal. With this password it is possible to create custom diagnostic scripts to run on the device.

Disassembly for each of the four locations can be found below:

iw_troubleshoot

...
00402a38  8fdc0018   lw      $gp, 0x18($fp) {var_c8}
00402a3c  3c020040   lui     $v0, 0x40
00402a40  24444fe4   addiu   $a0, $v0, 0x4fe4  {0x404fe4, "openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %s%s"}
00402a44  3c020040   lui     $v0, 0x40
00402a48  24454fd0   addiu   $a1, $v0, 0x4fd0  {0x404fd0, "/var/ts_zip_result"}
00402a4c  3c020040   lui     $v0, 0x40
00402a50  24464f90   addiu   $a2, $v0, 0x4f90  {0x404f90, "/var/"}
00402a54  8fc70100   lw      $a3, 0x100($fp) {arg6}
00402a58  8f828050   lw      $v0, -0x7fb0($gp)  {iw_system_quiet}
00402a5c  0040c821   move    $t9, $v0
00402a60  0320f809   jalr    $t9

There is a second location in iw_troubleshoot where the password is used:

...
00402ee0  8fdc0020   lw      $gp, 0x20($fp) {var_e48}
00402ee4  8fc20e78   lw      $v0, 0xe78($fp) {arg4}
00402ee8  8c420000   lw      $v0, ($v0)
00402eec  8fc30e6c   lw      $v1, 0xe6c($fp) {arg_4}
00402ef0  afa30010   sw      $v1, 0x10($sp) {var_e58}
00402ef4  8fc30e70   lw      $v1, 0xe70($fp) {arg_8}
00402ef8  afa30014   sw      $v1, 0x14($sp) {var_e54}
00402efc  27c3003c   addiu   $v1, $fp, 0x3c {var_e2c}
00402f00  afa30018   sw      $v1 {var_e2c}, 0x18($sp) {var_e50}
00402f04  3c030040   lui     $v1, 0x40
00402f08  246450cc   addiu   $a0, $v1, 0x50cc  {0x4050cc, "openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %sTS_%d_%s_%s_%s.aes"}
00402f0c  3c030040   lui     $v1, 0x40
00402f10  24654fd0   addiu   $a1, $v1, 0x4fd0  {0x404fd0, "/var/ts_zip_result"}
00402f14  3c030040   lui     $v1, 0x40
00402f18  24664f90   addiu   $a2, $v1, 0x4f90  {0x404f90, "/var/"}
00402f1c  00403821   move    $a3, $v0
00402f20  8f828050   lw      $v0, -0x7fb0($gp)  {iw_system_quiet}
00402f24  0040c821   move    $t9, $v0
00402f28  0320f809   jalr    $t9
00402f2c  00000000   nop

iw_onekey

...
00401aec  8fdc0010   lw      $gp, 0x10($fp) {var_10}
00401af0  3c020040   lui     $v0, 0x40
00401af4  24442954   addiu   $a0, $v0, 0x2954  {0x402954, "openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %s"}
00401af8  3c020040   lui     $v0, 0x40
00401afc  24452944   addiu   $a1, $v0, 0x2944  {0x402944, "/var/rdinfo.zip"}
00401b00  3c020040   lui     $v0, 0x40
00401b04  2446298c   addiu   $a2, $v0, 0x298c  {0x40298c, "/var/rdinfo.aes"}
00401b08  8f828048   lw      $v0, -0x7fb8($gp)  {iw_system_quiet}
00401b0c  0040c821   move    $t9, $v0
00401b10  0320f809   jalr    $t9
00401b14  00000000   nop    
...

iw_webs

00457dcc  27bdfed8   addiu   $sp, $sp, -0x128
00457dd0  afbf0124   sw      $ra, 0x124($sp) {__saved_$ra}
00457dd4  afbe0120   sw      $fp, 0x120($sp) {__saved_$fp}
00457dd8  03a0f021   move    $fp, $sp {var_128}
00457ddc  3c1c004d…  li      $gp, 0x4cb8f0
00457de4  afbc0010   sw      $gp, 0x10($sp) {var_118}  {_gp}
00457de8  afc40128   sw      $a0, 0x128($fp) {arg_0}
00457dec  afc5012c   sw      $a1, 0x12c($fp) {arg_4}
00457df0  afc0001c   sw      $zero, 0x1c($fp) {var_10c}  {0x0}
00457df4  afc00018   sw      $zero, 0x18($fp) {var_110}  {0x0}
00457df8  3c020047   lui     $v0, 0x47
00457dfc  244416e4   addiu   $a0, $v0, 0x16e4  {0x4716e4, "openssl aes-256-cbc -d -k moxaiwroot -salt -in \"%s\" -out \"%s\""}
00457e00  8fc50128   lw      $a1, 0x128($fp) {arg_0}
00457e04  8fc6012c   lw      $a2, 0x12c($fp) {arg_4}
00457e08  8f828764   lw      $v0, -0x789c($gp)  {iw_system}
00457e0c  0040c821   move    $t9, $v0
00457e10  0320f809   jalr    $t9
00457e14  00000000   nop     
...
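The four listings share one audit signature: an `openssl` command template embedded as a string constant with the passphrase given inline via `-k`. As an added example that is not part of the Talos report or of Moxa's firmware, the following Python scans an extracted binary for that pattern (inline `-k` or `-pass pass:` secrets), skipping templates whose secret is a runtime `%s` placeholder; the sample blob, its padding bytes and the resulting offsets are constructed here.

```python
import re
from typing import Dict, List

# Printable-ASCII runs of 8+ bytes, the same candidates `strings` would report.
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")
# "openssl <cipher> <args...>" inside one printable run.
OPENSSL_CMD = re.compile(r"openssl\s+(?P<cipher>[\w-]+)\s+(?P<args>.*)")
# Passphrase supplied on the command line: "-k <secret>" or "-pass pass:<secret>".
SECRET_FLAG = re.compile(r"(?:-k\s+(?P<k>\S+)|-pass\s+pass:(?P<pass>\S+))")

def find_hardcoded_openssl_secrets(blob: bytes) -> List[Dict[str, object]]:
    """Return every openssl command template in `blob` whose passphrase is a literal."""
    findings: List[Dict[str, object]] = []
    for run in PRINTABLE.finditer(blob):
        text = run.group(0).decode("ascii")
        cmd = OPENSSL_CMD.search(text)
        if not cmd:
            continue
        sec = SECRET_FLAG.search(cmd.group("args"))
        if not sec:
            continue
        secret = sec.group("k") or sec.group("pass")
        # A "%s" passphrase is filled in at runtime, so it is not a hard-coded credential.
        if secret.startswith("%"):
            continue
        findings.append({
            "offset": run.start() + cmd.start(),      # byte offset of the template in blob
            "cipher": cmd.group("cipher"),
            "decrypt": "-d" in cmd.group("args").split(),
            "secret": secret,
            "command": cmd.group(0),
        })
    return findings

# Constructed sample "binary": the iw_onekey and iw_webs format strings from the
# listings above, surrounded by non-printable padding, plus a control template whose
# passphrase is a %s placeholder and must not be reported.
SAMPLE_BLOB = (
    b"\x00\x01\x02ELF\x00\x00"
    b"openssl aes-256-cbc -k moxaiwroot -salt -in %s -out %s\x00"
    b"\x00\x00/var/rdinfo.zip\x00"
    b"openssl aes-256-cbc -d -k moxaiwroot -salt -in \"%s\" -out \"%s\"\x00"
    b"\x00openssl aes-256-cbc -d -pass pass:%s -in %s -out %s\x00"
    b"\xff\xfe"
)

if __name__ == "__main__":
    for f in find_hardcoded_openssl_secrets(SAMPLE_BLOB):
        mode = "decrypt" if f["decrypt"] else "encrypt"
        print(f"0x{f['offset']:08x} {f['cipher']} {mode} secret={f['secret']!r}")
```

Run it over each unpacked filesystem binary (for example with `pathlib.Path(p).read_bytes()`) to list every location that would need the same fix, rather than relying on the disassembly of one function.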

Timeline

2019-10-22 - Vendor Disclosure
2020-02-24 - Public Release

Credit

Discovered by Patrick DeSantis, Carl Hurd, and Jared Rittle of Cisco Talos.

