Talos Intelligence: TALOS-2019-0929
Feb 24, 2020

Moxa AWK-3131A iw_webs DecryptScriptFile file name Command Injection Vulnerability

www.talosintelligence.com

CVSS2: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.003 Low
Percentile: 65.9%

Summary

An exploitable command injection vulnerability exists in the iw_webs functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted diagnostic script file name can cause user input to be reflected in a subsequent iw_system call, resulting in remote control over the device. An attacker can send commands while authenticated as a low privilege user to trigger this vulnerability.

Tested Version

Moxa AWK-3131A firmware version 1.13

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Details

The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. It is designed to provide wireless communication capabilities to the environments in which it is deployed. Communication with the device is possible using HTTP, Telnet, and SSH.

An encrypted script file is used for diagnostics of the Moxa AWK-3131A. The script file name is passed into iw_system, which is a thin wrapper around a system call. Because the inserted file name is neither escaped nor filtered for special characters, shell commands embedded in the file name are executed before the decryption process runs.

This can be seen in the disassembly below:

    decryptScriptFile:
       0 @ 00457de8  va_list arg_0 = arg1
       1 @ 00457dec  va_list arg_4 = arg2
       2 @ 00457df0  int32_t var_10c = 0
       3 @ 00457df4  int32_t var_110 = 0
       4 @ 00457e00  va_list $a1 = arg_0
       5 @ 00457e10  iw_system(format_string: "openssl aes-256-cbc -d -k moxaiw…", args_for_format: $a1)
       6 @ 00457e24  va_list $a1_1 = arg_0
       7 @ 00457e30  iw_system(format_string: "rm \"%s\"", args_for_format: $a1_1)
       8 @ 00457e3c  va_list $a0 = arg_4
       9 @ 00457e50  $v0 = fopen($a0, "r")
      10 @ 00457e5c  int32_t var_10c_1 = $v0
      11 @ 00457e60  int32_t $v0_1 = var_10c_1
      12 @ 00457e64  if ($v0_1 != 0) then 13 @ 0x457ea4 else 19 @ 0x457e84
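As an added illustration (not code from the advisory or from the Moxa firmware), the command-building pattern the listing shows, beside a hardened equivalent that allowlists the name and runs openssl without a shell. The "-in %s" tail of the format string is an assumption, since the advisory truncates it after the key; DECRYPT_KEY is a placeholder for the elided key, and is_safe_script_name and decrypt_script_noshell are hypothetical helpers.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define DECRYPT_KEY "KEY_PLACEHOLDER" /* the listing truncates the real key */

/* Pattern from the listing: the caller's file name is interpolated into a
 * command line that iw_system() hands to a shell, so every metacharacter in
 * `name` survives into it. The "-in %s" tail is an assumption (the advisory
 * truncates the format string). Returns NULL if the command would not fit. */
const char *vulnerable_build_cmd(const char *name)
{
    static char cmd[256];
    int n = snprintf(cmd, sizeof cmd, "openssl aes-256-cbc -d -k %s -in %s",
                     DECRYPT_KEY, name);
    return (n > 0 && (size_t)n < sizeof cmd) ? cmd : NULL;
}

/* Hardening step 1 (hypothetical helper): allowlist the name. A diagnostic
 * script is a short base name of [A-Za-z0-9._-]; it may not start with '-'
 * (would parse as an openssl option) or '.' (hidden files, ".." traversal). */
int is_safe_script_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64 || name[0] == '-' || name[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardening step 2 (hypothetical helper): no shell at all. The name is one
 * argv element, so quoting and metacharacters carry no meaning. Returns the
 * child's exit status, or -1 on a rejected name or a fork/wait failure. */
int decrypt_script_noshell(const char *name, const char *outpath)
{
    if (!is_safe_script_name(name)) return -1;
    const char *argv[] = { "openssl", "aes-256-cbc", "-d", "-k", DECRYPT_KEY,
                           "-in", name, "-out", outpath, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], (char *const *)argv); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The second iw_system in the listing wraps the name in double quotes, which is not a fix either: a `"` in the name ends the quoted string and `$(...)` still expands inside double quotes, which is why the hardened form drops the shell entirely.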

Timeline

2019-10-22 - Vendor Disclosure
2020-02-24 - Public Release
