Headline
CVE-2016-8721: TALOS-2016-0235 || Cisco Talos Intelligence Group
An exploitable OS Command Injection vulnerability exists in the web application ‘ping’ functionality of Moxa AWK-3131A Wireless Access Points running firmware 1.1. Specially crafted web form input can cause an OS Command Injection resulting in complete compromise of the vulnerable device. An attacker can exploit this vulnerability remotely.
Summary
An exploitable OS Command Injection vulnerability exists in the web application ‘ping’ functionality of Moxa AWK-3131A Wireless Access Points running firmware 1.1. Specially crafted web form input can cause an OS Command Injection resulting in complete compromise of the vulnerable device. An attacker can exploit this vulnerability remotely.
Tested Versions
Moxa AWK-3131A WAP Version 1.1 Build 15122211
Product URLs
http://www.moxa.com/product/AWK-3131_Series.htm
CVSSv3 Score
9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Details
The ping feature of the Moxa AWK-3131A WAP web application is vulnerable to OS command injection. No obfuscation or encoding is needed - it appears there is no filtering of user input. Entering an OS command that is preceded with a ; results in the command being executed by the OS with root permissions.
Exploit Proof-of-Concept (optional)
An authenticated user may obtain a remote shell with root privilages by entering the following in the ping input box:
; /bin/busybox telnetd -l/bin/sh -p9999
then telnet to port 9999. The attacker will be connected to a /bin/sh shell as the root user, without needing to enter any credentials.
Mitigation (optional)
Exploitation of the vulnerable parameter requires authentication to the web application. However, commands are executed by the operating system as the root user, negating any user-level privilege enforcement by the web application.
Timeline
2016-11-14 - Vendor Disclosure 2017-04-18 - Public Release
Discovered by Patrick DeSantis of Cisco Talos.