Headline
CVE-2019-5142: TALOS-2019-0931 || Cisco Talos Intelligence Group
Summary
An exploitable command injection vulnerability exists in the hostname functionality of the Moxa AWK-3131A firmware version 1.13. A specially crafted entry to network configuration information can cause execution of arbitrary system commands, resulting in full control of the device. An attacker can send various authenticated requests to trigger this vulnerability.
Tested Versions
Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client version 1.13
Product URLs
http://www.moxa.com/product/AWK-3131A.htm
CVSSv3 Score
7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Details
The Moxa AWK-3131A Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client is a wireless networking appliance intended for use in industrial environments. The manufacturer specifically highlights automated materials handling and automated guided vehicles as target markets.
The Moxa AWK-3131A is susceptible to an OS command injection vulnerability because data written to flash memory and read back from it is not filtered before it is used in a shell command.
When the “Device Name” (hostname) is changed via the web interface or telnet, the device must reboot for the change to take effect. The running system has no writable persistent storage other than /var, which is volatile and behaves like /tmp, so to make the change persistent the new configuration is written to flash memory. On reboot, the “init” binary retrieves the configuration file from flash, extracts the settings it needs and eventually calls iw_system to run the “iw_ip_update” binary, as shown below.
00413090 3c020042 lui $v0, 0x42
00413094 24449ce4 addiu $a0, $v0, -0x631c {data_419ce4, "%s -m %d -n -r"}
00413098 3c020042 lui $v0, 0x42
0041309c 24459cb8 addiu $a1, $v0, -0x6348 {data_419cb8, "/usr/sbin/iw_ip_update"}
004130a0 00003021 move $a2, $zero {0x0}
004130a4 8f82818c lw $v0, -0x7e74($gp) {iw_system}
004130a8 0040c821 move $t9, $v0
004130ac 0320f809 jalr $t9
004130b0 00000000 nop
004130b4 8fdc0010 lw $gp, 0x10($fp) {var_40} {0x475b40}
Once “iw_ip_update” has obtained the configuration, it first resets the file with echo 127.0.0.1 localhost > /etc/hosts and then calls iw_system again with the format string echo %s "%s" localhost >> %s, where the first %s is the device's IPv4 address (returned by iw_ipv4_string), the second is the stored device name and the third is /etc/hosts, as shown below. The device name is inserted into the command line verbatim; because iw_system hands the resulting string to a shell, shell metacharacters in the name are interpreted rather than treated as part of the hostname.
004030b0 3c020040 lui $v0, 0x40
004030b4 24444008 addiu $a0, $v0, 0x4008 {0x404008, "echo 127.0.0.1 localhost > %s"}
004030b8 3c020040 lui $v0, 0x40
004030bc 24454028 addiu $a1, $v0, 0x4028 {data_404028, "/etc/hosts"}
004030c0 8f828084 lw $v0, -0x7f7c($gp) {iw_system}
004030c4 0040c821 move $t9, $v0
004030c8 0320f809 jalr $t9
004030cc 00000000 nop
004030d0 8fdc0010 lw $gp, 0x10($fp) {var_18}
004030d4 8fc2001c lw $v0, 0x1c($fp) {var_c}
004030d8 8c420004 lw $v0, 4($v0)
004030dc 00402021 move $a0, $v0
004030e0 8f8280b8 lw $v0, -0x7f48($gp) {iw_ipv4_string}
004030e4 0040c821 move $t9, $v0
004030e8 0320f809 jalr $t9
004030ec 00000000 nop
004030f0 8fdc0010 lw $gp, 0x10($fp) {var_18}
004030f4 00401821 move $v1, $v0
004030f8 8fc20018 lw $v0, 0x18($fp) {var_10}
004030fc 3c040040… li $a0, 0x404034 {"echo %s "%s" localhost >> %s"}
00403104 00602821 move $a1, $v1
00403108 00403021 move $a2, $v0
0040310c 3c020040 lui $v0, 0x40
00403110 24474028 addiu $a3, $v0, 0x4028 {data_404028, "/etc/hosts"}
00403114 8f828084 lw $v0, -0x7f7c($gp) {iw_system}
00403118 0040c821 move $t9, $v0
0040311c 0320f809 jalr $t9
00403120 00000000 nop
00403124 8fdc0010 lw $gp, 0x10($fp) {var_18} {0x41c8f0}
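The vulnerable pattern the two listings above show, placed beside a hardened form, as an added C example that is not Moxa firmware code and is not part of the Talos advisory. build_hosts_command reproduces the command template iw_ip_update passes to iw_system (it only formats the string and never executes it); is_valid_hostname, render_hosts_file and write_hosts_file are assumed names for the fix, which validates the name against an allow-list and writes /etc/hosts with stdio instead of a shell. The sample IP address and device names are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Command template iw_ip_update hands to iw_system, copied from the disassembly. */
#define HOSTS_PATH       "/etc/hosts"
#define HOSTS_APPEND_FMT "echo %s \"%s\" localhost >> %s"

/*
 * Vulnerable pattern: the stored device name is pasted into a shell command
 * line.  This only builds the string (it never calls system()), so the
 * effect of a hostile name can be inspected safely.
 * Returns 0 on success, -1 if the command does not fit in out.
 */
int build_hosts_command(char *out, size_t outlen, const char *ip, const char *hostname)
{
    int n = snprintf(out, outlen, HOSTS_APPEND_FMT, ip, hostname, HOSTS_PATH);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/*
 * Allow-list check in the spirit of RFC 1123: labels of letters, digits and
 * hyphens, 1..63 characters each, no leading or trailing hyphen, whole name
 * at most 253 characters.  Every shell metacharacter fails this test.
 * Returns 1 if acceptable, 0 otherwise.
 */
int is_valid_hostname(const char *name)
{
    size_t total = strlen(name);
    size_t label = 0;

    if (total == 0 || total > 253)
        return 0;

    for (size_t i = 0; i <= total; i++) {
        char c = name[i];
        if (c == '.' || c == '\0') {
            if (label == 0 || label > 63)
                return 0;               /* empty or overlong label */
            if (name[i - 1] == '-')
                return 0;               /* label ends with a hyphen */
            label = 0;
            continue;
        }
        if (!(isalnum((unsigned char)c) || c == '-'))
            return 0;                   /* anything else: ; " $ ( ) ` space ... */
        if (label == 0 && c == '-')
            return 0;                   /* label starts with a hyphen */
        label++;
    }
    return 1;
}

/*
 * Hardened replacement: validate the name, then render the file contents
 * directly.  No shell is involved, so the stored value is data, never code.
 * Returns 0 on success, -1 on an invalid hostname or insufficient space.
 */
int render_hosts_file(char *out, size_t outlen, const char *ip, const char *hostname)
{
    if (!is_valid_hostname(hostname))
        return -1;
    int n = snprintf(out, outlen, "127.0.0.1 localhost\n%s %s localhost\n", ip, hostname);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Write the rendered file with stdio instead of echo and redirection through a shell. */
int write_hosts_file(const char *path, const char *ip, const char *hostname)
{
    char buf[512];
    if (render_hosts_file(buf, sizeof buf, ip, hostname) != 0)
        return -1;
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    int ok = fputs(buf, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample values; the address is not taken from the advisory. */
    const char *ip = "192.168.127.253";
    const char *names[] = { "awk-3131a", "$(id)", "awk 3131a" };
    char cmd[512];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        build_hosts_command(cmd, sizeof cmd, ip, names[i]);
        printf("command a shell would receive: %s\n", cmd);
        printf("is_valid_hostname(\"%s\") = %d\n", names[i], is_valid_hostname(names[i]));
    }
    /* Scratch path so the demo never touches the real /etc/hosts. */
    return write_hosts_file("/tmp/hosts.example", ip, names[0]) == 0 ? 0 : 1;
}
```

The double quotes around the second %s in the original template do not help: a POSIX shell still expands $(...) and backticks inside double quotes, and a name containing a double quote can close the quoted region entirely. The robust fix is to stop invoking a shell for file updates and to reject invalid names at input time, before they reach flash, because the boot-time reader trusts whatever it finds there.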
Timeline
2019-10-22 - Vendor Disclosure
2020-02-24 - Public Release
Discovered by Jared Rittle and Alexander Perez Palma of Cisco Talos.