Authored by Matthew Bergin, Josh Hardin | Site korelogic.com

Moxa TN-5900 versions 3.1 and below suffer from an issue where a user who has authenticated to the management web application is able to leverage a command injection vulnerability in the p12 processing code of the certificate management function web_CERMGMTUpload.


KL-001-2022-002: Moxa TN-5900 Post Authentication Command Injection Vulnerability

Title: Moxa TN-5900 Post Authentication Command Injection Vulnerability
Advisory ID: KL-001-2022-002
Publication Date: 2022.01.28
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2022-002.txt


1. Vulnerability Details

Affected Vendor: Moxa
Affected Product: TN-5900
Affected Version: v3.1 and prior
Platform: Moxa Linux
CWE Classification: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE ID: CVE-2021-46560


2. Vulnerability Description

A user who has authenticated to the management web application
is able to leverage a command injection vulnerability in the
p12 processing code of the certificate management function
web_CERMGMTUpload.


3. Technical Description

Following authentication, the web_CERMGMTUpload API method
becomes accessible. This method takes a multipart HTTP POST
request containing four parameters. The cer_pw parameter is
not neutralized of special elements used in operating system
commands, so an attacker can embed additional commands that the
operating system will execute. In the request shown in the
Proof of Concept section, the cer_pw parameter has been written
such that, when executed by the operating system, a zero-byte
file is created in the /tmp directory.

The relevant pseudo-C for this API method is included below.
websGetVar retrieves the cer_pw parameter and its value is
copied into the pass variable. The opcode (mgmtmode) is then
compared to 2 and, when equal, a command string is prepared with
sprintf and passed to system(). The pass variable (cer_pw) is
included in this command without first sanitizing the user
input.

void web_CERMGMTUpload(longlong *param_1,undefined8 param_2,undefined8 param_3) {
...
/* mgmtmode selects the operation; it is parsed with atoi() and later compared to 2 */
__nptr = websGetVar(param_1,"mgmtmode",&DAT_120064f68);
opcode = atoi(__nptr);
/* cer_file and cer_name are read from the multipart request without validation */
__s = websGetVar(param_1,"cer_file",&DAT_120063dd0);
local_338 = websGetVar(param_1,"cer_name",&DAT_120063dd0);
if ((*local_338 == '
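
The sprintf-into-system() pattern described above, shown beside the fix a
practitioner would apply, as an added example that is not part of the
KoreLogic advisory or of Moxa's firmware. The advisory does not show the
actual command line the firmware builds, so the tool path (/bin/true is used
as a stand-in that ignores its arguments), the "-in" / "-passin" flag names
and the "secret; exit 7" payload are all assumptions constructed for this
example. The point it demonstrates is that the vulnerable path lets a second
command spliced into cer_pw run (the shell's exit status becomes 7), while
passing the same bytes as a single argv entry to execv() does not, and that
an allowlist on cer_pw rejects the payload before either path is reached.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the firmware's p12 tool (assumption: the real command line is
 * not shown in the advisory). /bin/true ignores its arguments, so the only
 * observable effect is whether a second command smuggled in through cer_pw
 * gets to run. */
#define P12_TOOL "/bin/true"

/* Vulnerable pattern, mirroring the advisory: build one string and hand it to
 * system(), which runs it through /bin/sh -c. Returns the child's exit
 * status, or -1 on error. */
int run_p12_via_shell(const char *cer_file, const char *cer_pw)
{
    char cmd[512];
    int n = snprintf(cmd, sizeof cmd, "%s -in %s -passin pass:%s",
                     P12_TOOL, cer_file, cer_pw);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;
    int status = system(cmd);
    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Hardened pattern: no shell is involved. Each argument is its own argv
 * entry, so whatever cer_pw contains reaches the tool as one literal string.
 * Returns the child's exit status, or -1 on error. */
int run_p12_via_execvp(const char *cer_file, const char *cer_pw)
{
    char passarg[256];
    int n = snprintf(passarg, sizeof passarg, "pass:%s", cer_pw);
    if (n < 0 || (size_t)n >= sizeof passarg)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { P12_TOOL, "-in", (char *)cer_file,
                               "-passin", passarg, NULL };
        execv(argv[0], argv);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Defence in depth: an allowlist on cer_pw. Even with execv() in place,
 * rejecting shell metacharacters up front keeps the value away from any
 * other code path that might still shell out. Returns 1 if acceptable. */
int is_safe_p12_password(const char *pw)
{
    if (pw == NULL || *pw == '\0' || strlen(pw) > 64)
        return 0;
    for (const unsigned char *p = (const unsigned char *)pw; *p; p++) {
        if (!isalnum(*p) && strchr("._-@", *p) == NULL)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed payload (assumption, not the advisory's PoC): ';' ends the
     * tool's command, so "exit 7" runs as a second command and its value
     * becomes the shell's exit status. */
    const char *payload = "secret; exit 7";

    printf("system():  exit %d\n", run_p12_via_shell("cert.p12", payload));
    printf("execv():   exit %d\n", run_p12_via_execvp("cert.p12", payload));
    printf("allowlist: %d\n", is_safe_p12_password(payload));
    return 0;
}
```

Run on a Linux host with /bin/true and /bin/sh present; the first line reports
exit 7 because the injected "exit 7" executed, the second reports exit 0
because the whole payload was delivered to the tool as a single argument, and
the allowlist rejects it outright. If the firmware must keep a shell for some
reason, the execv() variant still shows the invariant to enforce: user input
is data in argv, never part of the command string.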