MRF Web Panel 9.0.1 OS Command Injection
Posted on 30 January 2017
Title: MRF Web Panel OS Command Injection Vendor: Radisys Vendor Homepage: http://www.radisys.com Product: MRF Web Panel (SWMS) Version: 9.0.1 CVE: CVE-2016-10043 CWE: CWE-78 Risk Level: High Discovery: Filippos Mastrogiannis, Loukas Alkis & Dimitrios Maragkos COSMOTE (OTE Group) Information & Network Security -------------------------------------------------------------------------------------- Vulnerability Details: The MRF Web Administration Panel (SWMS) is vulnerable to OS Command Injection attacks. Affected parameter: MSM_MACRO_NAME (POST parameter) Affected file: ms.cgi (/swms/ms.cgi) Verified Affected Operation: Show Fatal Error and Log Package Configuration It is possible to use the pipe character (|) to inject arbitrary OS commands and retrieve the output in the application's responses. Proof Of Concept: The POST parameter MSM_MACRO_NAME has been injected with the following payload: Show_Fatal_Error_Configuration|||a #' |cat /etc/passwd||a #|" |||a # As a result the attacker receives the result of the command in the response Vulnerability Impact: Application's own data and functionality or the web server can be compromised due to OS command injection vulnerabilities. It may also be possible to use the server as a platform for attacks against other systems. Due to the weak session management mechanism, if there is a valid admin session token, attackers could bruteforce it and execute arbitrary and dangerous commands to the operating system without any authentication. Disclaimer: The responsible disclosure policy has been followed
