CVE-2022-32429

Authentication Bypass and Remote Code Execution on MSNSwitch firmware MNT.2408

Affected Product:

The affected product is the MSNSwitch Internet-enabled power strip running firmware version MNT.2408. It is unknown if any previous versions are affected.

Vulnerability Type:

Authentication Bypass, Command Execution

Root Cause:

The vulnerability is an authentication bypass which allows the full configuration of the unit to be downloaded. The credentials obtained here can then be used via a local subnet vulnerability to obtain a full root shell on the device.

The authentication bypass is caused by a routing misconfiguration in the embedded "goahead" web server. The route for the cgi-bin directory is registered without a trailing forward slash, whereas the path used for the authentication check includes it. As a result, URLs of the form http://{TARGET}:{PORT}/cgi-binANYSTRINGHERE are dispatched to the /cgi-bin/ directory without the authentication check being applied.

For instance, the device settings can be accessed at the URL: http://{TARGET}:{PORT}/cgi-bin-hax/ExportSettings.sh
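The following Python model is an added example, not code from the advisory or from the device firmware. It reproduces the mismatch described above in a simulated route table (the prefix strings, the dispatch outcomes and the access-log lines are all constructed for illustration), shows the corrected registration with the trailing slash, and includes a small detector that flags access-log requests whose path begins with "/cgi-bin" but not "/cgi-bin/", which is the signature a defender would look for.

```python
import re

# Simulated route table (constructed, not the vendor's code). The CGI handler is
# matched by prefix; the authentication check is matched by a separate prefix.
CGI_ROUTE_PREFIX_VULNERABLE = "/cgi-bin"   # missing trailing slash, as described in the advisory
CGI_ROUTE_PREFIX_FIXED = "/cgi-bin/"       # corrected registration
AUTH_PREFIX = "/cgi-bin/"                  # path guarded by authentication


def requires_auth(path):
    """Authentication applies only to paths under the exact "/cgi-bin/" prefix."""
    return path.startswith(AUTH_PREFIX)


def dispatch(path, authenticated, cgi_prefix):
    """Return the simulated outcome for a request: "cgi", "401" or "static"."""
    if path.startswith(cgi_prefix):
        if requires_auth(path) and not authenticated:
            return "401"
        return "cgi"          # reached the CGI directory
    return "static"           # falls through to the ordinary document tree


# Constructed access-log sample in common log format (IPs from the documentation range).
ACCESS_LOG = """\
192.0.2.10 - - [01/Jul/2022:10:00:01 +0000] "GET /index.asp HTTP/1.1" 200 512
192.0.2.10 - - [01/Jul/2022:10:00:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 401 0
192.0.2.77 - - [01/Jul/2022:10:00:03 +0000] "GET /cgi-bin-hax/ExportSettings.sh HTTP/1.1" 200 4096
192.0.2.77 - - [01/Jul/2022:10:00:04 +0000] "GET /cgi-binX/upgrade.cgi HTTP/1.1" 200 88
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# "/cgi-bin" immediately followed by something other than "/": the bypass shape.
BYPASS_RE = re.compile(r"^/cgi-bin(?!/)(?=\S)")


def find_bypass_attempts(log_text):
    """Return (ip, path, status) for every request that matches the bypass shape."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if BYPASS_RE.match(m["path"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for prefix in (CGI_ROUTE_PREFIX_VULNERABLE, CGI_ROUTE_PREFIX_FIXED):
        print(prefix, dispatch("/cgi-bin-hax/ExportSettings.sh", False, prefix))
    for hit in find_bypass_attempts(ACCESS_LOG):
        print("bypass-shaped request:", hit)
```

With the vulnerable prefix the unauthenticated request for /cgi-bin-hax/ExportSettings.sh reaches the CGI directory; with the trailing slash restored it falls through to the static tree. The detector is deliberately broad (any "/cgi-bin" prefix without a slash) so that it also catches variants on the same misconfiguration; a 200 status on such a path is the strongest indicator.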

With credentials in hand, it is then possible to exploit a command injection flaw in the /cgi-bin/upgrade.cgi script to execute arbitrary commands on the device. This flaw is caused by insufficient sanitization of a user-specified field.
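To illustrate the sanitization failure in general terms, the following Python is an added example, not the firmware's upgrade.cgi and not the advisory's proof of concept. The advisory does not name the affected field, so the parameter name "image" and the tool path "/usr/sbin/fw_upgrade" are assumptions. The unsafe builder splices the field into a shell command line; the hardened builder validates the field against an allow-list and passes it as a discrete argv element so that no shell interprets it.

```python
import re
import shlex
import subprocess

# Hypothetical firmware upgrade tool (assumption; the real script's command is not given).
UPGRADE_TOOL = "/usr/sbin/fw_upgrade"


def build_upgrade_command_unsafe(image):
    """Insufficient sanitization: the user-specified field lands in a shell string verbatim,
    so any shell metacharacters it contains become part of the command."""
    return f"{UPGRADE_TOOL} /tmp/{image}"


# Allow-list for the field: a plain file name, no separators, no metacharacters,
# no leading dash (so it cannot be parsed as an option), bounded length.
IMAGE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def validate_image_name(image):
    """Return the name unchanged if it passes the allow-list, else raise ValueError."""
    if not IMAGE_NAME_RE.fullmatch(image) or ".." in image:
        raise ValueError("rejected firmware image name")
    return image


def is_accepted(image):
    """Convenience predicate for the allow-list."""
    try:
        validate_image_name(image)
        return True
    except ValueError:
        return False


def build_upgrade_command_safe(image):
    """Hardened form: validated field, argv list, no shell."""
    name = validate_image_name(image)
    return [UPGRADE_TOOL, f"/tmp/{name}"]


def contains_shell_metachar(value):
    """True if the value would need quoting to be safe in a POSIX shell; useful
    as a server-side log/alert condition on submitted fields."""
    return shlex.quote(value) != value


def run_upgrade(image):
    """Execute the hardened command; shell=False means argv is passed directly."""
    return subprocess.run(build_upgrade_command_safe(image), shell=False, check=True)


if __name__ == "__main__":
    for candidate in ("MNT.2408.bin", "fw.bin; id"):
        print(repr(candidate), "accepted" if is_accepted(candidate) else "rejected",
              "metachar" if contains_shell_metachar(candidate) else "clean")
```

The allow-list is the primary control; passing an argv list with shell=False is the second layer, so even a field that slipped past validation cannot be interpreted by a shell. Logging rejected values is worth doing, since a submitted field containing shell metacharacters is a reliable signal of probing.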

Impact:

An attacker can remotely obtain the access credentials for the device itself as well as for other services that the device may be connected to. If configured, this can include Google accounts, accounts for various dynamic DNS providers, other email accounts and Skype/SMS account information. In addition, the attacker will have control over the device itself, including the ability to power cycle connected devices.

The command execution vulnerability is less significant, as it requires the attacker to be on the same subnet as the device. However, if an attacker is in that position, they can obtain full root shell access.

POC Code:

CVE-2022-32429-POC.py