Anyway, recently found Unauthorized Command Injection vulnerability in WAGO PLC's web-based management software. Affected device is here (WAGO 750-8202 PFC200 CS 2ETH RS).
P.S: This is not related with CVE-2016-9362.
You would need following tools if you would like to analyze vulnerability by yourself;
- Burp Suite
- A Web Browser
- Binwalk
- Code Editor (My fav is Sublime Text, it's so lightweight and have good themes)
While playing with JSON payload sent to configtools.php endpoint, find out that it's possible to inject OS commands into "parameter" JSON value. Injected commands such as uname -a and id.
Results of executed commands.
Bingo! Easy and quick win against a dummy device web-based management software.
To confirm that critical vulnerability in latest version of firmware, simply downloaded the latest firmware from WAGO's web site, extracted it with binwalk (thanks authors of binwalk) and start to review source code.
In the source code, CallConfigtoolByJson function called to JSON request from browser which later call CallConfigtool function to process "parameter" value in JSON payload.
OK, commments and code fixes show that they found it internally (maybe?) and fixed it silently. Requested old firmwares but they didn't send me yet :)
Bingo! Easy and quick win against a dummy device web-based management software.
To confirm that critical vulnerability in latest version of firmware, simply downloaded the latest firmware from WAGO's web site, extracted it with binwalk (thanks authors of binwalk) and start to review source code.
In the source code, CallConfigtoolByJson function called to JSON request from browser which later call CallConfigtool function to process "parameter" value in JSON payload.
OK, commments and code fixes show that they found it internally (maybe?) and fixed it silently. Requested old firmwares but they didn't send me yet :)