MICI NetFax Server Command Injection Vulnerability Allowing Remote Code Execution

A command injection vulnerability has been identified in MICI Network Co., Ltd's NetFax Server, specifically in versions prior to 3.0.1.0. This vulnerability allows authenticated users to inject commands through unsanitized input in the application's ping functionality, accessed via the /test.php endpoint. Exploitation of this vulnerability leads to remote code execution on the server with root privileges.

Impact

Exploitation of this vulnerability allows for command injection, resulting in remote code execution on the server as the root user.

Reproduction

The vulnerability can be reproduced by first logging into the NetFax Server application using the default administrative credentials, which are disclosed in cleartext during the initial setup. After logging in, access the configuration file through a GET request to '/config.php' to retrieve the SMTP password in cleartext. Then, modify the configuration file to include a command payload, such as a reverse shell command using the 'nc' binary. Finally, execute the system test function at the '/test.php' endpoint, which will run the injected command and establish a reverse shell connection back to the attacker.

Remediation

The vendor has stated that these vulnerabilities will not be addressed. However, it is recommended to change default credentials, avoid exposing the server to external networks, and review the risks of the device's presence on internal networks.