In a recent penetration test we came across a Huawei device that used a Tomcat frontend to send certain parameters to a separate interface or to the command line. At the time we were not sure where the parameters were being sent, but it did seem to give strange returns when playing around with it. Upon further inspection we noticed an error code commented within the page when an error was generated.
After a bit of googlin’ we discovered it was Man-Machine Language (MML). According to the Wikipedia page:
“A man-machine language or MML is a specification language. MML typically are defined to standardize the interfaces for managing a telecommunications or network device from a console.”
“Man-Machine Language (MML) is the industry standard command line language used to manage telecommunications network elements.”
We won’t be getting into the technical stuff on MML and TL1, since there is already a lot of information out there on it. We will just be focusing on web portals that use parameters to feed into a query. Essentially our attack was an injection attack. We had a predefined command with our supplied value inserted into one of the properties, and the command was run. This may be common on quite a few telecom devices with a web frontend.
A simple query may look like:
Function{ PARAM1="Value", PARAM2="$user_supplied_value", PARAM3="predefinedValue" }
Let’s say we are able to specify the value for ‘PARAM2’ and the other values are already set, and we want to redefine the value for ‘PARAM3’. Our input may look like:
Anything", PARAM3="our new value"};
This will overwrite the PARAM3 value with ours; the semicolon acts as a comment to comment out the remaining part of the query containing the initial value for PARAM3.
Unfortunately it is not currently possible to redefine a value if it is declared before our input. This will generate an error stating duplicate values exist.
Another trick, which can be used to escape prefixes added to our supplied value, is to use a colon (:). This can be used to specify multiple values for an input.
Let’s say the following query has a prefix on our value:
Function{ PARAM1="Value", PARAM2="PREFIX_$user_supplied_value", PARAM3="predefinedValue" }
We could supply the following to escape the prefix:
Anything" : "noPrefix
This will supply the extra value without a prefix.
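
The two inputs above, seen from the frontend's side, as an added example that is not code from the device or from the original post: it shows why pasting the value into the command changes the command's structure, and how an allow-list plus a structure check stops both inputs. The template string, the function names and the allowed character set are assumptions made for illustration.

```python
import re

# Assumed template, modelled on the prefixed query shown in the post.
TEMPLATE = ('Function{{ PARAM1="Value", PARAM2="PREFIX_{value}", '
            'PARAM3="predefinedValue" }}')

# Assumed allow-list for the user-controlled value: no quotes, colons,
# semicolons, commas, braces, '=' or whitespace, which both inputs rely on.
SAFE_VALUE = re.compile(r'[A-Za-z0-9_.-]{1,64}')

# Token pattern: a complete quoted string, a bare name, or one other character.
TOKEN = re.compile(r'"[^"]*"|\w+|\S')


def build_naive(value):
    """Vulnerable form: the value is pasted into the command unchanged."""
    return TEMPLATE.format(value=value)


def skeleton(command):
    """Shape of the command with each quoted string collapsed to 'STR'."""
    return ['STR' if len(tok) > 1 and tok[0] == '"' and tok[-1] == '"' else tok
            for tok in TOKEN.findall(command)]


def is_injected(value):
    """True if the value changes the command's structure (useful on logs)."""
    return skeleton(build_naive(value)) != skeleton(build_naive('x'))


def build_checked(value):
    """Hardened form: allow-list first, then confirm the shape is unchanged."""
    if not SAFE_VALUE.fullmatch(value):
        raise ValueError('rejected parameter value: %r' % value)
    if is_injected(value):
        raise ValueError('parameter value alters command structure')
    return build_naive(value)


if __name__ == '__main__':
    # Constructed samples: one benign value and the two inputs from the post.
    for sample in ['cell-01', 'Anything", PARAM3="our new value"};',
                   'Anything" : "noPrefix']:
        print(repr(sample), 'injected' if is_injected(sample) else 'ok')
```
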
So that’s it for now. Hopefully this helps someone out there; please feel free to add extra info or other attack methods in the discussion.
Cheers, Charlton