Tuesday, May 28, 2013

MML Injections


In a recent penetration test we came across a Huawei device that used a Tomcat frontend to send certain parameters to a separate interface or to the command line. At the time we were not sure where the parameters were being sent, but it did seem to give strange returns when playing around with it. Upon further inspection we noticed an error code commented within the page when an error was generated.


After a bit of googlin’ we discovered it was Man-Machine Language (MML). According to the Wikipedia page:

“A man-machine language or MML is a specification language. MML typically are defined to standardize the interfaces for managing a telecommunications or network device from a console.”

And:

“Man-Machine Language (MML) is the industry standard command line language used to manage telecommunications network elements.”

We won’t be getting into the technical stuff on MML and TL1; there is already a lot of information out there on it. We will just be focusing on web portals that use parameters to feed into a query. Essentially our attack was an injection attack: a predefined command had our supplied value inserted into one of its properties, and the command was then run. This may be common on quite a few telecom devices with a web frontend.

A simple query may look like: 

Function{ PARAM1="Value", PARAM2="$user_supplied_value", PARAM3="predefinedValue" }

Let’s say we are able to specify the value for PARAM2, the other values are already set, and we want to redefine the value for PARAM3. Our input may look like:

Anything", PARAM3="our new value"};

This will overwrite the PARAM3 value with ours. The semicolon acts as a comment, commenting out the remaining part of the query, which contains the initial value for PARAM3.

Unfortunately it is not currently possible to redefine a value if it is declared before our input. This will generate an error stating duplicate values exist. 

Another trick, which can be used to escape a prefix on our supplied value, is to use a colon (:). The colon can be used to specify multiple values for an input.

Let’s say the following query has a prefix on our value:

Function{ PARAM1="Value", PARAM2="PREFIX_$user_supplied_value", PARAM3="predefinedValue" }

We could supply the following to escape the prefix:

Anything" : "noPrefix

This will supply the extra value without a prefix.
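
For anyone fixing a frontend like this, here is an added example (not code from the original post or from the device) of the raw interpolation pattern next to a checked builder, plus an audit helper that shows what each of the two inputs above does to the query. The function names, the allow-list and the template string are assumptions based on the illustrative syntax used in this post.

```python
import re

# Query template in the post's illustrative syntax (PARAM names are its placeholders).
# Straight ASCII quotes are used as the string delimiters.
TEMPLATE = 'Function{{ PARAM1="Value", PARAM2="{prefix}{value}", PARAM3="predefinedValue" }}'

# Assumed allow-list for the user-controlled field; tighten it to the real field's format.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# The only shape a rendered command may have: three quoted values and nothing else.
SHAPE = re.compile(r'Function\{ PARAM1="[^"]*", PARAM2="[^"]*", PARAM3="[^"]*" \}')


def build_naive(value, prefix=""):
    """Vulnerable pattern: the request parameter is interpolated unchanged."""
    return TEMPLATE.format(prefix=prefix, value=value)


def build_checked(value, prefix=""):
    """Hardened pattern: validate first, then verify the rendered command."""
    if not SAFE_VALUE.fullmatch(value):
        raise ValueError("parameter value rejected by allow-list")
    command = TEMPLATE.format(prefix=prefix, value=value)
    if not SHAPE.fullmatch(command):  # defence in depth if the allow-list is loosened
        raise ValueError("rendered command does not match the template shape")
    return command


def audit(value, prefix=""):
    """Describe what a raw value would do to the query, for logging or alerting."""
    command = build_naive(value, prefix)
    names = re.findall(r"(PARAM\d+)\s*=", command)
    return {
        "shape_ok": SHAPE.fullmatch(command) is not None,
        "duplicate_params": sorted({n for n in names if names.count(n) > 1}),
        "metacharacters": sorted(set(value) & set('";:,{}=')),
    }


# Constructed inputs: one benign value and the two inputs quoted in the post.
SAMPLES = ["subscriber01", 'Anything", PARAM3="our new value"};', 'Anything" : "noPrefix']

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), audit(sample, prefix="PREFIX_"))
```

The shape check is worth keeping even with the allow-list in place, because it still fails closed if someone later widens the allow-list to permit a quote or colon.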

So that’s it for now. Hopefully this helps someone out there; please feel free to add extra info or other attack methods in the discussion.

Cheers, Charlton
