The administration console of the Moog EXO Series EXVF5C-2 and EXVP7C2-3 units features a ‘statusbroadcast’ command that can spawn a given process repeatedly at a certain time interval as ‘root’. One of the limitations of this feature is that it only takes a path to a binary without arguments; however, this can be circumvented using special shell variables, such as ‘${IFS}’. As a result, an attacker can execute arbitrary commands as ‘root’ on the units.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24054
Reference (s):
- https://ioac.tv/3hy1xu6
- https://ioactive.com/moog-exo-series-multiple-vulnerabilities/