### Summary
An exploitable Weak Cryptography for Passwords vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. An attacker could intercept weakly encrypted passwords and could brute force them.
### Tested Versions
Moxa EDR-810 V4.1 build 17030317
### Product URLs
https://www.moxa.com/product/EDR-810.htm
### CVSSv3 Score
3.5 - CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
### CWE
CWE-216 - Weak Cryptography for Passwords
### Details
After the initial login, each authenticated request sends a HTTP packet with a MD5 hash of the password. This hash is not salted and can be cracked, revealing the device's password.
### Exploit Proof-of-Concept
In the Cookie there is a PASSWORD= parameter. This parameter contain a MD5 of the users password.
```
GET /overview.asp HTTP/1.1
Host: 192.168.127.254
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.127.254/home.asp?action=go
Cookie: sysnotify_support=yes; sysnotify_loginStatus=initial; lasttime=1506954769474; NAME=admin; PASSWORD=1cf17e0c60ed7ecb0977fdfc0e218c65; AUTHORITY=0; Auto-Logout_Time=3600000; sessionID=2933537563
Connection: keep-alive
```
### Timeline
* 2017-11-15 - Vendor Disclosure
* 2017-11-19 - Vendor Acknowledged
* 2017-12-25 - Vendor provided timeline for fix (Feb 2018)
* 2018-01-04 - Timeline pushed to mid-March per vendor
* 2018-03-24 - Talos follow up with vendor for release timeline
* 2018-03-26 - Timeline pushed to 4/13/18 per vendor
* 2018-04-12 - Vendor patched & published new firmware on website
* 2018-04-13 - Public Release
Summary
An exploitable Weak Cryptography for Passwords vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. An attacker could intercept weakly encrypted passwords and could brute force them.
Tested Versions
Moxa EDR-810 V4.1 build 17030317
Product URLs
https://www.moxa.com/product/EDR-810.htm
CVSSv3 Score
3.5 - CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CWE
CWE-216 - Weak Cryptography for Passwords
Details
After the initial login, each authenticated request sends a HTTP packet with a MD5 hash of the password. This hash is not salted and can be cracked, revealing the device's password.
Exploit Proof-of-Concept
In the Cookie there is a PASSWORD= parameter. This parameter contain a MD5 of the users password.
GET /overview.asp HTTP/1.1
Host: 192.168.127.254
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.127.254/home.asp?action=go
Cookie: sysnotify_support=yes; sysnotify_loginStatus=initial; lasttime=1506954769474; NAME=admin; PASSWORD=1cf17e0c60ed7ecb0977fdfc0e218c65; AUTHORITY=0; Auto-Logout_Time=3600000; sessionID=2933537563
Connection: keep-alive
Timeline
- 2017-11-15 - Vendor Disclosure
- 2017-11-19 - Vendor Acknowledged
- 2017-12-25 - Vendor provided timeline for fix (Feb 2018)
- 2018-01-04 - Timeline pushed to mid-March per vendor
- 2018-03-24 - Talos follow up with vendor for release timeline
- 2018-03-26 - Timeline pushed to 4/13/18 per vendor
- 2018-04-12 - Vendor patched & published new firmware on website
- 2018-04-13 - Public Release
京公网安备 11010502034610号
暂无评论