Headline
CVE-2016-8718: TALOS-2016-0232 || Cisco Talos Intelligence Group
An exploitable Cross-Site Request Forgery vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted form can trick a client into making an unintentional request to the web server which will be treated as an authentic request.
Summary
An exploitable Cross-Site Request Forgery vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted form can trick a client into making an unintentional request to the web server which will be treated as an authentic request.
Tested Versions
Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client 1.1
Product URLs
http://www.moxa.com/product/AWK-3131A.htm
CVSSv3 Score
7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
An exploitable Cross-Site Request Forgery (CSRF) vulnerability exists in the Web Application functionality of Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client. A specially crafted form can trick a client into making an unintentional request to the web server which will be treated as an authentic request.
Successful exploitation of this vulnerability can enable an attacker to trick a legitimate user in to performing any action permitted by the device, including exploitation of unrelated vulnerabilities. For example, an attacker may use a CSRF attack to modify device settings or even take advantage of OS Command Injection vulnerabilities to execute operating system commands with root privileges.
Exploit Proof-of-Concept
The below will change the user’s password to a value determined by the attacker <html> <body> <form action="http://<device IP>/forms/webSetUserChgPwd" method="POST"> </form> </body> </html>
Alternatively, leveraging an OS Command Injection vulnerability in conjunction with CSRF, a client which attempts to render the below page will cause a root-level shell to be opened on the vulnerable device: <html>
<body> <form action="http://<device IP>/forms/webSetPingTrace" method="POST"> </form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Mitigation
To significantly mitigate risk of exploitation, disable the web application before the device is deployed.
Timeline
2016-11-14 - Vendor Disclosure
2017-04-10 - Public Release
Discovered by Patrick DeSantis of Cisco Talos.