CVE-2016-8718
An exploitable Cross-Site Request Forgery vulnerability exists in the Web Application functionality of Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted form can trick a client into making an unintentional request to the web server which will be treated as an authentic request.
Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client 1.1
http://www.moxa.com/product/AWK-3131A.htm
7.5 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
An exploitable Cross-Site Request Forgery (CSRF) vulnerability exists in the Web Application functionality of Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client. A specially crafted form can trick a client into making an unintentional request to the web server which will be treated as an authentic request.
Successful exploitation of this vulnerability can enable an attacker to trick a legitimate user into performing any action permitted by the device, including exploitation of unrelated vulnerabilities. For example, an attacker may use a CSRF attack to modify device settings or even take advantage of OS Command Injection vulnerabilities to execute operating system commands with root privileges.
The below will change the user’s password to a value determined by the attacker:
<html>
<body>
<form action="http://<device IP>/forms/webSetUserChgPwd" method="POST">
</form>
</body>
</html>
Alternatively, leveraging an OS Command Injection vulnerability in conjunction with CSRF, a client which attempts to render the below page will cause a root-level shell to be opened on the vulnerable device:
<html>
<body>
<form action="http://<device IP>/forms/webSetPingTrace" method="POST">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
To significantly mitigate risk of exploitation, disable the web application before the device is deployed.
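Where the web application has to stay enabled, the root cause described above (a cross-site POST is treated as an authentic request) can be filtered in front of the device. The following is an added example, not part of the original advisory and not Moxa code: an Origin/Referer check that a filtering reverse proxy could apply before forwarding requests. The function names, the rule that everything under `/forms/` changes state, and the 192.0.2.10 device address are assumptions.

```python
from urllib.parse import urlsplit

# The advisory names /forms/webSetUserChgPwd and /forms/webSetPingTrace.
# Treating the whole /forms/ prefix as state-changing is an assumption.
PROTECTED_PREFIX = "/forms/"
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (parts.scheme, parts.hostname.lower(),
            port or DEFAULT_PORTS[parts.scheme])


def allow_request(method, path, headers, device_origin):
    """Decide whether a request may be forwarded to the device web server.

    headers: dict of request headers as received by the proxy.
    device_origin: origin the admin UI is served from (constructed sample
    value in the tests: "http://192.0.2.10").
    """
    safe_method = method.upper() in ("GET", "HEAD", "OPTIONS")
    if safe_method and not path.startswith(PROTECTED_PREFIX):
        return True  # read-only page load, nothing to protect
    h = {k.lower(): v for k, v in headers.items()}
    # Browsers attach Origin to cross-site form POSTs; fall back to Referer.
    source = h.get("origin") or h.get("referer")
    if not source or source == "null":
        return False  # fail closed: request cannot be tied to the UI itself
    expected = _origin(device_origin)
    return expected is not None and _origin(source) == expected
```

Header checks of this kind reduce exposure at the proxy only; requests that reach the device directly are not covered.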
2016-11-14 - Vendor Disclosure
2017-04-10 - Public Release
Discovered by Patrick DeSantis of Cisco Talos.