Samuel Huntley

**Name of the Vulnerable Software and Affected Versions** Moxa AWK-3121 version 1.19 **Description** An issue was discovered that allows an attacker to execute XSS by injecting an XSS payload through the `iw board deviceName` parameter in the device name change functionality. This affects the ability of an administrator to securely change the device name. **Recommendations** For Moxa AWK-3121 version 1.19, as a temporary workaround, consider restricting access to the device name change functionality to minimize the risk of XSS injection through the `iw board deviceName` parameter. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Moxa AWK-3121 version 1.14 **Description** An issue was discovered where the device enables an unencrypted TELNET service by default. This allows an attacker who has gained a Man-In-The-Middle (MITM) position to easily sniff the traffic between the device and the user. Additionally, an attacker can easily connect to the TELNET daemon using the default credentials if they have not been changed by the user. **Recommendations** For Moxa AWK-3121 version 1.14, consider disabling the TELNET service or changing the default credentials to prevent unauthorized access. As a temporary workaround, restrict access to the TELNET daemon until a more secure configuration or patch is available.

**Name of the Vulnerable Software and Affected Versions** Moxa AWK-3121 version 1.14 **Description** An issue was discovered in the Moxa AWK-3121 device, specifically in its certfile upload functionality, which allows an administrator to upload a certificate file for connecting to the wireless network. However, this functionality also enables an attacker to execute commands on the device. The `iw privatePass` parameter in the POST request is susceptible to command injection. By crafting a packet containing shell metacharacters, an attacker can execute the attack. **Recommendations** For Moxa AWK-3121 version 1.14, consider disabling the certfile upload functionality until a patch is available to prevent command injection attacks. Restrict access to the `iw privatePass` parameter in the POST request to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Moxa AWK-3121 version 1.14 **Description** The issue allows an attacker to execute commands on the device due to insufficient argument validation in a command. This can be exploited by a remote attacker to execute arbitrary commands with root privileges using a specially crafted `iw filename` parameter. The vulnerability is related to a functionality that allows administrators to run scripts on the device for troubleshooting purposes. **Recommendations** For Moxa AWK-3121 version 1.14, consider disabling the functionality that allows running scripts on the device until a patch is available. Restrict access to the `iw filename` parameter to minimize the risk of exploitation. Avoid using the `iw filename` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Moxa AWK-3121 version 1.14 **Description** An issue was discovered that allows an attacker to execute commands on the device. The `iw serverip` parameter is susceptible to buffer overflow, which can be exploited by crafting a packet with a string of 480 characters. This vulnerability may allow a remote attacker to execute arbitrary commands with root privileges. **Recommendations** For Moxa AWK-3121 version 1.14, consider disabling the functionality that allows running scripts on the device until a patch is available. Restrict access to the `iw serverip` parameter to minimize the risk of exploitation. Avoid using the `iw serverip` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Moxa AWK-3121 version 1.14 **Description** An issue was discovered that allows an attacker to execute commands on the device by exploiting a buffer overflow vulnerability in the `iw filename` POST parameter. This can be achieved by crafting a packet with a string of 162 characters. The vulnerability is related to the functionality that allows administrators to run scripts on the device for troubleshooting purposes. **Recommendations** For Moxa AWK-3121 version 1.14, consider disabling the functionality that allows running scripts on the device until a patch is available. As a temporary workaround, restrict the use of the `iw filename` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Moxa AWK-3121 version 1.14 **Description** An issue was discovered where the device allows HTTP traffic by default, providing an insecure communication mechanism for users connecting to the web server. This allows an attacker to easily sniff the traffic and compromise sensitive data, such as credentials. **Recommendations** For Moxa AWK-3121 version 1.14, consider disabling HTTP traffic and enabling a secure communication protocol, such as HTTPS, to prevent easy sniffing of traffic and compromise of sensitive data.

**Name of the Vulnerable Software and Affected Versions** Moxa AWK-3121 version 1.14 **Description** An issue allows an attacker to download the `/systemlog.log` file, which is the system log, without any authentication or authorization. This is the same functionality intended for administrators to download the system log. **Recommendations** For Moxa AWK-3121 version 1.14, consider restricting access to the `/systemlog.log` file until a patch is available. As a temporary workaround, restrict access to the API endpoint that allows downloading the system log to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Moxa AWK-3121 version 1.14 **Description** An issue was discovered where the session cookie `Password508` does not have an HttpOnly flag. This allows an attacker who is able to execute a cross-site scripting attack to steal the cookie easily. **Recommendations** For Moxa AWK-3121 version 1.14, consider setting the HttpOnly flag for the `Password508` session cookie to prevent it from being accessed by client-side scripts, thereby mitigating the risk of cookie theft via cross-site scripting attacks.

**Name of the Vulnerable Software and Affected Versions** Moxa AWK-3121 version 1.14 **Description** An issue was discovered that allows an attacker to execute commands on the device. The device provides ping functionality for administrators to check network connectivity using ICMP calls. However, this functionality is vulnerable to exploitation. The `srvName` parameter in a POST request is susceptible to a buffer overflow. By crafting a packet with a string of 516 characters, an attacker can execute the attack. **Recommendations** For Moxa AWK-3121 version 1.14, consider disabling the ping functionality or restricting access to the `srvName` parameter in the POST request until a patch is available. As a temporary workaround, avoid using the `srvName` parameter with long strings to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Moxa AWK-3121 version 1.14 **Description** An issue was discovered where the device provides a Wi-Fi connection that is open and does not use any encryption mechanism by default. This allows an attacker to sniff the traffic passing between the user's computer and the device, potentially stealing credentials over HTTP and TELNET connections. Additionally, an attacker can perform a Man-in-the-Middle (MITM) attack, infecting a user's computer. **Recommendations** For Moxa AWK-3121 version 1.14, consider disabling the open Wi-Fi connection until a patch or secure configuration is available. Restrict access to the device's setup process to minimize the risk of exploitation. Avoid using the device's default open Wi-Fi connection for administrative tasks.

**Name of the Vulnerable Software and Affected Versions** Moxa AWK-3121 version 1.14 **Description** An issue was discovered that allows an attacker to execute commands on the device by exploiting the alert functionality. The POST parameters `to1`, `to2`, `to3`, and `to4` are susceptible to buffer overflow. By crafting a packet with a string of 678 characters, an attacker can execute the attack. **Recommendations** For Moxa AWK-3121 version 1.14, as a temporary workaround, consider disabling the alert functionality that sends emails to the administrator's account until a patch is available. Restrict access to the POST parameters `to1`, `to2`, `to3`, and `to4` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Moxa AWK-3121 version 1.14 **Description** An issue was discovered in the device's web interface, which allows an administrator to manage the device. However, this interface is not protected against CSRF attacks, allowing an attacker to trick an administrator into executing actions without their knowledge. This is demonstrated by the "forms/iw webSetParameters" and "forms/webSetMainRestart" URIs. **Recommendations** For Moxa AWK-3121 version 1.14, as a temporary workaround, consider restricting access to the web interface to minimize the risk of exploitation. Avoid using the "forms/iw webSetParameters" and "forms/webSetMainRestart" URIs until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Moxa AWK-3121 version 1.14 **Description** An issue was discovered in the Moxa AWK-3121 device, where the ping functionality, intended for administrators to check network connectivity via ICMP calls, can be exploited by an attacker to execute commands on the device. The `srvName` parameter in a POST request is susceptible to injection. By crafting a packet with shell metacharacters, an attacker can execute this attack. **Recommendations** For Moxa AWK-3121 version 1.14, consider disabling the ping functionality or restricting access to the `srvName` parameter in the POST request to minimize the risk of exploitation. Avoid using the `srvName` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** D-Link DIR-645 Wired/Wireless Router Rev. Ax versions 1.04b12 and earlier **Description** The issue allows remote attackers to execute arbitrary code via a long string in a GetDeviceSettings action to the "HNAP interface". This is a result of a stack-based buffer overflow. **Recommendations** For versions 1.04b12 and earlier, consider restricting access to the HNAP interface as a temporary workaround until a patch is available. Avoid using long strings in the GetDeviceSettings action to minimize the risk of exploitation.

**Nome do Software Vulnerável e Versões Afetadas** D-Link DIR-645 Wired/Wireless Router Rev. Ax versões anteriores a 1.04b12 **Description** A interface HNAP (Home Network Administration Protocol) não neutraliza adequadamente caracteres especiais utilizados em comandos do sistema operacional. Isso permite que atacantes remotos executem comandos arbitrários por meio de uma ação 'GetDeviceSettings'. Em incidentes reais, a botnet Goldoon explorou este problema para obter controle total sobre os dispositivos, extrair dados e estabelecer comunicação com servidores de Comando e Controle (C&C) para lançar ataques DDoS através de 27 vetores diferentes utilizando os protocolos DNS, HTTP, ICMP, TCP e UDP. **Recommendations** Atualize o firmware para uma versão posterior a 1.04b12. Como medida paliativa temporária, restrinja o acesso à interface HNAP para minimizar o risco de exploração.