CVE-2015-8282
Published: 2017-04-13
CVE-2015-8282: SeaWell Networks Spectrum SDC 02.05.00 has a default password of "admin" for the "admin" account.
Priority: P266, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 6.58% (93.0th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| seawell_networks | spectrum_sdc | — | — |
Detection & IOCs (extracted from sources)
url: https://IP/configure_manage.php?action=download_config&file=../../../../../../../../../etc/passwd
url: https://IP/system_manage.php?username=viewer1&password=viewer&password=viewer&userlevel=9&action=add_user&ekey=&LActiveRow=
url: https://IP/system_manage.php?username=viewer1&password=&password=&userlevel=9&action=delete_user&ekey=4&LActiveRow=sys_Luser_4
url: https://IP/system_manage.php?username=admin&password=admin1&password=admin1&userlevel=9&action=update_user&ekey=3&LActiveRow=sys_Luser_3
- Detect path traversal attempts against configure_manage.php by monitoring HTTP requests containing 'file=../' sequences in the query string targeting this endpoint.
- Alert on unauthenticated or low-privileged (viewer) requests to system_manage.php with action=add_user, action=delete_user, or action=update_user, especially with userlevel=9 (admin privilege escalation).
- Monitor HTTP GET requests to configure_manage.php with action=download_config and file parameter set to sensitive config filenames (policy.xml, cookie_config.xml, systemCfg.xml) from non-admin sessions.
- Flag successful logins using the default credential pair admin/admin on the Spectrum SDC management interface.
- Detect the response string '0Success1' in HTTP responses from system_manage.php, which indicates successful unauthorized administrative actions (user add/delete/modify) by a low-privileged user.
- The default admin credentials (admin/admin) are hardcoded in Spectrum SDC 02.05.00 and must be changed immediately upon deployment; the CVE specifically covers this default password condition.
- The userlevel parameter in system_manage.php is not server-side enforced: userlevel=9 grants admin privileges and userlevel=1 grants viewer privileges, and any authenticated user can supply either value.
- The configure_manage.php file parameter performs no path restriction, allowing traversal to arbitrary filesystem paths including /etc/passwd; no sanitization is applied server-side.
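The request-based detections listed above (traversal in the configure_manage.php file parameter, downloads of the named config files, and system_manage.php user actions with userlevel=9) can be run over web access logs. The Python below is an added example, not code from the advisory or the vendor; it assumes common/combined log format, its tag names and sample log lines are constructed, and it goes beyond the listed checks by also decoding percent-encoded and double-encoded traversal sequences.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request field of a common/combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
SENSITIVE_CONFIGS = {"policy.xml", "cookie_config.xml", "systemcfg.xml"}
USER_ACTIONS = {"add_user", "delete_user", "update_user"}

def classify(log_line):
    """Return the sorted finding tags (names are this example's own) for one log line."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    script = url.path.rsplit("/", 1)[-1].lower()
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes once
    actions = {a.lower() for a in params.get("action", [])}
    findings = set()
    if script == "configure_manage.php" and "download_config" in actions:
        for raw in params.get("file", []):
            # Second decode catches double-encoded input such as %252e%252e%252f.
            name = unquote(raw).replace("\\", "/")
            if "../" in name:
                findings.add("path_traversal")
            if name.rsplit("/", 1)[-1].lower() in SENSITIVE_CONFIGS:
                # The log has no session role; correlate with session data to
                # confirm the request came from a non-admin account.
                findings.add("sensitive_config_download")
    if script == "system_manage.php" and actions & USER_ACTIONS:
        findings.add("user_management_action")
        if "9" in params.get("userlevel", []):
            findings.add("userlevel_9_requested")
    return sorted(findings)

# Constructed sample lines (not captured traffic); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2016:10:00:00 +0000] "GET /configure_manage.php?action=download_config&file=../../../../etc/passwd HTTP/1.1" 200 1432',
    '192.0.2.10 - - [01/Jan/2016:10:00:04 +0000] "GET /configure_manage.php?action=download_config&file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1432',
    '192.0.2.11 - - [01/Jan/2016:10:01:00 +0000] "GET /configure_manage.php?action=download_config&file=policy.xml HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2016:10:02:00 +0000] "GET /system_manage.php?username=viewer1&password=viewer&password=viewer&userlevel=9&action=add_user&ekey=&LActiveRow= HTTP/1.1" 200 9',
    '192.0.2.12 - - [01/Jan/2016:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), "<-", line.split('"')[1])
```

The default-credential login and '0Success1' response checks need authentication logs or response bodies, which access logs do not carry, so they are outside this block.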
CVSS provenance
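| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |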
References
- http://packetstormsecurity.com/files/135311/SeaWell-Networks-Spectrum-SDC-02.05.00-Traversal-Privilege-Escalation.html
- http://seclists.org/fulldisclosure/2016/Jan/58
- https://www.exploit-db.com/exploits/39266/