CVE-2016-0854
Published 2016-01-15
Priority: P182 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available
EPSS: 77.11% (99.5th percentile)
Unrestricted file upload vulnerability in the uploadImageCommon function in the UploadAjaxAction script in the WebAccess Dashboard Viewer in Advantech WebAccess before 8.1 allows remote attackers to write to files of arbitrary types via unspecified vectors.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advantech | webaccess | <= 8.0 | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated multipart POST requests to /WADashboard/ajax/UploadAjaxAction.aspx with actionName=uploadFile, indicating exploitation of the arbitrary file upload endpoint.
- Alert on HTTP 200 responses from UploadAjaxAction.aspx whose body contains the JSON pattern {"resStatus":"0","resString":"/..."}, confirming a successful malicious file upload.
- Monitor for GET requests to /WADashboard/<filename>.aspx immediately following a POST upload to UploadAjaxAction.aspx, indicating the attacker is triggering execution of the uploaded webshell.
- Flag the presence of the waUserName=admin cookie in requests to the UploadAjaxAction endpoint; the exploit sets this cookie without prior authentication to bypass access controls.
- Uploaded ASPX webshells will execute under the IIS AppPool high-privilege context; monitor IIS worker process (w3wp.exe) for spawning unexpected child processes after a file upload event.
- Fingerprint vulnerable installations by checking the HTTP response body for the pattern 'Software Build : 8.0-' to identify Advantech WebAccess 8.0 targets before exploitation.
- The exploit requires no authentication; the waUserName=admin cookie is set client-side by the attacker and is not validated server-side, meaning network-level controls blocking unauthenticated access to /WADashboard/ are the primary mitigation.
- The vulnerability is confirmed only against Advantech WebAccess 8.0; the Metasploit module checks for exactly version 8.0 and marks other versions as Safe, so detections should be scoped accordingly.
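
The upload, cookie and follow-up GET indicators above can be correlated over IIS W3C logs. The following is an added example, not code from this page or its sources; it assumes cookie logging (`cs(Cookie)`) is enabled, uses a hypothetical 60-second window, and suppresses pages already seen earlier in the log (an added refinement). The log lines are constructed.

```python
import re
from datetime import datetime, timedelta

UPLOAD_STEM = "/wadashboard/ajax/uploadajaxaction.aspx"
DIRECT_ASPX = re.compile(r"^/wadashboard/[^/]+\.aspx$")
ADMIN_COOKIE = re.compile(r"(?:^|;\+?)wausername=admin(?:;|$)")
WINDOW = timedelta(seconds=60)  # assumption: correlation window, tune locally

# Constructed sample log; file names and addresses are illustrative only.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Cookie)
2016-05-02 10:00:00 192.0.2.10 GET /WADashboard/home.aspx 200 ASP.NET_SessionId=abc
2016-05-02 10:00:05 198.51.100.7 POST /WADashboard/ajax/UploadAjaxAction.aspx 200 waUserName=admin
2016-05-02 10:00:09 198.51.100.7 GET /WADashboard/kq3f.aspx 200 -
2016-05-02 10:03:00 192.0.2.10 POST /WADashboard/ajax/UploadAjaxAction.aspx 200 ASP.NET_SessionId=abc;+waUserName=operator
2016-05-02 10:03:04 192.0.2.10 GET /WADashboard/home.aspx 200 ASP.NET_SessionId=abc
"""

def detect(log_text):
    """Return (client_ip, rule, uri_stem) tuples for suspicious requests."""
    fields, seen, uploads, alerts = [], set(), {}, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # honour the log's own field order
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        ip, stem = rec["c-ip"], rec["cs-uri-stem"].lower()
        if rec["cs-method"] == "POST" and stem == UPLOAD_STEM:
            uploads[ip] = ts  # remember the latest upload per client
            if ADMIN_COOKIE.search(rec.get("cs(Cookie)", "").lower()):
                alerts.append((ip, "upload-with-admin-cookie", stem))
        elif rec["cs-method"] == "GET" and DIRECT_ASPX.match(stem):
            recent = ip in uploads and ts - uploads[ip] <= WINDOW
            if recent and stem not in seen:  # page never requested before
                alerts.append((ip, "new-aspx-after-upload", stem))
        seen.add(stem)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

IIS does not log multipart bodies, so the actionName=uploadFile and resStatus indicators need a proxy, WAF or packet capture rather than this log source.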
CVSS provenance
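| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |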
GHSA
GHSA-2hxc-7g8w-hjm5: Unrestricted file upload vulnerability in the uploadImageCommon function in the UploadAjaxAction script in the WebAccess Dashboard Viewer in Advantech
ghsa_unreviewed·2022-05-17
CISA ICS
Advantech WebAccess Vulnerabilities
cisa_ics·2018-08-23
ICS Advisory
Last Revised: August 23, 2018
Alert Code: ICSA-16-014-01
## OVERVIEW
Ilya Karpov of Positive Technologies, Ivan Sanchez, Andrea Micalizzi, Ariele Caltabiano, Fritz Sands, Steven Seeley, and an anonymous researcher have identified multiple vulnerabilities in Advantech WebAccess application. Many of these vulnerabilities were reported through the Zero Day Initiative (ZDI) and iDefense. Advantech has produced a new version to mitigate these vulnerabilities. Ivan Sanchez has tested the new version to validate that it resolves the vulnerabilities which
Exploit-DB
Advantech Webaccess Dashboard Viewer - Arbitrary File Upload (Metasploit)
exploitdb·2016-04-26
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule "Advantech WebAccess Dashboard Viewer Arbitrary File Upload",
'Description' => %q{
This module exploits an arbitrary file upload vulnerability found in Advantech WebAccess 8.0.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations
of Advantech WebAccess. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the WebAccess Dashboard Viewer. Insufficient validation within
the uploadImageCommon function in the UploadAjaxAction script allows unauthenticate
```
Metasploit
Advantech WebAccess Dashboard Viewer uploadImageCommon Arbitrary File Upload
metasploit
This module exploits an arbitrary file upload vulnerability found in Advantech WebAccess 8.0. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the WebAccess Dashboard Viewer. Insufficient validation within the uploadImageCommon function in the UploadAjaxAction script allows unauthenticated callers to upload arbitrary code (instead of an image) to the server, which will then be executed under the high-privilege context of the IIS AppPool.
- http://www.rapid7.com/db/modules/exploit/windows/scada/advantech_webaccess_dashboard_file_upload
- http://www.zerodayinitiative.com/advisories/ZDI-16-127
- http://www.zerodayinitiative.com/advisories/ZDI-16-128
- http://www.zerodayinitiative.com/advisories/ZDI-16-129
- https://ics-cert.us-cert.gov/advisories/ICSA-16-014-01
- https://www.exploit-db.com/exploits/39735/
Published: 2016-01-15