cbcvebase.
CVE-2016-1608
published 2016-08-01

Priority P2 (64) · high · CVSS 3.0 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit available · EPSS 11.34% (95.4th percentile)
vaconfig/time in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ntpServer parameter.

Affected (2 ranges)

Vendor   Product   Version range   Fixed in
novell   filr      <= 1.2          1.2 Security Update 3 (per description)
novell   filr      <= 2.0          2.0 Security Update 2 (per description)

Detection & IOCs (extracted from sources)

url:  :9443/vaconfig/time
path: ../../../../etc/profile.d/vainit.sh
path: /tmp/profiledtest
path: ssf/gwt/
path: gwtTeaming.rpc
port: 9443
  • Detect POST requests to /vaconfig/time on port 9443 containing shell metacharacters (e.g. semicolons) in the ntpServer parameter, indicating command injection exploitation of CVE-2016-1608.
  • Monitor for unauthenticated GWT RPC calls to ssf/gwt/gwtTeaming.rpc attempting UploadFileBlobCmd with path traversal sequences (../../../../) in the filename field, targeting files such as /etc/profile.d/vainit.sh.
  • Alert on creation or modification of /etc/profile.d/vainit.sh on Filr appliances, as this is the target file used for persistence via the unauthenticated file overwrite vulnerability.
  • Detect session cookies (JSESSIONID) issued without the HttpOnly flag on Filr appliances; script running in the browser can then read the session ID, which enables session hijacking as part of the attack chain.
  • Monitor for the GWT policy name 338D4038939D10E7FC021BD64B318D99 appearing in HTTP traffic to Filr appliances, as it is used in exploit code targeting the unauthenticated RPC endpoint.
  • The command injection in /vaconfig/time requires authenticated access; however, the separate unauthenticated file overwrite vulnerability (#6/#7) can be chained to achieve pre-auth RCE by overwriting /etc/profile.d/vainit.sh, which is executed at root login.
  • The Jetty service passes commands to a separate root-running service; the command injection fix is in the current release, but more stringent parameter validation is deferred to a future release.
  • The HttpOnly flag issue on session cookies is NOT fixed in the Security Update 2/3 patches and will be addressed in a future release, leaving session hijacking risk residual after patching.
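The detection bullets above, turned into code as an added example (not from the CVE page and not Novell/Micro Focus code): a small Python checker that applies them to HTTP request records and Set-Cookie headers. The record layout, the sample requests and the stand-in GWT RPC body are constructed for this example; the paths, port, parameter name, persistence file and policy string come from the IOC list above.

```python
"""Checks for CVE-2016-1608 and the chained Filr file-overwrite, as written up above.

The request dicts and the GWT RPC body below are constructed for this example;
the RPC body only carries the tokens the detection rules look for, it is not a
faithful capture of the gwtTeaming.rpc wire format.
"""
import re
from urllib.parse import parse_qs, urlsplit

FILR_PORT = 9443                       # appliance config console (IOC: port 9443)
TIME_PATH = "/vaconfig/time"           # vulnerable endpoint
GWT_RPC_PATH = "ssf/gwt/gwtTeaming.rpc"  # unauthenticated RPC endpoint
GWT_POLICY = "338D4038939D10E7FC021BD64B318D99"  # policy name seen in exploit code
PERSIST_FILE = "/etc/profile.d/vainit.sh"        # overwritten for root persistence

# Characters that let the ntpServer value escape the shell command the
# appliance builds from it (the advisory names semicolons explicitly).
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")
# Two or more "../" in a row: the traversal the file-overwrite chain uses.
TRAVERSAL = re.compile(r"(?:\.\./){2,}")


def check_request(req):
    """Return alert strings for one request dict; an empty list means clean.

    req keys: method, port, path (with optional query), headers (dict), body (str).
    """
    alerts = []
    path_only = urlsplit(req["path"]).path

    # Bullet 1: authenticated command injection via ntpServer on /vaconfig/time.
    if req["port"] == FILR_PORT and req["method"] == "POST" and path_only == TIME_PATH:
        params = parse_qs(req["body"], keep_blank_values=True)  # also URL-decodes
        for value in params.get("ntpServer", []):
            if SHELL_META.search(value):
                alerts.append(f"CVE-2016-1608: shell metacharacters in ntpServer={value!r}")

    # Bullets 2 and 5: unauthenticated GWT RPC file overwrite with traversal.
    if GWT_RPC_PATH in path_only:
        body = req["body"]
        if "UploadFileBlobCmd" in body and TRAVERSAL.search(body):
            target = PERSIST_FILE if PERSIST_FILE.lstrip("/") in body else "unknown file"
            alerts.append(f"GWT UploadFileBlobCmd with path traversal (target: {target})")
        haystack = body + " " + " ".join(req.get("headers", {}).values())
        if GWT_POLICY in haystack:
            alerts.append(f"known exploit GWT policy name {GWT_POLICY} seen")
    return alerts


def check_set_cookie(set_cookie_headers):
    """Bullet 4: flag JSESSIONID cookies issued without HttpOnly.

    Worth keeping after patching, since the page says SU2/SU3 do not fix this.
    """
    alerts = []
    for header in set_cookie_headers:
        attrs = [a.strip() for a in header.split(";")]
        name = attrs[0].split("=", 1)[0]
        if name == "JSESSIONID" and not any(a.lower() == "httponly" for a in attrs[1:]):
            alerts.append("JSESSIONID set without HttpOnly")
    return alerts


def scan(requests):
    """Map request index -> alerts, only for requests that triggered something."""
    return {i: a for i, r in enumerate(requests) if (a := check_request(r))}


# Constructed sample traffic (not captured data). The command after the ';'
# is illustrative; /tmp/profiledtest is the path from the IOC list.
SAMPLE_REQUESTS = [
    {"method": "POST", "port": 9443, "path": "/vaconfig/time", "headers": {},
     "body": "ntpServer=pool.ntp.org&timezone=UTC"},                       # benign
    {"method": "POST", "port": 9443, "path": "/vaconfig/time", "headers": {},
     "body": "ntpServer=pool.ntp.org%3Bid%3E/tmp/profiledtest&timezone=UTC"},  # ';' and '>'
    {"method": "POST", "port": 8443,  # Filr web UI port assumed for this sample
     "path": "/ssf/gwt/gwtTeaming.rpc", "headers": {"X-GWT-Permutation": "deadbeef"},
     "body": "7|0|6|https://filr.example/ssf/gwt/|338D4038939D10E7FC021BD64B318D99"
             "|UploadFileBlobCmd|../../../../etc/profile.d/vainit.sh|..."},
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_REQUESTS).items():
        for line in found:
            print(f"request {idx}: {line}")
    print(check_set_cookie(["JSESSIONID=abc123; Path=/; Secure"]))
```

For bullet 3 (the file itself), a host-side watch complements this: an auditd rule such as `-w /etc/profile.d/vainit.sh -p wa -k filr_persist` records any write to or attribute change on the persistence target, independent of whether the HTTP side was logged.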

CVSS provenance

nvd  v3.0  8.8  HIGH  CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd  v2.0  9.0  HIGH  AV:N/AC:L/Au:S/C:C/I:C/A:C  (NVD's v2 scale has no Critical band; 7.0 and above is High)