CVE-2016-1608
Published 2016-08-01
Priority: P2 · 64 · CVSS 3.0: 8.8 (High)
CVSS 3.0 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 11.34% (95.4th percentile)
vaconfig/time in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the ntpServer parameter.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| novell | filr | <= 1.2 | — |
| novell | filr | <= 2.0 | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /vaconfig/time on port 9443 containing shell metacharacters (e.g. semicolons) in the ntpServer parameter, indicating command injection exploitation of CVE-2016-1608.
- Monitor for unauthenticated GWT RPC calls to ssf/gwt/gwtTeaming.rpc attempting UploadFileBlobCmd with path traversal sequences (../../../../) in the filename field, targeting files such as /etc/profile.d/vainit.sh.
- Alert on creation or modification of /etc/profile.d/vainit.sh on Filr appliances, as this is the target file used for persistence via the unauthenticated file overwrite vulnerability.
- Detect session cookies (JSESSIONID) lacking the httpOnly flag on Filr appliances, which enables session hijacking as part of the attack chain.
- Monitor for the GWT policy name 338D4038939D10E7FC021BD64B318D99 appearing in HTTP traffic to Filr appliances, as it is used in exploit code targeting the unauthenticated RPC endpoint.
- Note: the command injection in /vaconfig/time requires authenticated access; however, the separate unauthenticated file overwrite vulnerability (#6/#7) can be chained to achieve pre-auth RCE by overwriting /etc/profile.d/vainit.sh, which is executed at root login.
- Note: the Jetty service passes commands to a separate root-running service; the command injection fix is in the current release, but more stringent parameter validation is deferred to a future release.
- Note: the httpOnly flag issue on session cookies is NOT fixed in the Security Update 2/3 patches and will be addressed in a future release, leaving residual session hijacking risk after patching.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
References
- http://seclists.org/bugtraq/2016/Jul/119
- http://www.securityfocus.com/bid/92113
- https://download.novell.com/Download?buildid=3V-3ArYN85I~
- https://download.novell.com/Download?buildid=BOTiHcBFfv0~
- https://www.exploit-db.com/exploits/40161/
- https://www.novell.com/support/kb/doc.php?id=7017789