CVE-2016-3989
published 2016-07-03

Priority: P3 57 high · CVSS 3.0 base score: 8.1
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:N
EXPLOIT
EPSS: 5.09% (91.3rd percentile)
The NTP time-server interface on Meinberg IMS-LANTIME M3000, IMS-LANTIME M1000, IMS-LANTIME M500, LANTIME M900, LANTIME M600, LANTIME M400, LANTIME M300, LANTIME M200, LANTIME M100, SyncFire 1100, and LCES devices with firmware before 6.20.004 allows remote authenticated users to obtain root privileges for writing to unspecified scripts, and consequently obtain sensitive information or modify data, by leveraging access to the nobody account.

Affected

1 range

Vendor: meinberg · Product: ntp_server_firmware · Version range: <= 6.0 · Fixed in: not listed

Detection & IOCs (extracted from sources)

path: /cgi-bin/main
path: /www/filetmp
path: /mnt/flash/config/user_defined_notification
path: /tmp/foo
command: cp /mnt/flash/config/user_defined_notification /www/filetmp; echo "{rm,/tmp/foo};{mkfifo,/tmp/foo};/bin/bash/tmp/foo;" >> /www/filetmp
command: killall main
  • Detect oversized POST body to /cgi-bin/main: the exploit sends a 'button=' parameter padded with ~10028+ 'A' bytes, far exceeding any legitimate value, indicating a stack-based buffer overflow attempt.
  • Alert on POST requests to /cgi-bin/main with Content-Type: application/x-www-form-urlencoded whose Content-Length exceeds ~10000 bytes, as the exploit payload is consistently above this threshold.
  • Monitor for creation of or writes to /www/filetmp on Meinberg NTP appliances, as the exploit stages a reverse shell payload there.
  • Detect mkfifo usage on /tmp/foo followed by /bin/bash reading from it, which is the reverse shell mechanism used by the exploit.
  • The exploit binary addresses (system, exit, some_str, stack_pivot, ROP gadgets) are hardcoded for firmware ELX800/GPS M4x V5.30p only; they will not be valid for other firmware versions or device models.
  • CVE-2016-3989 affects firmware versions 6.0 and earlier across all listed Meinberg device families; firmware 6.20.004 is the patched version.
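The two network-side indicators above (an oversized form POST to /cgi-bin/main and a 'button=' value padded with thousands of identical bytes) and the host-side fifo/bash indicator can be turned into simple detection logic. The following is an added example written for this page; it is not code from cbcvebase or from Meinberg. The thresholds come from the bullets above, the sample requests and command lines are constructed for the example, and the function and rule names are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Thresholds taken from the detection notes: the exploit's Content-Length is
# consistently above ~10000 bytes and 'button=' is padded with ~10028+ 'A' bytes.
CONTENT_LENGTH_THRESHOLD = 10000
PADDED_PARAM_THRESHOLD = 10000
TARGET_PATH = "/cgi-bin/main"
FORM_TYPE = "application/x-www-form-urlencoded"


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict
    body: str


def parse_http_request(raw: str) -> HttpRequest:
    """Parse a raw HTTP/1.1 request: request line, headers, blank line, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def padded_param_length(body: str, name: str = "button") -> int:
    """Longest run of one repeated character inside the named form parameter (0 if absent)."""
    m = re.search(rf"(?:^|&){re.escape(name)}=([^&]*)", body)
    if not m:
        return 0
    value = m.group(1)
    return max((len(run.group(0)) for run in re.finditer(r"(.)\1*", value)), default=0)


def detect_cgi_overflow(raw: str) -> list:
    """Return the names of the detection rules that fire for one raw request."""
    req = parse_http_request(raw)
    hits = []
    if req.method != "POST" or req.path != TARGET_PATH:
        return hits
    ctype = req.headers.get("content-type", "")
    try:
        clen = int(req.headers.get("content-length", "0"))
    except ValueError:
        clen = len(req.body)  # fall back to the observed body size on a malformed header
    if ctype.startswith(FORM_TYPE) and clen > CONTENT_LENGTH_THRESHOLD:
        hits.append("oversized-form-post")
    if padded_param_length(req.body) >= PADDED_PARAM_THRESHOLD:
        hits.append("padded-button-param")
    return hits


def detect_fifo_shell(commands: list) -> bool:
    """True if a command sequence creates a fifo under /tmp and then runs /bin/bash on it.

    Accepts both the plain 'mkfifo /tmp/x' form (as an audit log would record it)
    and the brace-expansion form '{mkfifo,/tmp/x}' quoted in the staged payload.
    """
    fifos = set()
    for cmd in commands:
        m = re.search(r"mkfifo[ ,]+(/tmp/[^\s;}]+)", cmd)
        if m:
            fifos.add(m.group(1))
        if "/bin/bash" in cmd and any(f in cmd for f in fifos):
            return True
    return False


# Constructed samples (not captured traffic): a benign form post and a padded one.
BENIGN = ("POST /cgi-bin/main HTTP/1.1\r\nHost: lantime.example\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 21\r\n\r\n"
          "button=Save&page=main")
PADDED_BODY = "button=" + "A" * 10028
SUSPICIOUS = ("POST /cgi-bin/main HTTP/1.1\r\nHost: lantime.example\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n"
              f"Content-Length: {len(PADDED_BODY)}\r\n\r\n" + PADDED_BODY)

if __name__ == "__main__":
    print("benign:", detect_cgi_overflow(BENIGN))
    print("suspicious:", detect_cgi_overflow(SUSPICIOUS))
    print("fifo shell:", detect_fifo_shell(["rm /tmp/foo", "mkfifo /tmp/foo", "/bin/bash </tmp/foo"]))
```

The request rules are independent so that a proxy that only logs headers can still use the Content-Length rule, while a sensor that sees the body can add the padded-parameter rule; the fifo rule is meant to run over process-creation or audit records rather than web logs.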

CVSS provenance

nvd · v3.0 · 8.1 HIGH · CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
nvd · v2.0 · 8.5 HIGH · AV:N/AC:L/Au:S/C:C/I:C/A:N