CVE-2016-6255
published 2017-03-07


Priority: P1 79 high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Tags: ITW, Exploit, VulnCheck KEV (exploited in the wild)
EPSS: 26.82% (97.8th percentile)
Portable UPnP SDK (aka libupnp) before 1.6.21 allows remote attackers to write to arbitrary files in the webroot via a POST request without a registered handler.

Affected

4 ranges

Vendor | Product | Version range | Fixed in
debian | debian_linux | |
libupnp_project | libupnp | <= 1.6.20 |
libupnp_project | libupnp | >= 0 < 1:1.6.17-1.2+deb7u1build0.14.04.1 | 1:1.6.17-1.2+deb7u1build0.14.04.1
libupnp_project | libupnp | >= 0 < 1:1.6.19+git20160116-1ubuntu0.1~esm1 | 1:1.6.19+git20160116-1ubuntu0.1~esm1

Detection & IOCs (extracted from sources)

path: /upnp/control/hag
path: /z3n.html
port: 49451
port: 1270
url: http://192.168.1.217:49153/danger_zone
path: /usr/share/mediatomb/web/danger_zone
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MiCasaVerde VeraLite - Remote Code Execution Inbound (CVE-2016-6255)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upnp/control/hag"; startswith; endswith; fast_pattern; http.request_header; header_lowercase; content:"soapaction|3a 20|"; content:"urn|3a|schemas-micasaverde-org|3a|service|3a|HomeAutomationGateway|3a|1|23|RunLua"; within:67; http.request_body; content:"|3c|Code|3e|os|2e|execute|28 60|"; reference:cve,CVE-2019-12780; reference:md5,d6ebabf44849951d754ee2de15a24b92; reference:url,blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html; classtype:attempted-admin; sid:2027489; rev:7; metadata:attack_target IoT, created_at 2019_06_18, deployment Perimeter, malware_family Mirai, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2024_05_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Detect unauthenticated HTTP POST requests to a libupnp webroot path with no registered handler — the core primitive of CVE-2016-6255. The Snort/Suricata rule keys on POST to /upnp/control/hag with a SOAPAction header containing 'urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua' and a body containing the byte pattern |3c|Code|3e|os|2e|execute|28 60| (i.e., <Code>os.execute(`).
  • Monitor for unexpected files appearing under the libupnp/mediatomb webroot (e.g., /usr/share/mediatomb/web/) following an inbound POST request — a direct indicator of successful CVE-2016-6255 exploitation.
  • The reverse-shell payload uses mkfifo + netcat; look for process creation of 'mkfifo /tmp/a' or 'nc <ip> 1270' spawned from a UPnP service process as a post-exploitation indicator.
  • The exploit uses the WebRTC internal IP leak (RTCPeerConnection with empty iceServers) to enumerate LAN hosts before targeting them — browser-side WebRTC ICE candidate generation with no STUN/TURN server is a client-side indicator of the recon phase.
  • Nessus plugin 93911 can be used to actively test for the VeraLite RunLua vulnerability chained with CVE-2016-6255; plugin 94047 (UPnP API Listing) enumerates exposed UPnP actions.
  • The vulnerability allows writing files to the webroot as root in default configurations (e.g., Ubuntu mediatomb install), meaning the impact is elevated when the UPnP service runs with root privileges.
  • The Snort rule (sid:2027489) cross-references CVE-2019-12780 in addition to CVE-2016-6255, indicating it was later updated to cover Mirai/Echobot exploitation of the same endpoint; defenders should treat matches as potentially attributable to either CVE.
  • No solution existed at time of the exploit-db publication for the VeraLite device specifically; mitigation requires restricting network access to the UPnP server port rather than patching the device.
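The rule conditions summarised in the first bullet, applied to raw HTTP requests as an added example (this is not code from the page, from the rule's author, or from libupnp). The sample requests are constructed; reading `within:67` as "the 66-byte URN must end within 67 bytes after `soapaction: `" is this example's interpretation of the rule, not a statement taken from the page.

```python
"""Matcher for the libupnp / VeraLite RunLua detection described above.
Added example, not from the page or the rule's author: it applies the
conditions of Snort sid:2027489 to raw HTTP/1.x requests."""

RULE_URI = "/upnp/control/hag"
RUNLUA_URN = "urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua"
BODY_PATTERN = b"<Code>os.execute(`"  # |3c|Code|3e|os|2e|execute|28 60|


def parse_request(raw: bytes):
    """Split a raw request into (method, uri, headers, body); header names lowercased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    method = parts[0].decode(errors="replace") if parts else ""
    uri = parts[1].decode(errors="replace") if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if value.startswith(b" "):  # keep the value as sent, minus the one separator space
            value = value[1:]
        headers[name.strip().lower().decode(errors="replace")] = value.decode(errors="replace")
    return method, uri, headers, body


def matches_runlua_rule(raw: bytes) -> dict:
    """Return each rule condition's result plus an overall 'alert' verdict."""
    method, uri, headers, body = parse_request(raw)
    soapaction = headers.get("soapaction", "")
    checks = {
        "post": method == "POST",
        # startswith + endswith on http.uri means the URI is exactly this path.
        "uri": uri == RULE_URI,
        # within:67 after "soapaction: ": the 66-byte URN must end inside the
        # next 67 bytes, which tolerates exactly one leading quote character.
        "soapaction": RUNLUA_URN in soapaction[:67],
        "body": BODY_PATTERN in body,
    }
    checks["alert"] = all(checks.values())
    return checks


# Constructed sample requests (not captured traffic); host and port are the page's IOCs.
MATCHING = (
    b"POST /upnp/control/hag HTTP/1.1\r\nHost: 192.168.1.217:49451\r\n"
    b'SOAPAction: "urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua"\r\n'
    b"\r\n<Code>os.execute(`...`)</Code>"
)
# Same action with a body that lacks the os.execute pattern: the rule stays quiet.
BENIGN = MATCHING.replace(b"os.execute(`...`)", b"return 1")
```

Only requests that satisfy all four conditions set `alert`; the per-condition results show which part of a near-miss failed, which helps when tuning or extending the rule.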

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N
osv | | 7.5 | HIGH |
vulncheck | | 7.5 | HIGH |
vendor_ubuntu | | 7.5 | HIGH |