CVE-2016-9091
Published 2017-04-05
CVE-2016-9091: Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content Analysis System (CAS) 1.3 before 1.3.7.4 are susceptible to an OS command injection…
Priority P3 · 54 · high · 7.2 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit available
EPSS 10.13% (95.1th percentile)
Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content Analysis System (CAS) 1.3 before 1.3.7.4 are susceptible to an OS command injection vulnerability. An authenticated malicious administrator can execute arbitrary OS commands with elevated system privileges.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bluecoat | advanced_secure_gateway | <= 6.6.5.2 | 6.6.5.4 (per advisory SA138) |
| bluecoat | content_analysis_system_software | <= 1.3.7.3 | 1.3.7.4 (per advisory SA138) |
| symantec_corporation | blue_coat_asg | — | — |
| symantec_corporation | blue_coat_cas | — | — |
The NVD CPE upper bounds (6.6.5.2, 1.3.7.3) sit below the fixed builds the advisory names (6.6.5.4, 1.3.7.4); when triaging, treat any ASG 6.6 build below 6.6.5.4 and any CAS 1.3 build below 1.3.7.4 as affected, as the description states.
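A version gate that follows the advisory's ranges rather than a single build string, added here as an example; it is not code from the page, the vendor, or the Metasploit module. The product keys "cas" and "asg", the function names, and the sample inventory are this example's own assumptions; the ranges themselves are the ones the advisory text above gives.

```python
from typing import Optional, Tuple

# Vulnerable branch prefix and first fixed build for each product, taken from
# the advisory text quoted on this page (SA138): CAS 1.3 before 1.3.7.4 and
# ASG 6.6 before 6.6.5.4. The product keys are this example's own naming.
FIXED_IN = {
    "cas": ((1, 3), (1, 3, 7, 4)),
    "asg": ((6, 6), (6, 6, 5, 4)),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.3.7.1' -> (1, 3, 7, 1). Numeric tuples compare correctly, so
    1.3.7.10 sorts after 1.3.7.4 (a plain string compare would get that wrong)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """True if the build is inside the vulnerable range, False if at or past the
    fix, None if the build is on a branch the advisory does not cover."""
    branch, fixed = FIXED_IN[product.lower()]
    v = parse_version(version)
    if v[: len(branch)] != branch:
        return None
    return v < fixed


def triage(product: str, version: str) -> str:
    """One-line verdict suitable for an inventory report."""
    verdict = is_vulnerable(product, version)
    if verdict is None:
        return f"{product} {version}: branch not covered by SA138, check vendor"
    return f"{product} {version}: {'VULNERABLE' if verdict else 'fixed'}"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for product, version in [("cas", "1.3.7.1"), ("cas", "1.3.7.3"), ("cas", "1.3.7.4"),
                             ("cas", "1.3.7.10"), ("asg", "6.6.5.2"), ("asg", "6.6.5.4"),
                             ("asg", "6.7.1.1")]:
        print(triage(product, version))
```

Returning None for an uncovered branch (for instance a 6.7.x ASG build) is deliberate: a scanner that silently reports "fixed" for a branch it knows nothing about is the same failure mode as a check() that only recognises 1.3.7.1.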
Detection & IOCs (extracted from sources)
Rule (Emerging Threats sid 2024234, Suricata syntax):
alert http any any -> $HOME_NET 8082 (msg:"ET EXPLOIT BlueCoat CAS v1.3.7.1 Report Email Command Injection attempt"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/report-email/send"; nocase; http.request_body; content:"/dev-report-overview.html"; nocase; content:"|3B|"; distance:0; pcre:"/\/dev-report-overview\.html[^\"]*?\x3b/i"; reference:cve,2016-9091; reference:url,www.exploit-db.com/exploits/41785/; reference:url,bto.bluecoat.com/security-advisory/sa138; classtype:web-application-attack; sid:2024234; rev:4; metadata:affected_product HTTP_Server, attack_target Web_Server, created_at 2017_04_21, cve CVE_2016_9091, deployment Internal, performance_impact Moderate, confidence High, signature_severity Major, updated_at 2024_03_07, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
- Network: detect POST requests to /report-email/send on port 8082 whose body contains '/dev-report-overview.html' followed by a semicolon (0x3B), the injection point for CVE-2016-9091.
- Host: monitor for sudo execution of mv_troubleshooting.sh or flush_dns.sh by the 'tomcat' user, which indicates the local privilege-escalation stage of the exploit chain.
- Recon: alert on unauthenticated GET requests to /avenger/rest/version; the Metasploit module's check() uses it to fingerprint vulnerable CAS versions before launching the attack.
- Pre-exploitation: the exploit authenticates against the CAS ticket-granting service at /cas/v1/tickets and then redeems the ticket at /avenger/j_spring_cas_security_check; a sequential POST then GET to these endpoints from one source IP is a strong pre-exploitation signal.
- Post-exploitation: the privilege-escalation stage requires a session already running as user 'tomcat'; treat process spawning (shell, meterpreter) from the tomcat UID on Blue Coat appliances as a post-exploitation indicator.
Caveats from the sources:
- The Metasploit module's check() hard-codes the vulnerable version as '1.3.7.1' read from /etc/clp-release; the actual vulnerable range is CAS 1.3 prior to 1.3.7.4 and ASG 6.6 prior to 6.6.5.4, so the module can miss other vulnerable builds.
- The OS command injection requires an authenticated session with 'administrator' group privileges; users in the 'Readonly' group cannot exploit it.
- The privilege-escalation module requires a pre-existing tomcat-level shell session and sudo access for the tomcat user to mv_troubleshooting.sh; it is a post-exploitation module, not a standalone RCE.
- The exploit module notes inconsistent timing behaviour that may cause failures: 'Exploit failed: Rex::TimeoutError Operation timed out.'
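The network and host checks from the list above, run over constructed samples, as an added example (not code from the page, Emerging Threats, or the Metasploit module). The HTTP check mirrors the conditions of sid 2024234 on the raw body; the sudo check parses standard sudo syslog lines. The JSON body shape, the script paths under /usr/local/bin, the hostnames and the log lines are all assumptions made for the sample, since the page names the endpoints and scripts but not their exact wire format or location.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# --- Network side: a mirror of ET sid 2024234 -------------------------------
# POST to /report-email/send on tcp/8082 whose raw body contains
# '/dev-report-overview.html' followed, before any double quote, by ';' (0x3b).
INJECTION_RE = re.compile(r'/dev-report-overview\.html[^"]*?\x3b', re.IGNORECASE)


@dataclass
class HttpRequest:
    dst_port: int
    method: str
    uri: str
    body: str  # raw request body, as Suricata's http.request_body buffer sees it


def matches_report_email_injection(req: HttpRequest) -> bool:
    """Return True only when every condition of the rule holds."""
    if req.dst_port != 8082:
        return False
    if req.method.upper() != "POST":
        return False
    if "/report-email/send" not in req.uri.lower():
        return False
    return INJECTION_RE.search(req.body) is not None


# --- Host side: sudo log lines for the privilege-escalation stage -----------
# Standard sudo syslog format. The page names the scripts, not their paths, so
# the scripts are matched by basename and the paths in the sample are assumed.
SUDO_LINE_RE = re.compile(r"sudo:\s+(?P<user>\S+)\s+:\s.*?COMMAND=(?P<cmd>\S+)")
WATCHED_SCRIPTS = {"mv_troubleshooting.sh", "flush_dns.sh"}


def suspicious_sudo_events(log_text: str) -> List[Dict[str, str]]:
    """Return the sudo events in which 'tomcat' ran one of the watched scripts."""
    hits = []
    for line in log_text.splitlines():
        m = SUDO_LINE_RE.search(line)
        if m is None:
            continue
        script = os.path.basename(m.group("cmd"))
        if m.group("user") == "tomcat" and script in WATCHED_SCRIPTS:
            hits.append({"user": m.group("user"), "script": script, "line": line})
    return hits


# Constructed samples (not captures); the JSON field names are an assumption.
SAMPLE_REQUESTS = [
    HttpRequest(8082, "POST", "/report-email/send",
                '{"recipients":"ops@example.test","report":"/dev-report-overview.html;id>/tmp/o"}'),
    HttpRequest(8082, "POST", "/report-email/send",
                '{"recipients":"ops@example.test","report":"/dev-report-overview.html"}'),
    HttpRequest(443, "POST", "/report-email/send",
                '{"report":"/dev-report-overview.html;id"}'),
]

SAMPLE_SUDO_LOG = """\
Apr  3 10:15:02 cas sudo:   tomcat : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/bin/mv_troubleshooting.sh /tmp/x /etc/x
Apr  3 10:15:40 cas sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/ls
Apr  3 10:16:11 cas sudo:   tomcat : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/bin/flush_dns.sh
"""

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.dst_port, req.uri, "ALERT" if matches_report_email_injection(req) else "ok")
    for ev in suspicious_sudo_events(SAMPLE_SUDO_LOG):
        print("sudo privesc indicator:", ev["user"], ev["script"])
```

Two practical notes. The rule, and this mirror of it, inspect the raw body: a form-encoded request in which '/' and ';' arrive percent-escaped would not fire either one, so confirm the appliance's actual request encoding before trusting the signature as your only control. The third sample (same body, port 443) is a reminder that the rule is pinned to 8082; if the management console is reachable on another port in your deployment, widen the port list rather than assuming coverage.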
CVSS provenance
NVD v3.0: 7.2 HIGH (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 9.0 HIGH (AV:N/AC:L/Au:S/C:C/I:C/A:C)
The v3 vector's PR:H reflects that the injection needs an authenticated administrator, which is why the v3 base score is lower than the v2 score; NVD's v2 scale has no "critical" band, so 9.0 rates as HIGH there.
Suricata · 2017-04-21
ET EXPLOIT BlueCoat CAS v1.3.7.1 Report Email Command Injection attempt (sid 2024234); the full rule is reproduced under Detection & IOCs above.
Exploit-DB · 2017-04-03
Bluecoat ASG 6.6/CAS 1.3 - Local Privilege Escalation (Metasploit)
---
# Exploit Title: OS Command Injection Vulnerability in BlueCoat ASG and CAS
# Date: April 3, 2017
# Exploit Authors: Chris Hebert, Peter Paccione and Corey Boyd
# Contact: chrisdhebert[at]gmail.com
# Vendor Security Advisory: https://bto.bluecoat.com/security-advisory/sa138
# Version: CAS 1.3 prior to 1.3.7.4 & ASG 6.6 prior to 6.6.5.4 are vulnerable
# Tested on: BlueCoat CAS 1.3.7.1
# CVE : cve-2016-9091
Timeline:
08/31/2016 (Vulnerabilities Discovered)
03/31/2017 (Final Vendor Patch Confirmed)
04/03/2017 (Public Release)
Description:
The BlueCoat ASG and CAS management consoles are susceptible to a privilege escalation vulnerability.
A malicious user with tomcat privileges can escalate to root via the vulnerable mvt
Exploit-DB · 2017-04-03
Bluecoat ASG 6.6/CAS 1.3 - OS Command Injection (Metasploit)
---
# Exploit Title: OS Command Injection Vulnerability in BlueCoat ASG and CAS
# Date: April 3, 2017
# Exploit Authors: Chris Hebert, Peter Paccione and Corey Boyd
# Contact: chrisdhebert[at]gmail.com
# Vendor Security Advisory: https://bto.bluecoat.com/security-advisory/sa138
# Version: CAS 1.3 prior to 1.3.7.4 & ASG 6.6 prior to 6.6.5.4 are vulnerable
# Tested on: BlueCoat CAS 1.3.7.1
# CVE : cve-2016-9091
Timeline:
08/31/2016 (Vulnerabilities Discovered)
03/31/2017 (Final Vendor Patch Confirmed)
04/03/2017 (Public Release)
Description:
The BlueCoat ASG and CAS management consoles are susceptible to an OS command injection vulnerability.
An authenticated malicious administrator can execute arbitrary OS commands with the pri
References
- http://www.securityfocus.com/bid/97372
- https://bto.bluecoat.com/security-advisory/sa138
- https://www.exploit-db.com/exploits/41785/
- https://www.exploit-db.com/exploits/41786/