CVE-2016-9349
published 2017-02-13

Priority: P3 (57), high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit: available
EPSS: 7.88% (94.0th percentile)
An issue was discovered in Advantech SUISAccess Server Version 3.0 and prior. An attacker could traverse the file system and extract files that can result in information disclosure.

Affected (1 range)

Vendor      Product      Version range   Fixed in
advantech   susiaccess   <= 3.0          (none listed)

Detection & IOCs (extracted from sources)

url: /downloadCSV.jsp?file=
port: 8080
path: ../../../../../../../../../../Program%20Files\Advantech\SUSIAccess%203.0%20Server\Setting.xml
filename: Setting.xml
filename: update.zip
url: http://<target>:8080/downloadCSV.jsp?file=../../../../../../../../../../Program%20Files\Advantech\SUSIAccess%203.0%20Server\Setting.xml
url: http://<target>:8080/frmServer.jsp?d=<date>
url: http://<target>:8080/webresources/AccountMgmt/Login
cookie: deviceType=pc; log4jq=OFF; selectedLang=en_US;
  • Detect directory traversal attempts against the /downloadCSV.jsp endpoint using repeated '../' sequences in the 'file' parameter, particularly with a leading '/' followed by multiple '../' repetitions.
  • Monitor HTTP GET requests to /downloadCSV.jsp on port 8080 with a 'file' parameter containing path traversal sequences ('../') or URL-encoded equivalents ('%2F', '%2E%2E').
  • Alert on HTTP POST requests to /webresources/AccountMgmt/Login on port 8080 with both 'Authorization: Basic' and 'X-Requested-With: XMLHttpRequest' headers, which is the login step of the exploit chain.
  • Detect multipart/form-data file upload requests to the SUSIAccess server on port 8080 containing a zip file named 'update.zip', which is the malicious zip used in the exploit.
  • Flag retrieval of Setting.xml via the /downloadCSV.jsp traversal path, as it contains encrypted admin credentials that can be reversed due to a static hard-coded key.
  • Monitor for zip files containing entries with leading '../' path traversal sequences (zip-slip pattern), specifically targeting the AcronisInstaller.exe filename placed at traversal depth of 10 levels.
  • The traversal depth defaults to 10 levels ('/' + '../' * 10), but the DEPTH option is configurable by the attacker, so traversal sequences of any length should be detected, not only the default depth.
  • The default target file is 'boot.ini', but the FILE option is fully attacker-controlled, so any file path may appear in the traversal request; do not rely on specific filenames for detection.
  • The admin password is encrypted with a static hard-coded key, so any attacker who retrieves Setting.xml via the traversal vulnerability can decrypt the admin credentials offline.
  • Spaces in file paths are URL-encoded as '%20' by the exploit before being sent in the request URI, so matching should account for both literal spaces and the encoded form.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.0      7.5     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd      v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N