CVE-2016-9683
Published 2017-02-22
Priority: P2 · 74 · Severity: critical · CVSS 3.0 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available
EPSS: 11.55% (95.5th percentile)
The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vulnerable to remote command injection in its web administrative interface. The flaw is in the 'extensionsettings' CGI (/cgi-bin/extensionsettings), which handles some of the server's internal configuration. When the CGI processes a particular multipart form request involving scripts, it does not escape the data it is handed: the filename attribute of the 'scriptname' form part is read unsanitized and then passed to a system() call, allowing remote command injection. Successful exploitation yields shell access on the appliance as the 'nobody' user account. This is SonicWall Issue ID 181195 (CWE-77, improper neutralization of special elements used in a command).
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dell | sonicwall_secure_remote_access_server | 8.1.0.2-14sv (per the CVE description) | not stated by NVD; the issue is listed under resolved issues in the SMA 100 series 8.1.0.7 release notes (see references) |
Detection & IOCs (extracted from the linked sources)
- Monitor HTTP POST requests to /cgi-bin/userLogin followed by GET requests to /cgi-bin/diagnostics carrying pipe characters (|) in the 'currentTSREmailTo' parameter, the command injection vector used by the public PoC.
- Detect multipart form POST requests to /cgi-bin/extensionsettings whose 'scriptname' part carries a filename containing shell metacharacters; that filename is passed directly to system().
- Alert on creation or execution of /tmp/qq, /tmp/n or /tmp/m on SonicWall SRA appliances; the PoC uses these paths to stage and execute payloads.
- Look for URL-encoded shell commands in HTTP GET parameters to /cgi-bin/diagnostics, in particular 'chmod%20777' and 'sh%20/tmp/', which indicate in-band command execution.
- Track the 'swap' session cookie issued by /cgi-bin/userLogin; its use in requests to /cgi-bin/diagnostics with pipe-delimited injection payloads is a strong exploitation indicator.
Notes:
- The PoC is post-authentication: it needs valid credentials (default username 'admin') before the injection can be triggered, so detections should look for a preceding successful login to /cgi-bin/userLogin. This is at odds with the NVD CVSS 3.0 vector (PR:N); treat the score as an upper bound and the login as a reliable precursor.
- The /cgi-bin/diagnostics indicators come from the PoC's own chain; the vector this CVE describes is the 'scriptname' filename in /cgi-bin/extensionsettings. Cover both paths.
- Exploitation yields shell access only as the 'nobody' user, not root, unless a separate privilege escalation (the PoC tries sudo /bin/rm) also succeeds.
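The following is an added example, not SonicWall's CGI code and not the public PoC. Python stands in for the appliance's C CGI to show the bug class from the description (the 'scriptname' part's filename spliced into a system() command string) beside a hardened form (basename, allowlist, argv without a shell), and then runs the detection indicators listed above over constructed request records. The upload/destination paths, the request-record layout, the 'x; id' filename and the sample traffic are assumptions for illustration; the CGI paths, parameter names, cookie name and /tmp staging paths are the ones on this page.

```python
"""Added example for CVE-2016-9683 (not SonicWall code, not the public PoC).
Paths and sample values beyond those on the page are assumptions."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote

# Pulls the filename attribute of the 'scriptname' part out of a multipart body.
FILENAME_RE = re.compile(r'name="scriptname"[^\r\n]*?filename="([^"]*)"')


def multipart_scriptname_filename(body: str) -> Optional[str]:
    m = FILENAME_RE.search(body)
    return m.group(1) if m else None


# --- the flaw, modelled, and a hardened form ----------------------------------
def vulnerable_command(filename: str) -> str:
    """Mirrors the bug class: the attacker-controlled filename is spliced into a
    shell command string that system() would execute. Returned, never run.
    The upload and destination directories are made-up paths."""
    return f"cp /tmp/upload/{filename} /usr/local/scripts/{filename}"


# Hardened: basename only, strict allowlist, and an argv list so that
# execve()/subprocess.run(shell=False) never hands the name to a shell.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def script_basename(filename: str) -> str:
    return filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]


def is_safe_script_name(filename: str) -> bool:
    base = script_basename(filename)
    return base not in ("", ".", "..") and SAFE_NAME.fullmatch(base) is not None


def safe_script_argv(filename: str) -> list:
    if not is_safe_script_name(filename):
        raise ValueError(f"rejected script name: {filename!r}")
    base = script_basename(filename)
    return ["cp", f"/tmp/upload/{base}", f"/usr/local/scripts/{base}"]


# --- detection over request records --------------------------------------------
STAGING_RE = re.compile(r"/tmp/(?:qq|n|m)\b")       # staging paths named on the page
INBAND_PATTERNS = ("chmod 777", "sh /tmp/")          # decoded chmod%20777, sh%20/tmp/


def detect(requests):
    """requests: dicts with src, method, path, query, cookies, body, one per HTTP
    request in arrival order. Returns one finding per matched rule, tagged with
    whether the source already completed a POST to /cgi-bin/userLogin and which
    'swap' session cookie it presented."""
    findings, logged_in = [], set()
    for i, r in enumerate(requests):
        method, path = r["method"], r["path"]
        if method == "POST" and path == "/cgi-bin/userLogin":
            logged_in.add(r["src"])
            continue
        params = {k: v[0] for k, v in
                  parse_qs(r.get("query", ""), keep_blank_values=True).items()}
        decoded = unquote(r.get("query", "")) + r.get("body", "")
        rules = []
        if method == "GET" and path == "/cgi-bin/diagnostics":
            if "|" in params.get("currentTSREmailTo", ""):
                rules.append("diagnostics-pipe")
            if any(p in decoded for p in INBAND_PATTERNS):
                rules.append("inband-exec")
        if method == "POST" and path == "/cgi-bin/extensionsettings":
            fname = multipart_scriptname_filename(r.get("body", ""))
            if fname is not None and not is_safe_script_name(fname):
                rules.append("extensionsettings-filename")
        if STAGING_RE.search(decoded):
            rules.append("staging-path")
        for rule in rules:
            findings.append({"index": i, "rule": rule, "src": r["src"],
                             "authenticated": r["src"] in logged_in,
                             "session": r.get("cookies", {}).get("swap")})
    return findings


# Constructed sample traffic (not captured data): a login, an in-band diagnostics
# injection, a hostile scriptname filename, and a benign upload from another host.
SAMPLE = [
    {"src": "10.0.0.5", "method": "POST", "path": "/cgi-bin/userLogin", "query": "",
     "cookies": {}, "body": "username=admin&password=REDACTED"},
    {"src": "10.0.0.5", "method": "GET", "path": "/cgi-bin/diagnostics",
     "query": "currentTSREmailTo=a%7Cchmod%20777%20%2Ftmp%2Fqq%7Csh%20%2Ftmp%2Fqq",
     "cookies": {"swap": "deadbeef"}, "body": ""},
    {"src": "10.0.0.5", "method": "POST", "path": "/cgi-bin/extensionsettings",
     "query": "", "cookies": {"swap": "deadbeef"},
     "body": '--b\r\nContent-Disposition: form-data; name="scriptname"; '
             'filename="x; id"\r\n\r\n#!/bin/sh\r\n--b--\r\n'},
    {"src": "10.0.0.9", "method": "POST", "path": "/cgi-bin/extensionsettings",
     "query": "", "cookies": {"swap": "cafe"},
     "body": '--b\r\nContent-Disposition: form-data; name="scriptname"; '
             'filename="backup.sh"\r\n\r\n#!/bin/sh\r\n--b--\r\n'},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE):
        print(finding)
```

Run stand-alone it prints four findings: three against the diagnostics request (pipe in currentTSREmailTo, decoded chmod 777 and sh /tmp/, and the /tmp/qq staging path) and one against the hostile extensionsettings upload; the benign 'backup.sh' upload is not flagged. Each finding records that the source had already logged in and which 'swap' cookie it carried, which is the precursor the notes above ask detections to confirm. The hardened path rejects 'x; id' outright and never builds a shell string, which is the property the original CGI lacked.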
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Sources
- SonicWall vendor advisory (vendor_sonicwall), published 2017-02-22, CVSS 9.8, CWE-77: description as above.
- GHSA-gmgj-6mhv-x5q4 (GitHub Advisory Database, unreviewed), published 2022-05-14, CWE-77: description as above.
No detection rules found.
No writeups or analysis indexed.
References
- http://documents.software.dell.com/sonicwall-sma-100-series/8.1.0.7/release-notes/resolved-issues?ParentProduct=868
- http://pastebin.com/eJbeXgBr
- http://www.securityfocus.com/bid/96375
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2016-0004