CVE-2016-9683
published 2017-02-22


CVSS 3.0: 9.8 critical (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 11.55% (95.5th percentile)
The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vulnerable to remote command injection in its web administrative interface. The flaw is in the 'extensionsettings' CGI (/cgi-bin/extensionsettings), which handles some of the server's internal configuration. The CGI does not properly escape the data it is passed when processing a particular multipart form request involving scripts: the filename of the 'scriptname' form field is read unsanitized and used in a call to system(), allowing remote command injection. Exploitation yields shell access on the appliance as the 'nobody' user. This is SonicWall Issue ID 181195.

Affected (1 range)

Vendor: dell
Product: sonicwall_secure_remote_access_server
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /cgi-bin/extensionsettings
path: /cgi-bin/userLogin
path: /cgi-bin/diagnostics
cookie: swap=<token>
path: /tmp/qq
path: /tmp/n
path: /tmp/m
command: chmod%20777%20/tmp/qq;sh%20/tmp/qq
command: currentTSREmailTo=|<cmd>|x&tsrEmailCurrent=true
port: 443
  • Monitor HTTP POST requests to /cgi-bin/userLogin followed by GET requests to /cgi-bin/diagnostics with pipe characters (|) in the 'currentTSREmailTo' parameter; that parameter is the command injection vector in the public exploit chain.
  • Detect multipart form POST requests to /cgi-bin/extensionsettings whose 'scriptname' part carries a filename with shell metacharacters; the filename is passed unsanitized to system().
  • Alert on creation or execution of /tmp/qq, /tmp/n, or /tmp/m on SonicWall SRA appliances; these are the staging paths the exploit uses to write and execute payloads.
  • Look for URL-encoded shell commands in HTTP GET parameters to /cgi-bin/diagnostics, specifically patterns such as 'chmod%20777' and 'sh%20/tmp/', which indicate in-band command execution.
  • Track the 'swap' session cookie issued by /cgi-bin/userLogin; its subsequent use in requests to /cgi-bin/diagnostics carrying pipe-delimited injection payloads is a strong exploitation indicator.
  • The exploit chain is post-authentication: it needs valid credentials (default username 'admin') before the injection can be triggered, so detection should account for a preceding successful login to /cgi-bin/userLogin. Note that the NVD CVSS 3.0 vector in the provenance section scores this as PR:N; do not let that score cause you to discard the login step when building the detection.
  • Exploitation yields shell access only as the 'nobody' user, not root, unless a separate privilege escalation (e.g. sudo /bin/rm) also succeeds.
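The detection bullets above, turned into a small runnable check. This is an added example, not SonicWall code, a vendor rule, or anything from the original page. It assumes a constructed, simplified access-log line shape of `<client_ip> <METHOD> <target> <status> <swap-cookie or ->` (real appliance logs will differ and need their own parser), plus a constructed multipart body for the extensionsettings vector; the function names (`analyze`, `injected_command`, `scriptname_filenames_with_metachars`) are this example's own.

```python
"""Flag the CVE-2016-9683 exploitation chain in (constructed) web logs.

Added example; not vendor code. Log line shape assumed here:
    <client_ip> <METHOD> <path[?query]> <status> <swap-cookie or ->
"""
import re
from urllib.parse import unquote_plus, urlsplit

LOGIN_PATH = "/cgi-bin/userLogin"
DIAG_PATH = "/cgi-bin/diagnostics"
STAGING_PATHS = ("/tmp/qq", "/tmp/n", "/tmp/m")   # staging files from the IOC list
SHELL_META = re.compile(r"[|;&`$()<>]")             # characters a filename never needs
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")
INJECT_RE = re.compile(r"^\|(.+)\|")                 # the "|<cmd>|x" shape of the IOC

# Constructed sample lines (not real captures): a login, an injection on the
# same swap cookie, a benign diagnostics request, and an injection with no login.
SAMPLE_LOG = """\
10.0.0.5 POST /cgi-bin/userLogin 302 swap=abc123
10.0.0.5 GET /cgi-bin/diagnostics?currentTSREmailTo=%7Cchmod%20777%20/tmp/qq;sh%20/tmp/qq%7Cx&tsrEmailCurrent=true 200 swap=abc123
10.0.0.7 GET /cgi-bin/diagnostics?currentTSREmailTo=ops@example.net&tsrEmailCurrent=true 200 swap=zzz999
10.0.0.9 GET /cgi-bin/diagnostics?currentTSREmailTo=%7Cid%7Cx&tsrEmailCurrent=true 200 -
"""

# Constructed multipart body for the extensionsettings vector (hypothetical boundary).
SAMPLE_MULTIPART = (
    "--boundary\r\n"
    'Content-Disposition: form-data; name="scriptname"; filename="x;id>/tmp/m"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n#!/bin/sh\r\n--boundary--\r\n"
)
FILENAME_RE = re.compile(r'name="scriptname";\s*filename="([^"]*)"')


def parse_query(query):
    """Split on '&' only and percent-decode; ';' inside a value must survive,
    because the injected command itself uses ';' as a separator."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, method, target, status, cookie = m.groups()
    parts = urlsplit(target)
    return {"ip": ip, "method": method, "path": parts.path,
            "query": parse_query(parts.query), "status": int(status),
            "cookie": None if cookie == "-" else cookie}


def injected_command(params):
    """Return the command between the pipes of currentTSREmailTo, or None."""
    value = params.get("currentTSREmailTo")
    if value is None:
        return None
    m = INJECT_RE.match(value)
    return m.group(1) if m else None


def analyze(log_text):
    """One alert per pipe-delimited injection into /cgi-bin/diagnostics.
    Severity is 'high' when the same swap cookie completed a login first
    (the post-auth chain the advisory describes), else 'medium'."""
    logged_in = set()
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == LOGIN_PATH and rec["cookie"]:
            logged_in.add(rec["cookie"])
            continue
        if rec["method"] == "GET" and rec["path"] == DIAG_PATH:
            cmd = injected_command(rec["query"])
            if cmd is None:
                continue
            authed = rec["cookie"] in logged_in
            alerts.append({
                "ip": rec["ip"],
                "command": cmd,
                "staging_paths": [p for p in STAGING_PATHS if p in cmd],
                "authenticated": authed,
                "severity": "high" if authed else "medium",
            })
    return alerts


def scriptname_filenames_with_metachars(body):
    """Filenames of 'scriptname' parts that carry shell metacharacters; a
    sanitising CGI would reject these before any system() call."""
    return [fn for fn in FILENAME_RE.findall(body) if SHELL_META.search(fn)]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
    print(scriptname_filenames_with_metachars(SAMPLE_MULTIPART))
```

The query parser is deliberately hand-rolled: older `urllib.parse.parse_qs` versions also split on `;`, which would cut the injected `chmod 777 /tmp/qq;sh /tmp/qq` payload in half and hide the second command. The multipart check only inspects the `scriptname` filename because that is the value the advisory says reaches system(); it needs request-body visibility (a WAF or full-packet capture), which a plain access log does not give you.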

CVSS provenance

NVD v3.0: 9.8 CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C