CVE-2016-9684
Published 2017-02-22
CVE-2016-9684: The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vulnerable to a Remote Command Injection vulnerability in its web administrative interface…
Priority: P269 · critical · 9.8 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 7.06% (93.4th percentile)
The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vulnerable to a Remote Command Injection vulnerability in its web administrative interface. This vulnerability occurs in the 'viewcert' CGI (/cgi-bin/viewcert) component responsible for processing SSL certificate information. The CGI application doesn't properly escape the information it's passed in the 'CERT' variable before a call to system() is performed - allowing for remote command injection. Exploitation of this vulnerability yields shell access to the remote machine under the nobody user account.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dell | sonicwall_secure_remote_access_server | — | — |
Detection & IOCs
Snort/Suricata rule:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SRA Post-Auth viewcert CGI Command Injection (CVE-2016-9684)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/viewcert"; fast_pattern; http.request_body; content:"CERT|3d|"; pcre:"/^[^\x26\x0d\x0a]*?[\x3b\x60\x7c]/R"; reference:url,www.exploit-db.com/exploits/42343; reference:cve,2016-9684; classtype:web-application-attack; sid:2061547; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_14, cve CVE_2016_9684, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_14, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Detect POST requests to /cgi-bin/viewcert whose body carries a CERT parameter with shell metacharacters (backtick, semicolon, pipe) inside the value: this is the injection point used by the exploit.
- The Snort/Suricata rule matches on POST to /cgi-bin/viewcert with a body containing 'CERT=' (CERT|3d|) followed, within the same parameter value (before the next '&' or line break), by one of the shell characters 0x3b (;), 0x60 (`) or 0x7c (|), checked via PCRE. Inspecting the body requires TLS decryption for encrypted traffic.
- The exploit first authenticates via POST to /cgi-bin/userLogin and extracts a 'swap' session cookie, which is then used to authorize the injection request to /cgi-bin/viewcert. Correlate login events with subsequent viewcert POST requests.
- Payload staging writes ELF binaries or shell scripts to /tmp/ (paths /tmp/m, /tmp/n, /tmp/qq) and executes them after chmod +rx. Monitor for file creation and execution in /tmp/ by the 'nobody' user.
- The exploit uses a hardcoded User-Agent string 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0' for the login phase; correlate this UA with POST requests to SonicWall SRA admin CGI endpoints.
- Exploitation is post-authentication: valid credentials (default username 'admin') are required before the injection can be triggered. Ensure authentication logging is enabled to detect brute-force or credential-stuffing attempts preceding exploitation.
- The Snort/Suricata rule (sid:2061547) requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to inspect the POST body, as the SRA appliance listens on port 443. Without SSL inspection the rule will not fire.
- Successful exploitation yields a shell running as the 'nobody' user, not root; however, the exploit also attempts privilege escalation via 'sudo /bin/rm' and chmod operations, suggesting a sudo misconfiguration may be present on vulnerable appliances.
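To make the rule's matching scope concrete, the following is an added Python example (not part of this page and not code from the Emerging Threats rule set or from SonicWall) that reproduces the rule's three conditions, POST method, /cgi-bin/viewcert in the URI, and a CERT= value containing a shell metacharacter before the next '&' or line break, and runs them over constructed request samples. The request builder, the sample bodies and the function names are invented for illustration; like the rule, the check looks at raw body bytes and does no form decoding, and it covers only this one signal, so pair it with the authentication and /tmp/ host-side monitoring described above.

```python
import re

# Mirror of the ET rule sid:2061547 (constructed example, not the rule's own code).
CERT_PARAM = b"CERT="
# Equivalent of pcre:"/^[^\x26\x0d\x0a]*?[\x3b\x60\x7c]/R": from the byte right
# after "CERT=", allow any run of bytes that is not '&', CR or LF, then require
# ';', '`' or '|'. No '^' is needed: Pattern.match() anchors at the given pos.
INJECTION_RE = re.compile(rb"[^&\r\n]*?[;`|]")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body); headers are ignored."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return None
    return parts[0], parts[1], body


def matches_rule(raw: bytes) -> bool:
    """True when the request satisfies the method, URI and body conditions of the rule."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, body = parsed
    if method != b"POST" or b"/cgi-bin/viewcert" not in uri:
        return False
    # Snort/Suricata retry the content match at later offsets when the relative
    # PCRE fails, so every CERT= occurrence in the body is tried here as well.
    start = 0
    while True:
        idx = body.find(CERT_PARAM, start)
        if idx == -1:
            return False
        if INJECTION_RE.match(body, idx + len(CERT_PARAM)):
            return True
        start = idx + 1


def build_request(uri: bytes, body: bytes, method: bytes = b"POST") -> bytes:
    """Assemble a minimal HTTP/1.1 request (constructed traffic, not a capture)."""
    return (method + b" " + uri + b" HTTP/1.1\r\n"
            b"Host: sra.example\r\n"  # hypothetical host name
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed samples, chosen to exercise each condition of the rule.
SAMPLES = {
    "benign_cert":        build_request(b"/cgi-bin/viewcert", b"CERT=server-cert-1&view=1"),
    "semicolon_in_value": build_request(b"/cgi-bin/viewcert", b"CERT=cert1;id&view=1"),
    "backtick_in_value":  build_request(b"/cgi-bin/viewcert", b"view=1&CERT=cert1`id`"),
    "second_cert_param":  build_request(b"/cgi-bin/viewcert", b"CERT=ok&CERT=x|id"),
    "metachar_other_param": build_request(b"/cgi-bin/viewcert", b"CERT=cert1&note=a|b"),
    "metachar_after_newline": build_request(b"/cgi-bin/viewcert", b"CERT=cert1\r\n;id"),
    "other_cgi":          build_request(b"/cgi-bin/userLogin", b"CERT=cert1;id"),
    "get_not_post":       build_request(b"/cgi-bin/viewcert?CERT=cert1;id", b"", method=b"GET"),
}


def scan_samples() -> dict:
    """Run the rule logic over every sample and return name -> alert decision."""
    return {name: matches_rule(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{'ALERT ' if hit else 'pass  '} {name}")
```

The two non-alerting bodies that still contain a metacharacter ("metachar_other_param" and "metachar_after_newline") show why the PCRE is written with the `[^\x26\x0d\x0a]*?` prefix: the rule fires only when the metacharacter sits inside the CERT value itself, which keeps it from alerting on unrelated form fields.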
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
GHSA
GHSA-j858-6544-mp99 (ghsa_unreviewed · 2022-05-14 · CWE-77 · CRITICAL): carries the same description as the CVE text above.
SonicWall
CVE-2016-9684 (vendor_sonicwall · 2017-02-22 · CVSS 9.8 · CWE-77 · CRITICAL): carries the same description as the CVE text above.
Suricata
ET WEB_SERVER SonicWall SRA Post-Auth viewcert CGI Command Injection (CVE-2016-9684) (suricata · 2025-04-14 · CVSS 9.8 · CRITICAL): the rule with sid:2061547 shown in full under Detection & IOCs.
No writeups or analysis indexed.
- http://documents.software.dell.com/sonicwall-sma-100-series/8.1.0.7/release-notes/resolved-issues?ParentProduct=868
- http://pastebin.com/g1e2qU6N
- http://www.securityfocus.com/bid/96375
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2016-0005