CVE-2016-9796
Published 2016-12-03
Priority: P2 · 74 · critical · 9.8 (CVSS 3.0)
Exploit: public exploit available
EPSS: 13.36% (95.9th percentile)
Alcatel-Lucent OmniVista 8770 2.0 through 3.0 exposes different ORBs interfaces, which can be queried using the GIOP protocol on TCP port 30024. An attacker can bypass authentication, and OmniVista invokes methods (AddJobSet, AddJob, and ExecuteNow) that can be used to run arbitrary commands on the server, with the privilege of NT AUTHORITY\SYSTEM on the server. NOTE: The discoverer states "The vendor position is to refer to the technical guidelines of the product security deployment to mitigate this issue, which means applying proper firewall rules to prevent unauthorised clients to connect to the OmniVista server."
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alcatel-lucent | omnivista_8770_network_management_system | — | — |
| alcatel-lucent | omnivista_8770_network_management_system | — | — |
| alcatel-lucent | omnivista_8770_network_management_system | — | — |
Detection & IOCs (extracted from sources)
GIOP byte patterns (hex):
- bytes: 47494f50010000000000012600000000
- bytes: 47494f50010000000000003100000000
- bytes: 47494f5001000000
- bytes: 47494f50010000000000003500000000000001100100000000000010
- Monitor for unauthenticated GIOP/CORBA TCP connections to port 30024 on OmniVista 8770 servers; any external connection to this port should be treated as suspicious.
- Detect GIOP request packets invoking the SchedulerInterface object with methods AddJobSet, AddJob, or ExecuteNow: the exploit encodes the string '5363686564756c6572496e74657266616365' (SchedulerInterface) in the GIOP payload.
- Look for GIOP magic bytes 'GIOP' (0x47494f50) on TCP port 30024 followed by method name strings AddJobSet, AddJob, Active, ExecuteNow, Cancel, or DeleteJobSet as network-level indicators of exploitation.
- Alert on processes spawned as NT AUTHORITY\SYSTEM by the OmniVista service, particularly cmd.exe or powershell.exe with suspicious arguments such as '-nop -w hidden' or IEX/downloadstring patterns.
- The exploit uses nbtscan to resolve the target NetBIOS name before sending GIOP packets; detect nbtscan reconnaissance activity against OmniVista server hosts as a precursor indicator.
- The exploit embeds a crafted username string 'xxx.y.zzzzz,cn=Administrators,cn=8770 administration,o=nmc' in the GIOP AddJobSet payload; presence of this DN pattern in network traffic is a strong exploit indicator.
- The vendor does not patch this vulnerability but instead recommends applying firewall rules to block unauthorized clients from reaching the OmniVista server on TCP port 30024.
- The exploit targets OmniVista 8770 versions 2.0, 2.6, and 3.0 running on Windows Server; the cmd.exe path differs between 32-bit and 64-bit installations, affecting payload construction.
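The network-level indicators above (GIOP magic on TCP/30024, a SchedulerInterface object, and the AddJobSet/AddJob/ExecuteNow operation names) can be checked with a small protocol-aware detector instead of a raw string match. The following is an added example written for this page; it is not code from the advisory, the vendor, or the published exploit. It parses the GIOP 1.0 Request header laid out by the CORBA CDR rules (the byte patterns listed above all start with `47494f50 01 00 00 00`, i.e. GIOP 1.0, big-endian, message type 0 = Request), extracts the object key and operation name, and raises an alert when at least two of the page's indicators coincide. Assumptions: that the `SchedulerInterface` string appears in the request's object key (the page only says it is in the payload), that a two-indicator threshold is an acceptable alert rule, and that the detector is fed reassembled TCP stream data; the `build_request` helper only produces constructed sample traffic (a Request with no arguments) so the detector can be exercised offline.

```python
"""Detect GIOP 1.0 Request messages aimed at the OmniVista 8770 scheduler ORB (added example)."""
import struct
from dataclasses import dataclass

GIOP_MAGIC = b"GIOP"
OMNIVISTA_ORB_PORT = 30024           # TCP port named in the advisory
GIOP_REQUEST = 0                     # GIOP message type 0 = Request
# Operation names the page lists as network-level indicators
WATCHED_OPERATIONS = {"AddJobSet", "AddJob", "Active", "ExecuteNow", "Cancel", "DeleteJobSet"}
# Assumption: the object name the exploit encodes shows up in the request's object key
SCHEDULER_OBJECT = b"SchedulerInterface"


class CdrReader:
    """Minimal CDR reader; alignment is relative to the start of the GIOP message."""

    def __init__(self, data: bytes, little_endian: bool, pos: int = 12):
        self.data, self.pos = data, pos          # body begins right after the 12-byte header
        self.prefix = "<" if little_endian else ">"

    def align(self, n: int) -> None:
        self.pos += (-self.pos) % n

    def ulong(self) -> int:
        self.align(4)
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated ulong")
        (v,) = struct.unpack_from(self.prefix + "I", self.data, self.pos)
        self.pos += 4
        return v

    def boolean(self) -> bool:
        if self.pos >= len(self.data):
            raise ValueError("truncated boolean")
        v = self.data[self.pos]
        self.pos += 1
        return v != 0

    def octets(self) -> bytes:
        n = self.ulong()                         # sequence<octet>: ulong length, then raw bytes
        v = self.data[self.pos:self.pos + n]
        if len(v) != n:
            raise ValueError("truncated sequence<octet>")
        self.pos += n
        return v

    def string(self) -> str:
        return self.octets().rstrip(b"\0").decode("latin-1")   # CDR string length includes the NUL


@dataclass
class GiopRequest:
    version: str
    request_id: int
    object_key: bytes
    operation: str


def parse_giop_request(data: bytes):
    """Return a GiopRequest for a GIOP 1.0 Request; None if not one; ValueError if cut short."""
    if len(data) < 12 or data[:4] != GIOP_MAGIC:
        return None
    major, minor, flags, mtype = data[4], data[5], data[6], data[7]
    if (major, minor) != (1, 0) or mtype != GIOP_REQUEST:
        return None                              # only the GIOP 1.0 Request layout is handled here
    r = CdrReader(data, little_endian=bool(flags & 1))
    for _ in range(r.ulong()):                   # service context list: (context_id, context_data)
        r.ulong()
        r.octets()
    request_id = r.ulong()
    r.boolean()                                  # response_expected
    object_key = r.octets()
    operation = r.string()
    return GiopRequest(f"{major}.{minor}", request_id, object_key, operation)


def assess(payload: bytes, dst_port: int) -> dict:
    """Score one reassembled TCP payload; alert when two or more page indicators coincide."""
    result = {"alert": False, "operation": None, "reasons": []}
    try:
        req = parse_giop_request(payload)
    except ValueError as exc:                    # GIOP header seen but body cut short: reassemble first
        result["reasons"].append(f"truncated GIOP request: {exc}")
        return result
    if req is None:
        return result
    if dst_port == OMNIVISTA_ORB_PORT:
        result["reasons"].append(f"GIOP request to OmniVista ORB port {dst_port}")
    if SCHEDULER_OBJECT in req.object_key:
        result["reasons"].append("object key references SchedulerInterface")
    if req.operation in WATCHED_OPERATIONS:
        result["reasons"].append(f"watched operation {req.operation}")
    result["operation"] = req.operation
    result["alert"] = len(result["reasons"]) >= 2
    return result


def build_request(object_key: bytes, operation: str, request_id: int = 1) -> bytes:
    """Encode a minimal big-endian GIOP 1.0 Request with no arguments (constructed sample traffic)."""
    body = bytearray()

    def pad(n: int) -> None:                     # pad so the next field is n-aligned within the message
        body.extend(b"\0" * ((-(12 + len(body))) % n))

    body += struct.pack(">I", 0)                 # empty service context list
    body += struct.pack(">I", request_id)
    body += b"\x01"                              # response_expected = true
    pad(4); body += struct.pack(">I", len(object_key)) + object_key
    op = operation.encode() + b"\0"
    pad(4); body += struct.pack(">I", len(op)) + op
    pad(4); body += struct.pack(">I", 0)         # empty requesting_principal
    return GIOP_MAGIC + bytes([1, 0, 0, GIOP_REQUEST]) + struct.pack(">I", len(body)) + bytes(body)


if __name__ == "__main__":
    sample = build_request(SCHEDULER_OBJECT, "AddJobSet")      # constructed, not captured traffic
    print(assess(sample, OMNIVISTA_ORB_PORT))
```

The two-indicator threshold keeps a lone legitimate ORB client on port 30024 from alerting by itself, while a request naming both the scheduler object and one of the listed operations from an unexpected source is escalated; the header-only byte patterns above are reported as truncated rather than silently dropped, which is a reminder to run this over reassembled streams, not individual segments.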
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
References
- http://blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html
- http://www.securityfocus.com/bid/94649
- https://github.com/malerisch/omnivista-8770-unauth-rce
- https://www.exploit-db.com/exploits/40862/
- https://www.youtube.com/watch?v=aq37lQKa9sk