CVE-2017-1000486
published 2018-01-03

CVE-2017-1000486: Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution

Priority: P1 · 95 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2022-07-10
Exploited in the wild
EPSS: 94.10% (99.8th percentile)
Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution

Affected

3 ranges

Vendor     Product     Version range      Fixed in
primetek   primefaces  4.0 – 4.0.24
primetek   primefaces  >= 5.0 < 5.2.21    5.2.21
primetek   primefaces  >= 5.3 < 5.3.8     5.3.8

Detection & IOCs (extracted from sources)

url:    /javax.faces.resource/dynamiccontent.properties.xhtml
path:   /javax.faces.resource/dynamiccontent.properties.xhtml
other:  pfdrt=sc&ln=primefaces&pfdrid=uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVbBkVHj5xLXXCaFGpOHe704aOkNwaB12Cc3Iq6NmBo%2BQZuqhqtPxdTA%3D%3D
other:  pfdrt=sc&ln=primefaces
other:  Mogwailabs: CHECKCHECK (response header)
bytes:  DES salt: a9 9b c8 32 56 34 e3 03, iterationCount: 19
  • The exploit uses DES encryption with a hardcoded password 'primefaces', a fixed salt (0xa9,0x9b,0xc8,0x32,0x56,0x34,0xe3,0x03), and iteration count of 19 to encrypt the EL payload in the pfdrid parameter. Decrypting pfdrid values with these parameters can confirm malicious payloads.
  • The Nuclei template checks for the custom response header 'Mogwailabs: CHECKCHECK' to confirm successful EL injection; defenders can alert on this header appearing in HTTP responses.
  • The exploit injects Java EL expressions using javax.script.ScriptEngineManager to obtain a JavaScript engine and execute OS commands via java.lang.ProcessBuilder. Monitor application logs for ScriptEngineManager or ProcessBuilder references in JSF resource requests.
  • FIN13 (Elephant Beetle) has been observed exploiting CVE-2017-1000486 for initial access; correlate Primefaces exploit attempts with subsequent web shell deployment (JspSpy, reGeorg, MiniWebCmdShell) and xp_cmdshell usage.
  • The Metasploit check method injects an EL expression that sets a custom response header 'primesecretchk' to a random value; monitor for unexpected custom headers in HTTP responses from JSF applications as a sign of active probing.
  • The vulnerability only affects Primefaces versions prior to 5.2.21, 5.3.8, or 6.0. The weak crypto stems from the use of DES with a default hardcoded password ('primefaces') and a fixed salt; upgrading to 5.2.21+, 5.3.8+, or 6.0+ mitigates the issue.
  • The default RPORT for the Metasploit module is 80; deployments on non-standard ports will require adjusted detection rules that target the vulnerable URI path rather than a specific port.
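The first and third bullets above describe how a responder can confirm a payload: decrypt the captured pfdrid value with the documented PBE parameters and look for the EL markers the exploit uses. The triage helper below is an added example, not code from PrimeFaces or from any of the sources cited here; the class name PfdridTriage is hypothetical, and it assumes the pfdrid value is URL-encoded Base64 around the DES ciphertext (inferred from the `%2B`/`%3D%3D` in the sample IOC above) and that the scheme is the JCE `PBEWithMD5AndDES` transformation.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

// Triage helper (added example, hypothetical name): decrypts a captured
// pfdrid value so a responder can read the EL expression a request carried.
public class PfdridTriage {
    // Parameters as documented on this page: password "primefaces",
    // fixed 8-byte salt, 19 iterations.
    private static final char[] PASSWORD = "primefaces".toCharArray();
    private static final byte[] SALT = {
        (byte) 0xa9, (byte) 0x9b, (byte) 0xc8, (byte) 0x32,
        (byte) 0x56, (byte) 0x34, (byte) 0xe3, (byte) 0x03 };
    private static final int ITERATIONS = 19;

    // Sample value copied from the IOC list on this page (URL-encoded Base64).
    private static final String SAMPLE_PFDRID =
        "uMKljPgnOTVxmOB%2BH6%2FQEPW9ghJMGL3PRdkfmbiiPkUDzOAoSQnmBt4dYyjvjGhVbBkVHj5xLXXCaFGpOHe704aOkNwaB12Cc3Iq6NmBo%2BQZuqhqtPxdTA%3D%3D";

    // Undo URL encoding and Base64 (assumed wrapping), then decrypt with the fixed
    // password/salt/iteration count. A BadPaddingException here means the value
    // was not produced with these parameters, which is itself useful triage data.
    public static String decrypt(String pfdridParam) throws Exception {
        byte[] ciphertext = Base64.getDecoder().decode(
            URLDecoder.decode(pfdridParam, "UTF-8"));
        SecretKey key = SecretKeyFactory.getInstance("PBEWithMD5AndDES")
            .generateSecret(new PBEKeySpec(PASSWORD));
        Cipher cipher = Cipher.getInstance("PBEWithMD5AndDES");
        cipher.init(Cipher.DECRYPT_MODE, key, new PBEParameterSpec(SALT, ITERATIONS));
        return new String(cipher.doFinal(ciphertext), StandardCharsets.UTF_8);
    }

    // Flag plaintext containing the EL markers named in the detection notes above.
    public static boolean looksMalicious(String plaintext) {
        return plaintext.contains("ScriptEngineManager") || plaintext.contains("ProcessBuilder");
    }

    public static void main(String[] args) throws Exception {
        String value = args.length > 0 ? args[0] : SAMPLE_PFDRID;  // pass a captured value or use the page's sample
        String plaintext = decrypt(value);
        System.out.println("decrypted pfdrid: " + plaintext);
        System.out.println(looksMalicious(plaintext) ? "VERDICT: EL code-execution marker present" : "VERDICT: no known RCE marker");
    }
}
```

Run it with the pfdrid value from a proxy or web-server log as the single argument; on a non-standard port the URI path in the log, not the port, is what identifies the request as relevant.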

CVSS provenance

Source      Version  Score  Severity  Vector
nvd         v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck            9.8    CRITICAL
cisa                 9.8    CRITICAL