CVE-2017-14706
Published 2017-09-22

CVE-2017-14706: DenyAll WAF before 6.4.1 allows unauthenticated remote attackers to obtain authentication information by making a typeOf=debug request to…
Priority P272 · critical · 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 28.24% (97.9th percentile)
DenyAll WAF before 6.4.1 allows unauthenticated remote attackers to obtain authentication information by making a typeOf=debug request to /webservices/download/index.php, and then reading the iToken field in the reply. This affects DenyAll i-Suite LTS 5.5.0 through 5.5.12, i-Suite 5.6, Web Application Firewall 5.7, and Web Application Firewall 6.x before 6.4.1, with On Premises or AWS/Azure cloud deployments.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| denyall | i-suite | — | — |
| denyall | i-suite | — | — |
| denyall | i-suite | — | — |
| denyall | i-suite | — | — |
| denyall | i-suite | — | — |
| denyall | i-suite | — | — |
| denyall | web_application_firewall | — | — |
| denyall | web_application_firewall | — | — |
| denyall | web_application_firewall | — | — |
| denyall | web_application_firewall | — | — |
| denyall | web_application_firewall | — | — |
| denyall | web_application_firewall | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to /webservices/stream/tail.php on port 3001 for shell metacharacters in the 'type' parameter, which indicate exploitation of the tailDateFile command injection vulnerability.
- Detect unauthenticated requests to /webservices/stream/tail.php that include an 'iToken' parameter; this token may have been obtained by chaining CVE-2017-14706 prior to exploitation.
- Alert on inbound TCP connections to port 3001 on DenyAll WAF hosts, particularly those originating from untrusted/external sources, as exploitation occurs over this non-standard port.
- The Metasploit module 'exploits/linux/http/denyall_waf_exec' can be used to validate detection coverage; look for its characteristic HTTP request patterns against the tail.php endpoint.
- Affected versions span a wide range; ensure version scoping is applied before deploying detections to avoid false positives on patched systems.
- CVE-2017-14705 is the second stage of a two-stage exploit chain: CVE-2017-14706 must first be exploited to obtain a valid iToken before the RCE can be triggered. Detection strategies should account for both stages.
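
A sketch of the two-stage correlation described in the list above, run over constructed log lines. This is an added example, not code from the advisory or the vendor; the log layout (`<src_ip> <METHOD> <request-target>`), the sample addresses and the finding names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

STAGE1_PATH = "/webservices/download/index.php"  # CVE-2017-14706 (iToken disclosure)
STAGE2_PATH = "/webservices/stream/tail.php"     # CVE-2017-14705 (command injection)
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n]")     # checked after URL-decoding

# Constructed sample, assumed layout: "<src_ip> <METHOD> <request-target>"
SAMPLE_LOG = """\
198.51.100.7 GET /webservices/download/index.php?typeOf=debug
198.51.100.7 GET /webservices/stream/tail.php?iToken=PLACEHOLDER&type=access%3Bid
203.0.113.9 GET /webservices/stream/tail.php?iToken=PLACEHOLDER&type=access
192.0.2.44 GET /index.php?typeOf=debug
"""

def scan(log_text):
    """Return (src_ip, finding) tuples in log order."""
    findings, leaked = [], set()
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip lines that do not fit the assumed layout
        src, _method, target = parts
        url = urlsplit(target)
        params = parse_qs(url.query, keep_blank_values=True)
        if url.path == STAGE1_PATH and "debug" in params.get("typeOf", []):
            # Stage 1: the reply to this request carries the iToken field.
            leaked.add(src)
            findings.append((src, "stage1-itoken-disclosure"))
        elif url.path == STAGE2_PATH:
            # Stage 2: shell metacharacters in the decoded 'type' value.
            if any(SHELL_META.search(v) for v in params.get("type", [])):
                chained = src in leaked
                tag = "stage2-injection-chained" if chained else "stage2-injection"
                findings.append((src, tag))
    return findings

if __name__ == "__main__":
    for src, finding in scan(SAMPLE_LOG):
        print(src, finding)
```

A stage 2 hit from a source that was never seen in stage 1 is still reported, since the token request may have come from a different address.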
CVSS provenance
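| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |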
GHSA
GHSA-xg92-4q2x-2943: DenyAll WAF before 6
ghsa_unreviewed·2022-05-17
CVE-2017-14706 [CRITICAL] CWE-287 GHSA-xg92-4q2x-2943: DenyAll WAF before 6
GHSA
GHSA-9cc5-7cfq-52hg: DenyAll WAF before 6
ghsa_unreviewed·2022-05-13·CVSS 9.8
CVE-2017-14705 [CRITICAL] CWE-78 GHSA-9cc5-7cfq-52hg: DenyAll WAF before 6
DenyAll WAF before 6.4.1 allows unauthenticated remote command execution via TCP port 3001 because shell metacharacters can be inserted into the type parameter to the tailDateFile function in /webservices/stream/tail.php. An iToken authentication parameter is required but can be obtained by exploiting CVE-2017-14706. This affects DenyAll i-Suite LTS 5.5.0 through 5.5.12, i-Suite 5.6, Web Application Firewall 5.7, and Web Application Firewall 6.x before 6.4.1, with On Premises or AWS/Azure cloud deployments.
- https://github.com/rapid7/metasploit-framework/pull/8980
- https://pentest.blog/advisory-denyall-web-application-firewall-unauthenticated-remote-code-execution/
- https://www.denyall.com/blog/advisories/advisory-unauthenticated-remote-code-execution-denyall-web-application-firewall/
Published: 2017-09-22