CVE-2017-16524
published 2017-11-06

Priority: P2 73, high, 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 30.30% (98.0th percentile)

Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_upload.php' allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a .php extension, which is then accessed via a direct request to the file in the upload/ directory. To authenticate for this attack, one can obtain web-interface credentials in cleartext by leveraging the existing Local File Read Vulnerability referenced as CVE-2015-8279, which allows remote attackers to read the web-interface credentials via a request for the cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI.

Affected

1 range
Vendor | Product | Version range | Fixed in
hanwhasecurity | web_viewer | |

Detection & IOCs (extracted from sources)

path: /network_ssl_upload.php
path: /upload/
url: /cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw
path: /root/php_modules/lighttpd/sbin/userpw
version: 1.0.0.193

  • Detect credential harvesting via LFI: look for GET requests to /cslog_export.php with the query parameter path=/root/php_modules/lighttpd/sbin/userpw (CVE-2015-8279 chained with this CVE).
  • Detect file upload exploitation: look for multipart POST requests to /network_ssl_upload.php containing a filename with a .php extension in the attachFile field.
  • Detect payload execution: look for GET requests to /upload/*.php immediately following a POST to /network_ssl_upload.php, indicating uploaded PHP webshell execution.
  • Flag HTTP requests carrying the IESEVEN=1 cookie combined with NVR_DATA* session cookies, which is the authentication cookie pattern used by the exploit against Samsung SRN-1670D devices.
  • Detect version fingerprinting: look for GET requests to /index whose response body contains 'Web Viewer for Samsung NVR' and 'File Version 1.0.0.193', indicating active reconnaissance of vulnerable devices.
  • The exploit uses User-Agent 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' consistently across all requests; correlate this UA with requests to the above vulnerable endpoints as a combined detection signal.
  • The exploit requires prior authentication, which it obtains by chaining CVE-2015-8279 (LFI) to read cleartext credentials from the userpw file before uploading the PHP payload.
  • The uploaded PHP payload is self-deleting (unlink_self=>true), which may limit forensic recovery of the dropped file from the /upload/ directory after execution.
  • The login step encodes the username in Base64 and hashes the password with SHA-256 before POST; network-level credential detection must account for this transformation rather than looking for plaintext credentials on the wire.
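
The first three detections above can be correlated per client from the device's or a fronting proxy's access log. The following is an added example, not taken from this page's sources: it assumes combined log format, treats "immediately following" as a 60-second window, and runs on constructed sample lines that use documentation IP addresses. Access logs do not record the multipart filename, so the upload signal here is the POST followed by a .php request under /upload/.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [06/Nov/2017:10:00:01 +0000] "GET /index HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [06/Nov/2017:10:00:02 +0000] "GET /cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw HTTP/1.1" 200 64 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [06/Nov/2017:10:00:05 +0000] "POST /network_ssl_upload.php HTTP/1.1" 200 20 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
198.51.100.7 - - [06/Nov/2017:10:00:06 +0000] "GET /upload/example.php HTTP/1.1" 200 0 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
203.0.113.9 - - [06/Nov/2017:10:05:00 +0000] "POST /network_ssl_upload.php HTTP/1.1" 200 20 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Nov/2017:11:30:00 +0000] "GET /upload/server.crt HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
# CVE-2015-8279 read of the credential file (checked after URL-decoding).
LFI = re.compile(r'^/cslog_export\.php\?(?:.*&)?path=.*userpw', re.I)
# Any .php resource requested directly under /upload/.
EXEC = re.compile(r'^/upload/[^?]*\.php(?:\?|$)', re.I)
WINDOW = timedelta(seconds=60)  # assumption: tune to your environment

def detect(log_text):
    """Return (client_ip, reason) alerts in log order."""
    alerts = []
    last_upload = {}  # client ip -> time of last POST to the upload endpoint
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, ts, method, uri, _status, _ua = m.groups()
        uri = unquote(uri)  # catch %2F-encoded variants of the same path
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "GET" and LFI.search(uri):
            alerts.append((ip, "credential-file read via cslog_export.php"))
        elif method == "POST" and uri.split("?")[0] == "/network_ssl_upload.php":
            last_upload[ip] = when
        elif method == "GET" and EXEC.search(uri):
            up = last_upload.get(ip)
            if up is not None and timedelta(0) <= when - up <= WINDOW:
                alerts.append((ip, "PHP request under /upload/ after upload POST"))
    return alerts

if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG):
        print(ip, reason)
```

The second client in the sample uploads a certificate and fetches a non-PHP file outside the window, so it raises no alert.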

CVSS provenance

nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P