CVE-2017-16524
Published 2017-11-06
Priority: P273 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 30.30% (98.0th percentile)
Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_upload.php' allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a .php extension, which is then accessed via a direct request to the file in the upload/ directory. To authenticate for this attack, one can obtain web-interface credentials in cleartext by leveraging the existing Local File Read Vulnerability referenced as CVE-2015-8279, which allows remote attackers to read the web-interface credentials via a request for the cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hanwhasecurity | web_viewer | — | — |
Detection & IOCs (extracted from sources)
- Detect credential harvesting via LFI: look for GET requests to /cslog_export.php with the query parameter path=/root/php_modules/lighttpd/sbin/userpw (CVE-2015-8279 chained with this CVE).
- Detect file upload exploitation: look for multipart POST requests to /network_ssl_upload.php containing a filename with a .php extension in the attachFile field.
- Detect payload execution: look for GET requests to /upload/*.php immediately following a POST to /network_ssl_upload.php, indicating uploaded PHP webshell execution.
- Flag HTTP requests carrying the IESEVEN=1 cookie combined with NVR_DATA* session cookies, which is the authentication cookie pattern used by the exploit against Samsung SRN-1670D devices.
- Detect version fingerprinting: look for GET requests to /index whose response body contains 'Web Viewer for Samsung NVR' and 'File Version 1.0.0.193', indicating active reconnaissance of vulnerable devices.
- The exploit uses User-Agent 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' consistently across all requests; correlate this UA with requests to the above vulnerable endpoints as a combined detection signal.
- The exploit requires prior authentication, which it obtains by chaining CVE-2015-8279 (LFI) to read cleartext credentials from the userpw file before uploading the PHP payload.
- The uploaded PHP payload is self-deleting (unlink_self=>true), which may limit forensic recovery of the dropped file from the /upload/ directory after execution.
- The login step encodes the username in Base64 and hashes the password with SHA-256 before POST; network-level credential detection must account for this transformation rather than looking for plaintext credentials on the wire.
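CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |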
Exploit-DB
Web Viewer 1.0.0.193 (Samsung SRN-1670D) - Unrestricted File Upload
exploitdb·2017-11-13·CVSS 8.6
---
# Exploit Title: Unrestricted file upload vulnerability - Web Viewer 1.0.0.193 on Samsung SRN-1670D
# Date: 2017-06-19
# Exploit Author: Omar MEZRAG - 0xFFFFFF / www.realistic-security.com
# Vendor Homepage: https://www.hanwhasecurity.com
# Version: Web Viewer 1.0.0.193 on Samsung SRN-1670D
# Tested on: Web Viewer 1.0.0.193
# CVE : CVE-2017-16524
##
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'digest'
class MetasploitModule 'Samsung SRN-1670D - Web Viewer Version 1.0.0.193 Arbitrary File Read & Upload',
'Description' => %q{
This module exploits an Unrestricted file upload vulnerability in
Web View
Metasploit
Samsung SRN-1670D Web Viewer Version 1.0.0.193 Arbitrary File Read and Upload
metasploit·CVSS 8.6
This module exploits an unrestricted file upload vulnerability in Web Viewer 1.0.0.193 on Samsung SRN-1670D devices. The network_ssl_upload.php file allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a .php extension, which is then accessed via a direct request to the file in the upload/ directory. To authenticate for this attack, one can obtain web-interface credentials in cleartext by leveraging the existing local file read vulnerability referenced by CVE-2015-8279, which allows remote attackers to read the web interface credentials by sending a request to the cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI.