CVE-2017-16666
Published 2018-01-05
Priority: P277 · Severity: high · CVSS 3.0 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 80.10% (99.6th percentile)
Xplico before 1.2.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the name of an uploaded PCAP file. NOTE: this issue can be exploited without authentication by leveraging the user registration feature.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xplico | xplico | < 1.2.1 | 1.2.1 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated GET requests to /users/register on TCP port 9876. This hidden endpoint is abused to create accounts without prior authentication as the first step of exploitation.
- Detect multipart file upload POST requests to /sols/pcap where the filename field contains backtick characters (`), indicating shell command injection in the PCAP filename.
- The activation token (em_key) is computed as MD5(email + MD5(password) + unix_timestamp), making it predictable. Monitor for rapid sequential GET requests to /users/registerConfirm/<token>, which may indicate token brute-forcing or pre-computation.
- Alert on the full exploitation sequence: GET /users/register → POST /users/register → GET /users/registerConfirm/<hash> → POST /users/login → POST /pols/add → POST /sols/add → POST /sols/pcap, all originating from the same source IP on port 9876.
- Xplico processes run as root; any shell spawned via this exploit will have root privileges. Monitor for unexpected child processes spawned by the Xplico web process.
- The exploit payload is constrained to 252 bytes with bad characters 0x2F ('/') and 0x22 ('"'), and requires cmd payloads of type 'generic netcat gawk'. Detection rules should account for encoded/obfuscated payloads that avoid forward-slash and double-quote characters.
- The activation email is unlikely to be delivered in most installations, but exploitation still succeeds because the em_key token is predictable (insecure PRNG). Do not rely on email delivery controls as a mitigation.
- The check() method only verifies whether /users/register returns a 302 redirect (Safe) or an unexpected response (Unknown); it does not confirm exploitability without actually triggering the injection. A 'Safe' result may be a false negative if the endpoint behaves differently.
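As an added defender-side example (not from this page or any of the linked sources), the following Python implements the second indicator above: it parses a multipart POST to /sols/pcap with the standard-library MIME parser and flags any uploaded filename carrying shell metacharacters, generalising from the backtick the PoC uses to the usual substitutes. The request is constructed, and the form field name `pcapfile` and the host are assumptions rather than Xplico's real values.

```python
import re
from email.parser import BytesParser
from email.policy import default

# Shell metacharacters that have no business in an uploaded PCAP's filename.
# The public PoC for CVE-2017-16666 uses backticks; the others are the usual
# substitutes an attacker could fall back on, so the rule covers them too.
SHELL_METACHARS = re.compile(r"[`$;|&<>(){}\n]")

def upload_filenames(raw_request: bytes) -> list[str]:
    """Return the filename= parameter of every file part in a multipart POST body."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    ctype = next((h for h in head.split(b"\r\n")
                  if h.lower().startswith(b"content-type:")), None)
    if ctype is None:
        return []
    # Feed only Content-Type plus the body so the stdlib MIME parser splits the parts.
    msg = BytesParser(policy=default).parsebytes(ctype + b"\r\n\r\n" + body)
    return [part.get_filename() for part in msg.iter_parts() if part.get_filename()]

def inspect_pcap_upload(raw_request: bytes) -> list[str]:
    """Return the suspicious filenames in a POST to /sols/pcap (empty list = nothing flagged)."""
    request_line = raw_request.split(b"\r\n", 1)[0].decode("latin-1")
    if not request_line.startswith("POST /sols/pcap"):
        return []
    return [name for name in upload_filenames(raw_request) if SHELL_METACHARS.search(name)]

BOUNDARY = "----constructed-boundary"

def build_request(filename: str, path: str = "/sols/pcap") -> bytes:
    """Construct a sample upload request (not captured traffic). The form field
    name 'pcapfile' and the host are assumptions, not taken from Xplico."""
    body = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="pcapfile"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
        f"PCAPDATA\r\n--{BOUNDARY}--\r\n"
    ).encode()
    return (
        f"POST {path} HTTP/1.1\r\nHost: xplico.example:9876\r\n"
        f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode() + body

if __name__ == "__main__":
    for name in ("capture.pcap", "`id`.pcap"):
        print(name, "->", inspect_pcap_upload(build_request(name)) or "clean")
```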
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
No detection rules found.
Exploit-DB
Xplico - Remote Code Execution (Metasploit) (exploitdb, 2018-01-04)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # ... (module preamble not included in the indexed excerpt)
      'Name'        => 'Xplico Remote Code Execution',
      'Description' => %q{
        This module exploits command injection vulnerability. Unauthenticated users can register a new account and then execute a terminal
        command under the context of the root user.
        The specific flaw exists within the Xplico, which listens on TCP port 9876 by default. The goal of Xplico is extract from an internet
        traffic capture the applications data contained. There is a hidden end-point at inside of the Xplico that allow anyone to create
        a new user. Once the user created through /users/register endpoint, it must be activated via act
```
Metasploit
Xplico Remote Code Execution

This module exploits a command injection vulnerability. Unauthenticated users can register a new account and then execute a terminal command under the context of the root user. The specific flaw exists within Xplico, which listens on TCP port 9876 by default. The goal of Xplico is to extract the application data contained in an internet traffic capture. There is a hidden endpoint inside Xplico that allows anyone to create a new user. Once the user is created through the /users/register endpoint, it must be activated via an activation e-mail. After the registration, Xplico tries to send an e-mail that contains the activation code. Unfortunately, this e-mail will probably not reach the given e-mail address on most installations. But it's possible to calculate the exact
No writeups or analysis indexed.
References
- http://blog.securityonion.net/2017/11/security-advisory-for-xplico-120.html
- http://packetstormsecurity.com/files/145639/Xplico-Remote-Code-Execution.html
- http://www.rapid7.com/db/modules/exploit/linux/http/xplico_exec
- https://pentest.blog/advisory-xplico-unauthenticated-remote-code-execution-cve-2017-16666/
- https://www.exploit-db.com/exploits/43430/
- https://www.xplico.org/archives/1538