cbcvebase.
CVE-2017-16666
published 2018-01-05


Priority: P277 high · CVSS 3.0: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 80.10% (99.6th percentile)
Xplico before 1.2.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the name of an uploaded PCAP file. NOTE: this issue can be exploited without authentication by leveraging the user registration feature.

Affected

1 range
Vendor: xplico · Product: xplico · Version range: < 1.2.1 · Fixed in: 1.2.1

Detection & IOCs (extracted from sources)

port: 9876
path: /users/register
path: /sols/add
path: /sols/pcap
command: filename="`<payload>)`"
  • Detect unauthenticated GET requests to /users/register on TCP port 9876 — this hidden endpoint is abused to create accounts without prior authentication as the first step of exploitation.
  • Detect multipart file upload POST requests to /sols/pcap where the filename field contains backtick characters (`) indicating shell command injection in the PCAP filename.
  • The activation token (em_key) is computed as MD5(email + MD5(password) + unix_timestamp), making it predictable. Monitor for rapid sequential GET requests to /users/registerConfirm/<token> which may indicate token brute-forcing or pre-computation.
  • Alert on the full exploitation sequence: GET /users/register → POST /users/register → GET /users/registerConfirm/<hash> → POST /users/login → POST /pols/add → POST /sols/add → POST /sols/pcap, all originating from the same source IP on port 9876.
  • Xplico processes run as root; any shell spawned via this exploit will have root privileges. Monitor for unexpected child processes spawned by the Xplico web process.
  • The exploit payload is constrained to 252 bytes with bad characters 0x2F ('/') and 0x22 ('"'), and requires cmd payloads of type 'generic netcat gawk'. Detection rules should account for encoded/obfuscated payloads that avoid forward-slash and double-quote characters.
  • The activation email is unlikely to be delivered in most installations, but exploitation still succeeds because the em_key token is predictable (insecure PRNG). Do not rely on email delivery controls as a mitigation.
  • The check() method only verifies whether /users/register returns a 302 redirect (Safe) or an unexpected response (Unknown); it does not confirm exploitability without actually triggering the injection. A 'Safe' result may be a false negative if the endpoint behaves differently.
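A minimal detection check for the first two bullets above, added here as an example (it is not from the page's sources or from Xplico): it flags unauthenticated hits on /users/register on port 9876 and multipart uploads to /sols/pcap whose filename carries shell metacharacters. The request fields and the `authenticated` flag are assumptions about what a proxy or WAF log provides, and the sample bodies are constructed.

```python
import re

# Shell metacharacters that have no business in a PCAP filename. The backtick
# is the character the public exploit uses; the rest are added as an assumption
# so that trivially rewritten payloads are also caught.
SHELL_META = set("`$;|&<>(){}\n")
CONTENT_DISP = re.compile(
    r'Content-Disposition:[^\r\n]*?filename="([^"\r\n]*)"', re.IGNORECASE
)


def multipart_filenames(body):
    """Return every filename= value found in a multipart/form-data body."""
    return CONTENT_DISP.findall(body)


def check_request(method, path, port, body="", authenticated=True):
    """Return alert strings for one HTTP request to the Xplico web UI.

    `authenticated` is whether the request carried a valid session; it is
    assumed to come from the proxy/WAF log rather than parsed from cookies.
    """
    alerts = []
    if port != 9876:
        return alerts
    if method == "GET" and path == "/users/register" and not authenticated:
        alerts.append("unauthenticated access to hidden /users/register endpoint")
    if method == "POST" and path == "/sols/pcap":
        for name in multipart_filenames(body):
            bad = sorted(c for c in set(name) if c in SHELL_META)
            if bad:
                alerts.append(f"shell metacharacters {bad} in PCAP filename {name!r}")
    return alerts


# Constructed samples: a benign upload and one using the page's filename form.
BENIGN_BODY = (
    "--xyz\r\n"
    'Content-Disposition: form-data; name="pcap"; filename="capture.pcap"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n...\r\n--xyz--\r\n"
)
MALICIOUS_BODY = BENIGN_BODY.replace('filename="capture.pcap"', 'filename="`<payload>)`"')

if __name__ == "__main__":
    print(check_request("GET", "/users/register", 9876, authenticated=False))
    print(check_request("POST", "/sols/pcap", 9876, BENIGN_BODY))
    print(check_request("POST", "/sols/pcap", 9876, MALICIOUS_BODY))
```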

CVSS provenance

nvd v3.0 8.8 HIGH CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd v2.0 9.0 CRITICAL AV:N/AC:L/Au:S/C:C/I:C/A:C