CVE-2017-16806
published 2017-11-13

CVE-2017-16806: The Process function in RemoteTaskServer/WebServer/HttpServer.cs in Ulterius before 1.9.5.0 allows HTTP server directory traversal.

Priority: P2 (75, high)
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT
EPSS: 91.50% (99.8th percentile)

Affected (2 ranges)

Vendor      Product           Version range    Fixed in
ulterius    ulterius_server
ulterius    ulterius_server

Detection & IOCs (extracted from sources)

path: /.../.../.../.../.../.../.../.../.../windows/win.ini
path: /.../fileIndex.db
path: /.../.../.../.../.../.../.../.../.../etc/passwd
port: 22006
filename: fileIndex.db
yara regex: root:.*:0:0: OR \[(font|extension|file)s\]
  • Detect directory traversal attempts using the '...' (triple-dot) traversal sequence in HTTP GET request paths, which is the specific bypass used by this vulnerability instead of the standard '../' sequence.
  • Monitor HTTP GET requests to '/.../fileIndex.db' on Ulterius server ports; successful retrieval exposes a compressed index of every file on the system, enabling targeted follow-on file theft.
  • Alert on HTTP 200 responses from Ulterius server (default port 22006) where the response body matches '/etc/passwd' content (root:.*:0:0:) or Windows win.ini section headers ([(font|extension|file)s]).
  • The traversal path uses exactly nine '...' segments to escape to the filesystem root; signature-match on GET requests containing sequences of three or more consecutive '.../' path components targeting Ulterius server.
  • The traversal only works for files on the same drive letter as the Ulterius server installation; files on other drive letters are not reachable via this technique.
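The detection notes above, turned into a small classifier and run over constructed sample HTTP transactions. This is an added example, not code from this page or from the Ulterius project; the transaction tuple layout, the `ULTERIUS_PORTS` set, the alert tag names and the sample bodies are assumptions.

```python
import re
from urllib.parse import unquote

# Detection rules taken from the notes above; the port set and tag names are assumptions.
ULTERIUS_PORTS = {22006}                                   # default Ulterius server port
TRIPLE_DOT_RE = re.compile(r"(?:\.\.\./){3,}")             # 3+ consecutive '.../' components
INDEX_DB_RE = re.compile(r"/\.\.\./fileIndex\.db$", re.IGNORECASE)
SENSITIVE_BODY_RE = re.compile(r"root:.*:0:0:|\[(?:font|extension|file)s\]")


def inspect_request(method, path, dst_port, status, body):
    """Return the alert tags raised by one HTTP transaction (empty list if benign)."""
    alerts = []
    if dst_port not in ULTERIUS_PORTS:
        return alerts                                      # out of scope for this rule set
    decoded = unquote(path)                                # catch percent-encoded dots too
    if method == "GET" and TRIPLE_DOT_RE.search(decoded):
        alerts.append("triple-dot-traversal")
    if method == "GET" and INDEX_DB_RE.search(decoded):
        alerts.append("fileIndex.db-read")
    if status == 200 and SENSITIVE_BODY_RE.search(body):
        alerts.append("sensitive-file-content")
    return alerts


def scan(transactions):
    """Map each flagged request path to its alert tags; unflagged transactions are dropped."""
    hits = {}
    for method, path, port, status, body in transactions:
        alerts = inspect_request(method, path, port, status, body)
        if alerts:
            hits[path] = alerts
    return hits


# Constructed sample transactions, not real captures:
# (method, request path, destination port, status, response body)
SAMPLE = [
    ("GET", "/index.html", 22006, 200, "<html>ulterius</html>"),
    ("GET", "/.../.../.../.../.../.../.../.../.../windows/win.ini", 22006, 200,
     "; for 16-bit app support\n[fonts]\n[extensions]\n"),
    ("GET", "/.../fileIndex.db", 22006, 200, "\x1f\x8b<compressed index>"),
    ("GET", "/../../etc/passwd", 22006, 404, "Not Found"),   # constructed: plain '../' assumed rejected
    ("GET", "/%2e%2e%2e/%2e%2e%2e/%2e%2e%2e/.../.../.../.../.../.../etc/passwd", 22006, 200,
     "root:x:0:0:root:/root:/bin/bash\n"),
    ("GET", "/.../.../.../.../.../.../.../.../.../etc/passwd", 8080, 200,
     "root:x:0:0:root:/root:/bin/bash\n"),                   # non-Ulterius port: ignored
]

if __name__ == "__main__":
    for path, tags in scan(SAMPLE).items():
        print(path, "->", ", ".join(tags))
```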

CVSS provenance

nvd v3.0: 7.5 HIGH (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
nvd v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)