CVE-2017-16921
Published 2017-12-08
Priority: P2 (72), high; CVSS 3.0 base score 8.8
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 19.90% (97.1th percentile)
In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user.
Affected
57 ranges (25 shown; only one carries version data on this page)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | otrs2 | < otrs2 6.0.2-1 (bullseye) | otrs2 6.0.2-1 (bullseye) |
| debian | debian_linux | — | — |
| otrs | otrs | — | — |
Detection & IOCs (extracted from sources)
- Alert on GET requests to /index.pl?Action=AdminPGP immediately following a SysConfig PGP update; this is the trigger step that executes the injected shell command.
- Detect PGP::Bin being set to any value other than a known gpg binary path (e.g., /usr/bin/gpg), particularly interpreters like /usr/bin/python, /bin/bash, etc.
- Detect PGP::Options containing shell metacharacters or Python/subprocess reverse shell patterns (e.g., 'import socket', 'subprocess.call', '/bin/sh -i').
- Look for the ChallengeToken scraping pattern: a GET to the AdminSysConfig PGP edit page followed immediately by a POST to the same endpoint, indicative of automated exploit tooling.
- Monitor for the OTRS web server process (e.g., the apache user) spawning unexpected child processes such as python or /bin/sh with the -i flag, which indicates successful RCE.
- The exploit requires the attacker to already be authenticated as an OTRS agent; unauthenticated exploitation is not possible. Detection should focus on authenticated agent sessions performing admin-level SysConfig changes.
- The exploit can be repeated an unlimited number of times by re-triggering /index.pl?Action=AdminPGP after the malicious PGP::Bin/PGP::Options config is saved; a single config change enables persistent re-exploitation.
- Manual cleanup of the PGP SysConfig options is required after exploitation; the malicious settings persist in the admin panel until manually reverted.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
Debian (vendor_debian · 2017 · CVSS 8.8)
CVE-2017-16921 [HIGH]: otrs2
Scope: local
bullseye: resolved (fixed in 6.0.2-1)
GHSA (ghsa_unreviewed · 2022-05-13)
GHSA-x9qc-g4w7-x2hf: CVE-2017-16921 [HIGH], CWE-78
OSV (osv · 2017-12-08 · CVSS 8.8)
CVE-2017-16921 [HIGH]
No detection rules found.
Exploit-DB (exploitdb · 2021-04-22 · CVSS 8.8)
CVE-2017-16921 [HIGH]: OTRS 6.0.1 - Remote Command Execution (2)
---
# Exploit Title: OTRS 6.0.1 - Remote Command Execution (2)
# Date: 21-04-2021
# Exploit Author: Hex_26
# Vendor Homepage: https://www.otrs.com/
# Software Link: http://ftp.otrs.org/pub/otrs/
# Version: 4.0.1 - 4.0.26, 5.0.0 - 5.0.24, 6.0.0 - 6.0.1
# Tested on: OTRS 5.0.2/CentOS 7.2.1511
# CVE : CVE-2017-16921
#!/usr/bin/env python3
"""
Designed after https://www.exploit-db.com/exploits/43853.
Runs a python reverse shell on the target with the preconfigured options.
This script does not start a listener for you. Run one on your own with netcat or another similar tool
By default, this script will launch a python reverse shell one liner with no cleanup. Manual cleanup needs to be done for the PGP options in the admin panel if you wish to pres
Exploit-DB (exploitdb · 2018-01-21 · CVSS 8.8)
CVE-2017-16921 [HIGH]: OTRS 5.0.x/6.0.x - Remote Command Execution (1)
---
# Exploit Title: OTRS 5.0.x/6.0.x - Remote Command Execution (1)
# Date: 21-01-2018
# Exploit Author: Bæln0rn
# Vendor Homepage: https://www.otrs.com/
# Software Link: http://ftp.otrs.org/pub/otrs/
# Version: 4.0.1 - 4.0.26, 5.0.0 - 5.0.24, 6.0.0 - 6.0.1
# Tested on: OTRS 5.0.2/CentOS 7.2.1511
# CVE : CVE-2017-16921
CVE-2017-16921:
"In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.26, an attacker who is logged into OTRS as an agent can manipulate form parameters (related to PGP) and execute arbitrary shell commands with the permissions of the OTRS or web server user."
OTRS 5.0.2 PoC:
1. Authenticate to an agent account. /index.pl
2. Open "Admin" tab. /index.pl?Acti
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/162295/OTRS-6.0.1-Remote-Command-Execution.html
- https://lists.debian.org/debian-lts-announce/2017/12/msg00015.html
- https://www.debian.org/security/2017/dsa-4066
- https://www.exploit-db.com/exploits/43853/
- https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/