CVE-2017-16934
Published: 2017-11-24
Priority: P2 · 75 · critical · 9.8 (CVSS 3.0)
EXPLOIT
EPSS: 13.46% (96.0th percentile)
The web server on DBL DBLTek devices allows remote attackers to execute arbitrary OS commands by obtaining the admin password via a frame.html?content=/dev/mtdblock/5 request, and then using this password for the HTTP Basic Authentication needed for a change_password.csp request, which supports a "<%%25call system.exec:" string in the passwd parameter.
Detection & IOCs (extracted from sources)
- Detect LFI exploitation attempt: HTTP GET requests containing 'content=/dev/mtdblock/5' in the query string targeting frame.html, which leaks the device configuration including admin credentials.
- Detect RCE exploitation attempt: HTTP POST requests to change_password.csp with a passwd parameter containing the '<%' or 'call system.exec:' injection string.
- Detect chained attack: HTTP Basic Authentication header ('Authorization: Basic') on POST requests to change_password.csp immediately following a GET to frame.html?content=/dev/mtdblock/5 from the same source IP.
- Detect payload staging: HTTP GET requests for a path named '/prism' served from an attacker-controlled HTTP server, used to deliver an ARM v5l binary implant to the target device.
- Detect post-exploitation: presence of telnetd spawned by busybox on port 23 with /bin/sh as the login shell on DBLTek GoIP devices.
- Monitor for the variable 'ADMIN_PASSWORD' being extracted via regex from the mtdblock/5 configuration dump, indicating credential harvesting from the device flash.
- DblTek has released patches addressing both vulnerabilities; detection rules should still fire on unpatched devices or exploitation attempts against them.
- The embedded ARM v5l binary payload ('PRISM') has its C2 host and port patched in at offsets 0x7810 and 0x7820 respectively at runtime, meaning the binary hash will differ per attacker infrastructure.
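The first three detections above (LFI request, template injection in passwd, and the chained sequence from one source IP) as a small log-scanning example. This is added illustration, not code from the page's sources or from the vendor; it assumes a simplified, constructed log format of "src_ip method path body" per line, with the body URL-encoded as a browser would send it.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the page): "<src_ip> <method> <path?query> <body>"
SAMPLE_LOG = """\
10.0.0.5 GET /frame.html?content=/dev/mtdblock/5 -
10.0.0.9 GET /frame.html?content=about.html -
10.0.0.5 POST /change_password.csp passwd=%3C%25%2525call+system.exec%3A
10.0.0.7 POST /change_password.csp passwd=hunter2
"""

# GET to frame.html whose content= parameter points at the config flash partition
LFI_RE = re.compile(r"/frame\.html\?.*\bcontent=/dev/mtdblock/5\b")
# Markers from the page's RCE detection for the passwd parameter
RCE_MARKERS = ("<%", "call system.exec:")


def classify(line):
    """Return (src_ip, tags) for one log line; unparseable lines yield no tags."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return None, []
    ip, method, target, body = parts
    tags = []
    if method == "GET" and LFI_RE.search(target):
        tags.append("lfi_config_leak")
    if method == "POST" and target.startswith("/change_password.csp"):
        decoded = unquote_plus(body)  # compare against both raw and decoded forms
        if any(m in body or m in decoded for m in RCE_MARKERS):
            tags.append("rce_template_injection")
    return ip, tags


def detect(log_text):
    """Scan log text in order; flag RCE from an IP that already pulled the config dump."""
    alerts = []
    leaked = set()  # source IPs that already requested /dev/mtdblock/5
    for line in log_text.splitlines():
        ip, tags = classify(line)
        if "lfi_config_leak" in tags:
            leaked.add(ip)
        if "rce_template_injection" in tags and ip in leaked:
            tags.append("chained_lfi_then_rce")
        alerts.extend((ip, t) for t in tags)
    return alerts


if __name__ == "__main__":
    for ip, tag in detect(SAMPLE_LOG):
        print(ip, tag)
```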
CVSS provenance
NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
No detection rules found.
No writeups or analysis indexed.