# CVE-2017-17411
Published: 2017-12-21
Priority: P192 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 87.93% (99.7th percentile)
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Linksys WVBR0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web management portal. The issue lies in the lack of proper validation of user data before executing a system call. An attacker could leverage this vulnerability to execute code with root privileges. Was ZDI-CAN-4892.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linksys | linksys_wvbr0 | — | — |
| linksys | wvbr0_firmware | < 1.0.41 | 1.0.41 |
Detection & IOCs (extracted from sources)
- Detect CVE-2017-17411 exploitation by inspecting HTTP User-Agent headers for shell metacharacters, specifically a leading double-quote followed by a semicolon (e.g., `";`), which is the injection delimiter used in all known exploits against the Linksys WVBR0-25 web management portal.
- Alert on HTTP GET requests to the root URI `/` of Linksys WVBR0-25 devices where the User-Agent header contains shell injection patterns such as `";` or `" #` (comment terminator), as used by both the standalone PoC and the Metasploit module.
- The Metasploit check phase injects a random 8-character alpha string via User-Agent and looks for its MD5 hash in the response body (`res.body.to_s.include?(Rex::Text.md5(check_str))`). An MD5 hex string in the HTTP response body of a device management page is a strong indicator of successful exploitation.
- Shodan/internet-scan pivot: devices exposing the string `Vendor:LINKSYS ModelName:WVBR0-25-US` are the target population for this vulnerability and can be used to scope detection or hunting.
- The vulnerable code path surfaces injected commands inside the response body under the key `config.webui sys_cmd`. Monitor or log responses from the device management portal for this string as evidence of active exploitation.
- The vulnerability only affects Linksys WVBR0-25 firmware versions below 1.0.41 of the web management portal. Devices running 1.0.41 or later are not affected.
- No authentication is required to exploit this vulnerability; the injection endpoint is exposed on the unauthenticated web management portal, so network-level access alone is sufficient for exploitation.
- Successful exploitation yields code execution with root privileges, making post-exploitation impact maximal on affected devices.
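As an added, defender-side example (not code from this page or from any of the listed sources), the indicators above turned into detection logic and run over constructed HTTP access-log lines and a constructed portal response. The combined log format, the IP addresses, and the assumption that the logger writes the User-Agent verbatim are mine; the digest in the sample response is the one quoted by the public PoC.

```python
import re

# Shell-injection delimiters named in the detection notes: a closing double quote
# followed by ';' (command separator) or by ' #' (comment terminator).
UA_INJECTION = re.compile(r'"\s*;|"\s*#')
# The key the vulnerable code path echoes command output under, plus a 32-hex-digit
# MD5 (what the Metasploit check looks for in the response body).
SYS_CMD_KEY = "config.webui sys_cmd"
MD5_HEX = re.compile(r"\b[0-9a-f]{32}\b")
# Combined-log-format line; the last quoted field is the User-Agent, captured
# greedily so embedded quotes survive.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "(.*)"$')

# Constructed access-log lines (not real traffic); assumes the logger writes the
# User-Agent verbatim rather than escaping embedded quotes.
SAMPLE_LOG = "\n".join([
    '198.51.100.7 - - [01/Jan/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [01/Jan/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 640 "-" '
    '""; echo "admin"',
    '203.0.113.9 - - [01/Jan/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 640 "-" '
    '"" #"',
    '203.0.113.9 - - [01/Jan/2021:10:00:04 +0000] "GET /status HTTP/1.1" 200 128 "-" '
    '"curl/7.64.0"',
])
# Constructed portal response; the digest is the one the public PoC checks for.
SAMPLE_BODY = ("config.webui hostname WVBR0-25\n"
               "config.webui sys_cmd 456b7016a916a4b178dd72b947c152b7\n")


def flag_requests(log_text):
    """Return (src_ip, user_agent) for GET / requests whose User-Agent carries the
    injection delimiter; the benign Mozilla UA with its own ';' is not matched."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, method, path, _status, ua = m.groups()
        if method == "GET" and path == "/" and UA_INJECTION.search(ua):
            hits.append((ip, ua))
    return hits


def response_shows_execution(body):
    """True when a response line pairs the sys_cmd key with an MD5-looking digest,
    the signal a successful check or exploit leaves in the management page."""
    return any(SYS_CMD_KEY in ln and MD5_HEX.search(ln) for ln in body.splitlines())


if __name__ == "__main__":
    for ip, ua in flag_requests(SAMPLE_LOG):
        print("suspicious User-Agent from %s: %r" % (ip, ua))
    print("response indicates execution:", response_shows_execution(SAMPLE_BODY))
```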
CVSS provenance
- nvd v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- vulncheck: 9.8 CRITICAL
GHSA
GHSA-xp6v-frx8-276h · ghsa_unreviewed · 2022-05-14 · CWE-78 · CRITICAL
Title: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Linksys WVBR0
Description: identical to the NVD text above.
VulnCheck
vulncheck · 2017 · CVSS 9.8 · CRITICAL
Title: linksys wvbr0_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Description: identical to the NVD text above.
Affected: linksys wvbr0_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/n
No detection rules found.
Exploit-DB
exploitdb · 2018-01-04
Title: Linksys WVBR0-25 - User-Agent Command Execution (Metasploit)
Module source as captured (the extraction dropped the module header and part of the description; the snippet is shown as it survives):

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Linksys WVBR0-25 User-Agent Command Execution',
  'Description' => %q{
    The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to connect wireless Genie
    cable boxes to the Genie DVR, is vulnerable to OS command injection in version
  [
    'HeadlessZeke' # Vulnerability discovery and Metasploit module
  ],
  'License' => MSF_LICENSE,
  'References' =>
    [
      ['CVE', '2017-17411'],
      ['ZDI', '17-973'],
      ['URL', 'https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair']
    ],
  'DisclosureDate' => 'Dec 13 2017',
  'Privileged' => true,
```
Exploit-DB
exploitdb · 2017-12-14 · CVSS 9.8 · CRITICAL
Title: Linksys WVBR0 - 'User-Agent' Remote Command Injection
PoC source as captured (Python 2; the listing is truncated after the check function's second test):

```python
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Author: Nixawk
# CVE-2017-17411
# Linksys WVBR0 25 Command Injection
"""
$ python2.7 exploit-CVE-2017-17411.py
[*] Usage: python exploit-CVE-2017-17411.py
$ python2.7 exploit-CVE-2017-17411.py http://example.com/
[+] Target is exploitable by CVE-2017-17411
"""
import requests


def check(url):
    payload = '"; echo "admin'
    md5hash = "456b7016a916a4b178dd72b947c152b7"  # echo "admin" | md5sum
    resp = send_http_request(url, payload)
    if not resp:
        return False
    lines = resp.text.splitlines()
    sys_cmds = filter(lambda x: "config.webui sys_cmd" in x, lines)
    if not any([payload in sys_cmd for sys_cmd in sys_cmds]):
        return False
    if not any([md5hash in sys_cmd for sys_cmd in sys_cmds]):
        return
```
Metasploit
Title: Linksys WVBR0-25 User-Agent Command Execution
The Linksys WVBR0-25 Wireless Video Bridge, used by DirecTV to connect wireless Genie cable boxes to the Genie DVR, is vulnerable to OS command injection in version < 1.0.41 of the web management portal via the User-Agent header. Authentication is not required to exploit this vulnerability.
Unit42
blogs_unit42 · 2021-04-12 · CVSS 7.5 · HIGH (listed under CVE-2020-28188)
Title: Network Attack Trends: Internet of Threats (November 2020-January 2021)
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a deep dive into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Unit42 article metadata: authors Lei Xu, Yue Guan, Vaibhav Singhal; published April 12, 2021; tagged Malware, Trend Reports, Vulnerabilities, Botnet, DDoS, Exploit kit, IoT, Network security trends.
References
- http://www.securityfocus.com/bid/102212
- https://github.com/rapid7/metasploit-framework/pull/9336
- https://www.exploit-db.com/exploits/43363/
- https://www.exploit-db.com/exploits/43429/
- https://zerodayinitiative.com/advisories/ZDI-17-973