CVE-2017-17867
published 2018-01-04

Priority: P2 · 64 · high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 11.07% (95.4th percentile)

Inteno iopsys 2.0-3.14 and 4.0 devices allow remote authenticated users to execute arbitrary OS commands by modifying the leasetrigger field in the odhcpd configuration to specify an arbitrary program, as demonstrated by a program located on an SMB share. This issue existed because the /etc/uci-defaults directory was not being used to secure the OpenWrt configuration.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
intenogroup | iopsys | |
intenogroup | iopsys | 2.0 – 3.14 |

Detection & IOCs (extracted from sources)

url: ws://192.168.1.1
port: 8080
path: /mnt/pwn.sh
path: /etc/dropbear/authorized_keys
path: /mnt/
filename: pwn.sh
filename: .payload.tmp
other: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAkQMU/2HyXNEJ8gZbkxrvLnpSZ4Xz+Wf3QhxXdQ5blDI5IvDkoS4jHoi5XKYHevz8YiaX8UYC7cOBrJ1udp/YcuC4GWVV5TET449OsHBD64tgOSV+3s5r/AJrT8zefJbdc13Fx/Bnk+bovwNS2OTkT/IqYgy9n+fKKkSCjQVMdTTrRZQC0RpZ/JGsv2SeDf/iHRa71keIEpO69VZqPjPVFQfj1QWOHdbTRQwbv0MJm5rt8WTKtS4XxlotF+E6Wip1hbB/e+y64GJEUzOjT6BGooMu/FELCvIs2Nhp25ziRrfaLKQY1XzXWaLo4aPvVq05GStHmTxb+r+WiXvaRv1cbQ== rsa-key-20170427
command: smbclient \\\\<host>\\pwned p -c 'put <payload> pwn.sh'
other: Sec-WebSocket-Protocol: ubus-json
other: 00000000000000000000000000000000
  • Detect ubus JSON-RPC WebSocket authentication requests using the null session token (32 zeros) targeting the 'session/login' method — characteristic of the exploit's initial authentication step.
  • Monitor for UCI configuration changes setting 'leasetrigger' in the 'dhcp/odhcpd' config to a path under /mnt/ (SMB-mounted share), which is the core exploitation primitive.
  • Alert on creation of a Samba share named 'pwned' with guest_ok=yes and path=/mnt/ via ubus UCI calls — this is the staging step used to deliver the payload.
  • Monitor for rapid stop/start of the odhcpd service via juci.service ubus calls immediately after a leasetrigger configuration change — this is how the attacker triggers payload execution.
  • Detect WebSocket connections using the 'Sec-WebSocket-Protocol: ubus-json' header to port 80 or 8080 on Inteno iopsys devices, especially when followed by UCI set/commit calls.
  • Flag ubus calls to 'juci.system/reboot' immediately following UCI dhcp config commits — the exploit reboots the device to persist the malicious leasetrigger configuration.
  • The vulnerability exists specifically because /etc/uci-defaults was not used to secure the OpenWrt configuration, allowing authenticated users to arbitrarily modify odhcpd's leasetrigger field.
  • Exploitation requires remote authenticated access — the attacker must have valid credentials (e.g., default 'user'/'password') to the device's ubus WebSocket interface.
  • The payload is delivered via an SMB share mounted on the router itself (/mnt/), requiring the attacker to enable and write to a guest-accessible Samba share on the target device.
  • Affected versions are Inteno iopsys 2.0–3.14 and 4.0; the exploit targets the default gateway IP 192.168.1.1 and polls port 8080 for post-reboot availability.

CVSS provenance

nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C