CVE-2017-17867
Published 2018-01-04
Priority: P2 64, high, 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 11.07% (95.4th percentile)
Inteno iopsys 2.0-3.14 and 4.0 devices allow remote authenticated users to execute arbitrary OS commands by modifying the leasetrigger field in the odhcpd configuration to specify an arbitrary program, as demonstrated by a program located on an SMB share. This issue existed because the /etc/uci-defaults directory was not being used to secure the OpenWrt configuration.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| intenogroup | iopsys | — | — |
| intenogroup | iopsys | 2.0 – 3.14 | — |
Detection & IOCs (extracted from sources)
other: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAkQMU/2HyXNEJ8gZbkxrvLnpSZ4Xz+Wf3QhxXdQ5blDI5IvDkoS4jHoi5XKYHevz8YiaX8UYC7cOBrJ1udp/YcuC4GWVV5TET449OsHBD64tgOSV+3s5r/AJrT8zefJbdc13Fx/Bnk+bovwNS2OTkT/IqYgy9n+fKKkSCjQVMdTTrRZQC0RpZ/JGsv2SeDf/iHRa71keIEpO69VZqPjPVFQfj1QWOHdbTRQwbv0MJm5rt8WTKtS4XxlotF+E6Wip1hbB/e+y64GJEUzOjT6BGooMu/FELCvIs2Nhp25ziRrfaLKQY1XzXWaLo4aPvVq05GStHmTxb+r+WiXvaRv1cbQ== rsa-key-20170427
- Detect ubus JSON-RPC WebSocket authentication requests using the null session token (32 zeros) targeting the 'session/login' method — characteristic of the exploit's initial authentication step.
- Monitor for UCI configuration changes setting 'leasetrigger' in the 'dhcp/odhcpd' config to a path under /mnt/ (SMB-mounted share), which is the core exploitation primitive.
- Alert on creation of a Samba share named 'pwned' with guest_ok=yes and path=/mnt/ via ubus UCI calls — this is the staging step used to deliver the payload.
- Monitor for rapid stop/start of the odhcpd service via juci.service ubus calls immediately after a leasetrigger configuration change — this is how the attacker triggers payload execution.
- Detect WebSocket connections using the 'Sec-WebSocket-Protocol: ubus-json' header to port 80 or 8080 on Inteno iopsys devices, especially when followed by UCI set/commit calls.
- Flag ubus calls to 'juci.system/reboot' immediately following UCI dhcp config commits — the exploit reboots the device to persist the malicious leasetrigger configuration.
- The vulnerability exists specifically because /etc/uci-defaults was not used to secure the OpenWrt configuration, allowing authenticated users to arbitrarily modify odhcpd's leasetrigger field.
- Exploitation requires remote authenticated access — the attacker must have valid credentials (e.g., default 'user'/'password') to the device's ubus WebSocket interface.
- The payload is delivered via an SMB share mounted on the router itself (/mnt/), requiring the attacker to enable and write to a guest-accessible Samba share on the target device.
- Affected versions are Inteno iopsys 2.0–3.14 and 4.0; the exploit targets the default gateway IP 192.168.1.1 and polls port 8080 for post-reboot availability.
CVSS provenance
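| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |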
References
- http://public.inteno.se/?p=feed-inteno-openwrt.git%3Ba=commit%3Bh=efcc985a721107e72a66da4db66891ec54441998
- https://neonsea.uk/blog/2017/12/23/rce-inteno-iopsys.html
- https://www.exploit-db.com/exploits/43428/
Published: 2018-01-04