CVE-2017-18377
Published: 2019-06-11
Priority: P1 79 · critical · CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: VulnCheck KEV (exploited in the wild)
EPSS: 6.37% (92.8th percentile)
An issue was discovered on Wireless IP Camera (P2P) WIFICAM cameras. There is Command Injection in the set_ftp.cgi script via shell metacharacters in the pwd variable, as demonstrated by a set_ftp.cgi?svr=192.168.1.1&port=21&user=ftp URI.
Detection & IOCs (extracted from sources)
IOC path: /upgrade_handle.php?cmd=writeuploaddir&uploaddir=
Snort/Suricata rule:
```snort
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear ReadyNAS Surveillance Unauthenticated Remote Command Execution"; flow:established,to_server; http.uri; content:"/upgrade_handle.php?cmd=writeuploaddir&uploaddir="; startswith; reference:url,blogs.securiteam.com/index.php/archives/3409; reference:cve,CVE-2017-18377; classtype:attempted-recon; sid:2024914; rev:4; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2024_03_07;)
```
- Monitor HTTP requests to set_ftp.cgi containing shell metacharacters in the 'pwd' variable, which is the injection point for command execution on Wireless IP Camera (P2P) WIFICAM devices.
- Detect inbound HTTP requests where the URI starts with /upgrade_handle.php?cmd=writeuploaddir&uploaddir= targeting IoT devices on the home network; this is the Netgear ReadyNAS Surveillance unauthenticated RCE vector.
- The ET rule (sid:2024914) is classified as attempted-recon with Major severity and is recommended for Perimeter deployment against IoT targets.
- The CVE description references Wireless IP Camera (P2P) WIFICAM devices, but the ET Snort rule (sid:2024914) is attributed to Netgear ReadyNAS Surveillance. Both share this CVE identifier, so ensure detection scope covers both device families.
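As an added example (not part of this record or of the ET rule set), a small Python scanner that applies both detection ideas above to web access-log lines; the log format, client addresses and request targets are constructed for the demo.

```python
# Added example: flag the two request shapes described above in access-log lines.
# Log lines, addresses and the log format are constructed assumptions, not real data.
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Shell metacharacters that have no business in an FTP password parameter.
SHELL_META = set(";|&`$<>\n\r")
# URI prefix matched by ET sid:2024914 (Netgear ReadyNAS Surveillance).
READYNAS_PREFIX = "/upgrade_handle.php?cmd=writeuploaddir&uploaddir="

# Constructed sample lines: client, method, request target.
SAMPLE_LOG = """\
10.0.0.5 GET /set_ftp.cgi?svr=192.168.1.1&port=21&user=ftp&pwd=hunter2
203.0.113.9 GET /set_ftp.cgi?svr=192.168.1.1&port=21&user=ftp&pwd=x%3Bls
203.0.113.9 GET /upgrade_handle.php?cmd=writeuploaddir&uploaddir=%2Ftmp
10.0.0.7 GET /index.html
"""

LINE_RE = re.compile(r"^(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)")

def query_values(query: str, name: str):
    """Decode values of one query parameter; split only on '&' so ';' stays visible."""
    out = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            out.append(unquote_plus(value))
    return out

def classify_request(target: str):
    """Return a finding label for a request target, or None if it looks benign."""
    if target.startswith(READYNAS_PREFIX) or unquote(target).startswith(READYNAS_PREFIX):
        return "readynas-upgrade_handle"
    parts = urlsplit(target)
    if parts.path.endswith("/set_ftp.cgi"):
        # Inspect the decoded pwd value(s) for shell metacharacters.
        for pwd in query_values(parts.query, "pwd"):
            if SHELL_META & set(pwd):
                return "wificam-set_ftp-pwd-metachar"
    return None

def scan_log(text: str):
    """Return (line number, client, label) for every suspicious request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m and (kind := classify_request(m.group("target"))):
            findings.append((lineno, m.group("src"), kind))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```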
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.8 | CRITICAL | |
GHSA
GHSA-jw73-g5p2-f7qc: An issue was discovered on Wireless IP Camera (P2P) WIFICAM cameras
ghsa_unreviewed · 2022-05-24 · CVE-2017-18377 [CRITICAL] · CWE-77
An issue was discovered on Wireless IP Camera (P2P) WIFICAM cameras. There is Command Injection in the set_ftp.cgi script via shell metacharacters in the pwd variable, as demonstrated by a set_ftp.cgi?svr=192.168.1.1&port=21&user=ftp URI.
VulnCheck
goahead wireless_ip_camera_wificam_firmware: Improper Neutralization of Special Elements used in a Command ('Command Injection')
vulncheck · 2017 · CVSS 9.8 · CVE-2017-18377 [CRITICAL]
An issue was discovered on Wireless IP Camera (P2P) WIFICAM cameras. There is Command Injection in the set_ftp.cgi script via shell metacharacters in the pwd variable, as demonstrated by a set_ftp.cgi?svr=192.168.1.1&port=21&user=ftp URI.
Affected: goahead wireless_ip_camera_wificam_firmware
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.akamai.com/blog/security/latest-echobot-26-infection-vectors; https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/; https://www.researchgate.net/publication/348602
Suricata
ET EXPLOIT Netgear ReadyNAS Surveillance Unauthenticated Remote Command Execution
suricata · 2017-10-25 · CVSS 9.8 · CVE-2017-18377 [CRITICAL]
Rule: sid:2024914, rev:4 (the full rule text is listed under Detection & IOCs above)
No public exploits indexed.
Unit42
Two New IoT Vulnerabilities Identified with Mirai Payloads
blogs_unit42 · 2020-10-14
## Two New IoT Vulnerabilities Identified with Mirai Payloads
Ken Hsu, Yue Guan, Vaibhav Singhal, Qi Deng
Published: October 14, 2020
Tags: Threat Research, Vulnerabilities, IoT, Mirai
## Executive Summary
Palo Alto Networks is proactively trying to safeguard its customers from attacks however possible. By leveraging its Next-Generation Firewall as sensors on the perimeter to detect malicious payloads and attack patterns, Unit 42 researchers are able to hunt down the menaces out there on the network, be they known or not.
Unit 42 researchers have taken a closer look at four Mirai variants from two recently discovered campaigns leveraging command injection vulnerability exploits that reveal a familiar IoT attack pattern.
While this generic approach allows researchers to observe the entire killchain and even acquire the malware binary from the attack, this post-exploitation heuristic does have its caveat: the traffic fingerprinting. Similar services yield similar traffi