CVE-2017-5173
Published: 2017-05-19
Priority: P186 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 29.58% (98.0th percentile)
An Improper Neutralization of Special Elements (in an OS command) issue was discovered in Geutebruck IP Camera G-Cam/EFD-2250 Version 1.11.0.12. An improper neutralization of special elements vulnerability has been identified. If special elements are not properly neutralized, an attacker can call multiple parameters that can allow access to the root level operating system which could allow remote code execution.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geutebrueck | ip_camera_g-cam_efd-2250_firmware | — | — |
Detection & IOCs (extracted from sources)

snort:

```snort
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Geutebruck Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/testaction.cgi"; endswith; http.header; content:"ip|3a 20|eth0|20|1.1.1.1|3b|"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-5173; classtype:attempted-admin; sid:2027458; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, updated_at 2020_09_17, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
```

snort:

```snort
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Geutebruck Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/testaction.cgi"; endswith; http.header; content:"ip|3a 20|eth0|20|1.1.1.1|3b|"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-5173; classtype:attempted-admin; sid:2027459; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, updated_at 2020_09_17, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
```

bytes (the header content match used by both rules): `ip|3a 20|eth0|20|1.1.1.1|3b|`
- Exploit is delivered via HTTP POST to the /uapi-cgi/viewer/testaction.cgi endpoint; the injection occurs in the 'ip' POST parameter, using a semicolon to chain OS commands (e.g., 'eth0 1.1.1.1;<payload>').
- No authentication is required to exploit this vulnerability; the endpoint is accessible anonymously and executes commands with root privileges.
- This exploit has been observed in the wild as part of Mirai botnet variants targeting IoT devices; monitor for POST requests to /testaction.cgi with the header pattern 'ip: eth0 1.1.1.1;'.
- Payload compatibility requires 'generic netcat bash' command types on a Unix/ARCH_CMD platform, indicating that shell-based reverse/bind shell payloads are the expected attack vector.
- The Snort/ET rules carry 'confidence Low' metadata, meaning they may produce false positives or miss variants that alter the injected IP address or interface name from the hardcoded 'eth0 1.1.1.1' pattern.
- The affected firmware version is specifically G-Cam/EFD-2250 Version 1.11.0.12; detections should be scoped to devices running this firmware version.
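As an added example (not code from this page's sources or from the ET ruleset), the match logic of the two ET rules above written out in Python over raw HTTP requests, together with the broader check the 'confidence Low' note asks for: a POST to /testaction.cgi whose 'ip' header carries a shell separator, whatever interface name or address it uses. The sample requests and the PLACEHOLDER_CMD token are constructed.

```python
import re

# Literal bytes the ET signatures match in the header buffer:
# ip|3a 20|eth0|20|1.1.1.1|3b|  ==  b"ip: eth0 1.1.1.1;"
ET_PATTERN = b"ip: eth0 1.1.1.1;"
# Shell separators; a legitimate 'ip' value such as "eth0 192.0.2.10" has none of them.
SHELL_META = re.compile(rb"[;|&`$\n]")

def parse_request(raw: bytes):
    """Return (method, uri, header_block, headers) from a raw CRLF-framed request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    method, uri = (parts + [b"", b""])[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, head, headers

def classify(raw: bytes) -> str:
    """'signature' = the ET rule would fire; 'variant' = same injection shape but a
    different interface/IP, which the literal rule misses; otherwise 'clean'."""
    method, uri, head, headers = parse_request(raw)
    if method != b"POST" or not uri.endswith(b"/testaction.cgi"):
        return "clean"
    if ET_PATTERN in head:
        return "signature"
    if SHELL_META.search(headers.get(b"ip", b"")):
        return "variant"
    return "clean"

# Constructed sample requests (not real captures); PLACEHOLDER_CMD stands in for
# whatever would be chained after the ';'.
SAMPLES = {
    "signature": b"POST /uapi-cgi/viewer/testaction.cgi HTTP/1.1\r\nHost: cam\r\n"
                 b"ip: eth0 1.1.1.1;PLACEHOLDER_CMD\r\nContent-Length: 0\r\n\r\n",
    "variant":   b"POST /uapi-cgi/viewer/testaction.cgi HTTP/1.1\r\nHost: cam\r\n"
                 b"ip: eth1 10.0.0.5;PLACEHOLDER_CMD\r\nContent-Length: 0\r\n\r\n",
    "clean":     b"POST /uapi-cgi/viewer/testaction.cgi HTTP/1.1\r\nHost: cam\r\n"
                 b"ip: eth0 192.0.2.10\r\nContent-Length: 0\r\n\r\n",
    "other":     b"GET /index.html HTTP/1.1\r\nHost: cam\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:>9}: {classify(req)}")
```

The 'variant' branch is deliberately looser than the ET content match, so it is the one to tune against your own traffic before alerting on it.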
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
CISA ICS
Geutebrück IP Cameras
cisa_ics · 2017-02-14
ICS Advisory
## Geutebrück IP Cameras
Last Revised: February 14, 2017
Alert Code: ICSA-17-045-02
## CVSS v3 9.8
ATTENTION: Remotely exploitable/low skill level to exploit
Vendor: Geutebrück
Equipment: IP Cameras
Vulnerabilities: Authentication Bypass and Improper Neutralization of Special Elements
## AFFECTED PRODUCTS
The following Geutebrück G-Cam IP camera version is affected:
- G-Cam/EFD-2250 Version 1.11.0.12
## IMPACT
Successful exploitation of these vulnerabilities could allow the attacker to bypass authentication and obtain remote anonymous access to the device; these vulnerabilities
GHSA
GHSA-34rc-844x-w698
ghsa_unreviewed · 2022-05-13
CVE-2017-5173 [CRITICAL] CWE-78
An Improper Neutralization of Special Elements (in an OS command) issue was discovered in Geutebruck IP Camera G-Cam/EFD-2250 Version 1.11.0.12. An improper neutralization of special elements vulnerability has been identified. If special elements are not properly neutralized, an attacker can call multiple parameters that can allow access to the root level operating system which could allow remote code execution.
VulnCheck
geutebruck ip_camera_g-cam_efd-2250_firmware: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2017 · CVSS 9.8
CVE-2017-5173 [CRITICAL]
An Improper Neutralization of Special Elements (in an OS command) issue was discovered in Geutebruck IP Camera G-Cam/EFD-2250 Version 1.11.0.12. An improper neutralization of special elements vulnerability has been identified. If special elements are not properly neutralized, an attacker can call multiple parameters that can allow access to the root level operating system which could allow remote code execution.
Affected: geutebruck ip_camera_g-cam_efd-2250_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://
Suricata
ET EXPLOIT Geutebruck Attempted Remote Command Injection Outbound
suricata · 2019-06-11 · CVSS 9.8
CVE-2017-5173 [CRITICAL]

Rule:

```suricata
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Geutebruck Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/testaction.cgi"; endswith; http.header; content:"ip|3a 20|eth0|20|1.1.1.1|3b|"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-5173; classtype:attempted-admin; sid:2027458; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, updated_at 2020_09_17, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1
```
Suricata
ET EXPLOIT Geutebruck Attempted Remote Command Injection Inbound
suricata · 2019-06-11 · CVSS 9.8
CVE-2017-5173 [CRITICAL]

Rule:

```suricata
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Geutebruck Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/testaction.cgi"; endswith; http.header; content:"ip|3a 20|eth0|20|1.1.1.1|3b|"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-5173; classtype:attempted-admin; sid:2027459; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, updated_at 2020_09_17, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T121
```
Unit42
Mirai Variant V3G4 Targets IoT Devices
blogs_unit42 · 2023-02-15 · CVSS 7.5
[HIGH] Mirai Variant V3G4 Targets IoT Devices
Threat Research Center · Threat Research · Vulnerabilities
## Mirai Variant V3G4 Targets IoT Devices
Authors: Chao Lei, Zhibin Zhang, Cecilia Hu, Aveek Das
Published: February 15, 2023
Tags: Threat Research, Vulnerabilities, Botnet, IoT Vulnerability, Mirai variant, V3G4
## Content Warning
We are providing a content warning because the following contains usage of a racial slur by a threat actor, which is not condoned in any instance by Unit 42. Unit 42 has partially redacted the racial slur to provide researchers with the ability to identify it and check IoCs as needed.
## Executive Summary
From July to December 2022, Unit 42 researchers observed a Mirai variant called V3G4, which was leveraging several vulnerabilities to spread itself. The vulnerabilities exploited include the following:
- CVE-2012-4869: FreePBX Elastix Remote Command Execution Vulnerability
- Gitorious Remote Command Execution Vulnerability
- CVE-2014-9727: FRITZ!Box Webcam Remote Command Execution Vulnerability
- Mitel AWC Remote Command Execution Vulnerability
- CVE-2017-5173: Geut