CVE-2017-6526
Published 2017-03-09
Priority: P277 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 57.40% (99.0th percentile)
An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vulnerable to unauthenticated command execution through an improperly protected administrative web shell (cgi-bin/dna/sysAdmin.cgi POST requests).
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dnatools | dnalims | — | — |
Detection & IOCs (extracted from sources)
- Alert on unauthenticated HTTP POST requests to cgi-bin/dna/sysAdmin.cgi: GET requests require authentication, but POST requests bypass all authentication checks, enabling direct OS command execution as the web user.
- Monitor HTTP GET requests to viewAppletFsa.cgi with a seqID parameter containing null bytes or directory traversal sequences (e.g., '../'), indicating exploitation of the CVE-2017-6527 path traversal.
- Detect attempts to retrieve the cleartext password file via directory traversal targeting /home/dna/spool/.pfile through viewAppletFsa.cgi.
- Flag unauthenticated access to admin CGI pages (configuration.cgi, createCoInfo.cgi, configSystem.cgi, combineAcctsN.cgi), which should require authentication but are improperly protected.
- Detect session hijacking attempts against seqreq2N.cgi by monitoring for requests where the username parameter contains a guessed or sequential four-digit UID without a valid session identifier prefix.
- Note: The cleartext password storage is described as likely the default configuration, meaning most deployments are exposed to credential theft via directory traversal without any additional attacker effort.
- Note: The seqTableSS.cgi XSS vector is client/install-specific: the wildcard segment of the filename reflects a short name for the customer organization, so the vulnerable path varies per deployment.
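The first two detection items above, as an added example run over constructed access-log lines (not code from the advisory, the vendor, or this site). It assumes Apache-style combined logs and a /cgi-bin/dna/ location for viewAppletFsa.cgi; because an access log does not record application login state, it flags every POST to sysAdmin.cgi for review.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined access-log layout (an assumption; the page names no log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return a finding label for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = unquote(parts.path).lower()
    # CVE-2017-6526: POST to the admin web shell skips the authentication check.
    if m["method"] == "POST" and path.endswith("/cgi-bin/dna/sysadmin.cgi"):
        return "CVE-2017-6526 sysAdmin.cgi POST"
    # CVE-2017-6527: traversal sequence or null byte in seqID.
    if m["method"] == "GET" and path.endswith("/viewappletfsa.cgi"):
        for value in parse_qs(parts.query, keep_blank_values=True).get("seqID", []):
            decoded = unquote(value)  # second decode catches double-encoded input
            if "../" in decoded or "\x00" in decoded:
                return "CVE-2017-6527 viewAppletFsa.cgi traversal"
    return None

def scan(lines):
    """Return (client_ip, finding) pairs for every flagged line."""
    hits = []
    for line in lines:
        label = classify(line)
        if label:
            hits.append((LOG_RE.match(line)["ip"], label))
    return hits

# Constructed sample lines (documentation IP ranges, made-up sizes and statuses).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2017:10:00:01 +0000] "GET /cgi-bin/dna/sysAdmin.cgi HTTP/1.1" 401 381 "-" "-"',
    '198.51.100.7 - - [10/Mar/2017:10:00:05 +0000] "POST /cgi-bin/dna/sysAdmin.cgi HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [10/Mar/2017:10:00:09 +0000] "GET /cgi-bin/dna/viewAppletFsa.cgi?seqID=..%2F..%2Fexample%00 HTTP/1.1" 200 77 "-" "-"',
    '192.0.2.10 - - [10/Mar/2017:10:00:12 +0000] "GET /cgi-bin/dna/viewAppletFsa.cgi?seqID=1042 HTTP/1.1" 200 9000 "-" "-"',
]

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE_LOG):
        print(ip, finding)
```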
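CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |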
No detection rules found.
Exploit-DB
dnaLIMS DNA Sequencing - Directory Traversal / Session Hijacking / Cross-Site Scripting
exploitdb · 2017-03-10 · CVSS 9.8
CVE-2017-6529 [CRITICAL] dnaLIMS DNA Sequencing - Directory Traversal / Session Hijacking / Cross-Site Scripting
---
Title: Multiple vulnerabilities discovered in dnaLIMS DNA sequencing
web-application
Advisory URL: https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/
Date published: Mar 08, 2017
Vendor: dnaTools, Inc.
CVE IDs: [2017-6526, 2017-6527, 2017-6528, 2017-6529]
USCERT VU: 929263
Vulnerability Summaries
1) Improperly protected web shell [CVE-2017-6526]
dnaLIMS requires authentication to view cgi-bin/dna/sysAdmin.cgi, which is
a web shell included with the software running as the web user. However,
sending a POST request to that page bypasses authentication checks,
including the UID parameter within the POST request.
2) Unauthenticated Directory Traversal [CVE-2017-6527]
Metasploit
dnaLIMS Admin Module Command Execution
metasploit
This module utilizes an administrative module which allows for command execution. This page is completely unprotected from any authentication when given a POST request.
No writeups or analysis indexed.
- http://www.securityfocus.com/bid/96823
- https://www.exploit-db.com/exploits/41578/
- https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/

Published: 2017-03-09