cbcvebase.
CVE-2017-9833
published 2017-06-24

CVE-2017-9833: /cgi-bin/wapopen in Boa 0.94.14rc21 allows the injection of "../.." using the FILECAMERA variable (sent by GET) to read files with root privileges. NOTE…

PriorityP182high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
67.73%
99.2th percentile
/cgi-bin/wapopen in Boa 0.94.14rc21 allows the injection of "../.." using the FILECAMERA variable (sent by GET) to read files with root privileges. NOTE: multiple third parties report that this is a system-integrator issue (e.g., a vulnerability on one type of camera) because Boa does not include any wapopen program or any code to read a FILECAMERA variable.

Affected

1 ranges
VendorProductVersion rangeFixed in
boaboa

Detection & IOCsextracted from sources · hover to see the quote

url/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/passwd%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0
url/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/shadow%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0
path/cgi-bin/wapopen
  • Detect path traversal attempts targeting the FILECAMERA GET parameter in requests to /cgi-bin/wapopen, specifically looking for '../..' sequences and null byte (%00) termination.
  • Alert on HTTP GET requests to /cgi-bin/wapopen containing FILECAMERA=../../etc/passwd%00 or FILECAMERA=../../etc/shadow%00 in the query string.
  • A successful exploitation response will contain the string matching 'root:[x*]:0:0' (passwd/shadow file content) with HTTP 200 status.
  • ·This vulnerability is a system-integrator issue specific to camera firmware that bundles the wapopen CGI script with Boa; the Boa web server itself does not include wapopen or handle the FILECAMERA variable natively.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.07.8HIGHAV:N/AC:L/Au:N/C:C/I:N/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.