cbcvebase.
CVE-2018-5997
published 2018-01-25


Priority: P276 · critical · CVSS 3.0 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 23.95% (97.6th percentile)
An issue was discovered in the HTTP Server in RAVPower Filehub 2.000.056. Due to an unrestricted upload feature and a path traversal vulnerability, it is possible to upload a file on a filesystem with root privileges: this will lead to remote code execution as root.

Affected (1 range)

Vendor: ravpower
Product: filehub_firmware
Version range: (not listed on this page)
Fixed in: (not listed on this page)

Detection & IOCs (extracted from sources)

url: http://<host>:80/upload.csp?uploadpath=/etc&file=1515865637281
path: /upload.csp
path: /etc/passwd
path: /etc/init.d/vstfunc
path: /etc/rc.d/rc
command: /usr/sbin/telnetd -p 1111 &
command: /usr/sbin/telnetd &
port: 1111
command: /usr/sbin/etc_tools p
  • Monitor POST requests to /upload.csp whose uploadpath query parameter points outside the intended upload location, in particular at system directories such as /etc or /etc/init.d. The public exploit passes the absolute path /etc directly, so a traversal sequence (../) is not required; any value that normalises to a path outside the upload root should be treated the same way. This is the unrestricted upload endpoint used for root RCE.
  • Alert on inbound Telnet connections to non-standard port 1111 on RAVPower Filehub devices. The exploit starts /usr/sbin/telnetd -p 1111 as its backdoor, so a listener on that port indicates successful deployment.
  • Detect uploads that overwrite sensitive files via the uploadpath parameter, particularly /etc/passwd and /etc/init.d/vstfunc.
  • Detect modification of /etc/rc.d/rc to append a telnetd startup command, which gives the backdoor persistence across reboots.
  • Look for the root password hash used by the public exploit ($1$YBm5LfCo$5OEwLPLUu085z5EoDpQz7/) in an /etc/passwd uploaded to the device.
  • The exploit targets RAVPower Filehub firmware version 2.000.056 specifically; the upload.csp path traversal and unrestricted upload may be patched in later firmware versions.
  • The exploit requires a triggering event (SD card removal/insertion or another device event) to cause /etc/init.d/vstfunc to be re-executed after the malicious file is uploaded.
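The detection bullets above can be turned into a small scanner. The following is an added example written for this page, not code from cbcvebase, RAVPower or the public exploit: it assumes an Apache-style access log, an upload root of /data (the real Filehub storage path is not stated on this page), and constructed sample requests. The containment check in resolve_upload_path is the same check a fixed upload handler would apply server-side, so the scanner flags exactly the uploadpath values a hardened handler would reject, whether passed as an absolute path (as the exploit does) or as an encoded ../ sequence.

```python
"""Detection helpers for CVE-2018-5997-style upload/path-traversal abuse.

Added example, not code from the cbcvebase page, RAVPower or the exploit.
Assumptions: legitimate uploads live under ALLOWED_UPLOAD_ROOT, and the web
log is in combined log format. SAMPLE_LOG below is constructed, not captured.
"""
import posixpath
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

ALLOWED_UPLOAD_ROOT = "/data"  # assumed storage mount, not from the page

# Root password hash carried by the public exploit (from the page's IOC list).
EXPLOIT_ROOT_HASH = "$1$YBm5LfCo$5OEwLPLUu085z5EoDpQz7/"
BACKDOOR_TELNET_PORT = 1111

# Request portion of a combined-log-format line: method, target, status.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def resolve_upload_path(uploadpath: str, root: str = ALLOWED_UPLOAD_ROOT) -> Optional[str]:
    """Return the normalised path if it stays under `root`, else None.

    Decodes (twice, to catch %252e double-encoding), anchors relative input
    under the root, collapses dot-segments, then checks containment with a
    trailing-slash prefix so "/database" is not mistaken for "/data".
    """
    decoded = unquote(unquote(uploadpath))
    if not decoded.startswith("/"):
        decoded = posixpath.join(root, decoded)
    normalised = posixpath.normpath(decoded)
    if normalised == root or normalised.startswith(root.rstrip("/") + "/"):
        return normalised
    return None


def analyse_request(line: str) -> Optional[dict]:
    """Flag a POST to /upload.csp whose uploadpath escapes the upload root."""
    m = LOG_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/upload.csp":
        return None
    for raw in parse_qs(parts.query).get("uploadpath", []):
        if resolve_upload_path(raw) is None:
            return {"rule": "upload_outside_root", "method": m.group("method"),
                    "uploadpath": raw, "status": m.group("status")}
    return None


def scan_log(lines) -> list:
    """Run analyse_request over every line and keep the findings."""
    return [f for f in (analyse_request(ln) for ln in lines) if f]


def passwd_contains_exploit_hash(passwd_text: str) -> bool:
    """True if an /etc/passwd dump carries the exploit's root hash."""
    return any(EXPLOIT_ROOT_HASH in ln for ln in passwd_text.splitlines())


def rc_starts_telnetd(rc_text: str) -> bool:
    """True if an init script (e.g. /etc/rc.d/rc) launches telnetd (persistence)."""
    return any(re.search(r"\btelnetd\b", ln) and not ln.lstrip().startswith("#")
               for ln in rc_text.splitlines())


# Constructed sample lines: one benign upload, two abusive ones, one unrelated.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jan/2018:10:00:00 +0000] "POST /upload.csp?uploadpath=/data/photos&file=1515865637000 HTTP/1.1" 200 12',
    '198.51.100.7 - - [25/Jan/2018:10:00:05 +0000] "POST /upload.csp?uploadpath=/etc&file=1515865637281 HTTP/1.1" 200 12',
    '198.51.100.7 - - [25/Jan/2018:10:00:09 +0000] "POST /upload.csp?uploadpath=photos%2F..%2F..%2Fetc%2Finit.d&file=1 HTTP/1.1" 200 12',
    '192.0.2.10 - - [25/Jan/2018:10:01:00 +0000] "GET /index.csp HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run stand-alone it prints the two abusive requests; the hash and rc checks are meant to be fed file contents pulled from a device image or a network share, and the telnet-port check belongs in the flow or firewall layer rather than in the web log.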

CVSS provenance

NVD · CVSS v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD · CVSS v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C