CVE-2018-5997
Published 2018-01-25
Priority: P2 76 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 23.95% (97.6th percentile)
An issue was discovered in the HTTP Server in RAVPower Filehub 2.000.056. Due to an unrestricted upload feature and a path traversal vulnerability, it is possible to upload a file on a filesystem with root privileges: this will lead to remote code execution as root.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ravpower | filehub_firmware | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to /upload.csp with a query parameter 'uploadpath' containing path traversal sequences (e.g., /etc, /etc/init.d); this is the unrestricted upload endpoint exploited for root RCE.
- Alert on inbound Telnet connections to non-standard port 1111 on RAVPower Filehub devices, which indicates successful backdoor deployment via this exploit.
- Detect file uploads targeting sensitive system paths via the uploadpath parameter in POST requests to /upload.csp, particularly targeting /etc/passwd or /etc/init.d/vstfunc.
- Detect modification of /etc/rc.d/rc to append telnetd startup commands, which establishes persistence of the backdoor across reboots.
- Look for the presence of a known backdoored passwd hash for root ($1$YBm5LfCo$5OEwLPLUu085z5EoDpQz7/) being uploaded to /etc/passwd on the device.
- The exploit targets RAVPower Filehub firmware version 2.000.056 specifically; the upload.csp path traversal and unrestricted upload may be patched in later firmware versions.
- The exploit requires a triggering event (SD card removal/insertion or another device event) to cause /etc/init.d/vstfunc to be re-executed after the malicious file is uploaded.
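The first and third checks in the list above can be run over HTTP access logs from a proxy or sensor in front of the device. The following is an added example, not code from this page or from any vendor; the log layout, the sample lines, the benign path and all function names are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: prefix list built from the paths named in the list above.
SENSITIVE_PREFIXES = ("/etc",)
# Assumption: common/combined access-log layout from a proxy or sensor.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines; the addresses and the benign path are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jan/2018:10:00:01 +0000] "POST /upload.csp?uploadpath=/data/Photos HTTP/1.1" 200 12',
    '192.0.2.66 - - [25/Jan/2018:10:02:11 +0000] "POST /upload.csp?uploadpath=/etc HTTP/1.1" 200 12',
    '192.0.2.66 - - [25/Jan/2018:10:02:15 +0000] "POST /upload.csp?uploadpath=%2Fetc%2Finit.d HTTP/1.1" 200 12',
    '192.0.2.66 - - [25/Jan/2018:10:02:19 +0000] "POST /upload.csp?uploadpath=/data/%252e%252e/%252e%252e/etc HTTP/1.1" 200 12',
    '192.0.2.10 - - [25/Jan/2018:10:05:40 +0000] "GET /upload.csp?uploadpath=/etc HTTP/1.1" 405 0',
]

def fully_unquote(value, rounds=3):
    """Percent-decode several times so double-encoded values are exposed."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify_uploadpath(raw):
    """Return a reason string if the uploadpath value is suspicious, else None."""
    path = fully_unquote(raw).replace("\\", "/")
    if ".." in path.split("/"):
        return "traversal sequence in uploadpath"
    normalized = posixpath.normpath("/" + path.lstrip("/"))
    for prefix in SENSITIVE_PREFIXES:
        if normalized == prefix or normalized.startswith(prefix + "/"):
            return f"uploadpath resolves to {normalized}"
    return None

def scan(lines):
    """Return (source, uploadpath, reason) for suspicious POSTs to /upload.csp."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if url.path.lower() != "/upload.csp":
            continue
        for raw in parse_qs(url.query).get("uploadpath", []):
            reason = classify_uploadpath(raw)
            if reason:
                findings.append((m["src"], raw, reason))
    return findings
```

Calling `scan(SAMPLE_LOG)` flags the three POST requests from 192.0.2.66 and ignores the benign upload and the GET request.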
CVSS provenance
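| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |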