CVE-2019-7267
published 2019-07-02

CVE-2019-7267: Linear eMerge 50P/5000P devices allow Cookie Path Traversal.

Priority P269, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 21.45% (97.3th percentile)

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| nortekcontrol | linear_emerge_5000p_firmware | <= 4.6.07 | |
| nortekcontrol | linear_emerge_50p_firmware | <= 4.6.07 | |

Detection & IOCs (extracted from sources)

cookie: .sessionId=../web/upload/system/backup.upg
path: /cgi-bin/websrunnings.cgi
path: /cgi-bin/uplsysupdate.cgi
path: /usr/local/s2/web/upload/system/backup.upg
path: /usr/local/s2/web/upload/pics/shell.jpg
path: /usr/local/s2/web/cgi-bin/websrunnings.cgi
url: /goform/saveS2ConfVals
url: /goform/restarts2Conf
url: /person/upload/
url: /frameset/
cookie: Cookie: sudo <command>
filename: shell.jpg
filename: backup.upg
command: timeserver1=a.a%24%28bash%3C%2Fusr%2Flocal%2Fs2%2Fweb%2Fupload%2Fpics%2Fshell.jpg%29

  • Detect path traversal in the Cookie header's sessionId value — look for '../' sequences in the .sessionId cookie field targeting session file paths outside the session directory.
  • Monitor for unauthenticated POST requests to /cgi-bin/uplsysupdate.cgi, which is the firmware upgrade upload endpoint exploited to upload arbitrary files without authentication.
  • Alert on HTTP requests to /cgi-bin/websrunnings.cgi — this CGI is created by the exploit as a backdoor web shell that executes OS commands passed via the Cookie header.
  • Detect command injection in the NTP timeserver configuration parameter: look for POST to /goform/saveS2ConfVals with shell metacharacters (e.g., URL-encoded '$(' or 'bash<') in the timeserver1 field.
  • Flag file uploads to /person/upload/ where the uploaded file has a .jpg extension but contains shell script content — the exploit disguises a shell script as shell.jpg.
  • Monitor for POST to /goform/restarts2Conf with changeNetwork=1, which triggers a device reboot as part of the exploit chain to execute the injected startup script.
  • The vulnerability allows a remote attacker to send a specially crafted HTTP request abusing the Cookie header value traversing to an arbitrary session file that bypasses authentication checks.
  • Affected versions are 4.6.07 (revision 79330) and prior; the exploit was specifically tested against version 4.6.07.
  • The exploit script was tested on macOS 10.13.6 and targets the device at a user-supplied URL; the webserver runs as root, meaning the shell.jpg payload and websrunnings.cgi backdoor execute with root privileges.
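
The checks listed above, written as detection logic over parsed HTTP requests. This is an added example, not code from the sources this page cites; the request-dict layout, the finding names and the sample requests are assumptions constructed for illustration, and the hostname allowlist for timeserver1 generalizes the metacharacter check.

```python
import re
from urllib.parse import unquote, unquote_plus

# Endpoints named in the indicators above; the upload CGI only matters for POST.
WATCHED = {"/cgi-bin/websrunnings.cgi": None, "/cgi-bin/uplsysupdate.cgi": "POST"}
# Allowlist for an NTP server value: hostname or IP characters only, which
# rejects '$(', '<' and every other shell metacharacter.
HOSTNAME = re.compile(r"[A-Za-z0-9.:-]*")

def form_fields(body):
    """Decode an application/x-www-form-urlencoded body into a dict."""
    pairs = (p.split("=", 1) for p in body.split("&") if "=" in p)
    return {unquote_plus(k): unquote_plus(v) for k, v in pairs}

def check_request(req):
    """Return findings for one request dict with method, path, cookie, body."""
    findings = []
    path = req["path"].split("?", 1)[0]
    session = re.search(r"\.sessionId=([^;]*)", unquote(req.get("cookie", "")))
    if session and "../" in session.group(1):
        findings.append("cookie-path-traversal")
    if path in WATCHED and WATCHED[path] in (None, req["method"]):
        findings.append("watched-endpoint")
    fields = form_fields(req.get("body", ""))
    if path == "/goform/saveS2ConfVals" and "timeserver1" in fields:
        if not HOSTNAME.fullmatch(fields["timeserver1"]):
            findings.append("timeserver1-not-a-hostname")
    if path == "/goform/restarts2Conf" and fields.get("changeNetwork") == "1":
        findings.append("restart-with-changeNetwork")
    return findings

# Constructed sample requests (not captured traffic); the indicator values
# are the ones quoted on this page.
SAMPLES = [
    {"method": "GET", "path": "/frameset/",
     "cookie": ".sessionId=../web/upload/system/backup.upg"},
    {"method": "POST", "path": "/goform/saveS2ConfVals", "body":
     "timeserver1=a.a%24%28bash%3C%2Fusr%2Flocal%2Fs2%2Fweb%2Fupload%2Fpics%2Fshell.jpg%29"},
    {"method": "POST", "path": "/goform/saveS2ConfVals",
     "body": "timeserver1=pool.ntp.org"},
    {"method": "POST", "path": "/goform/restarts2Conf", "body": "changeNetwork=1"},
    {"method": "GET", "path": "/cgi-bin/websrunnings.cgi", "cookie": ""},
    {"method": "GET", "path": "/frameset/", "cookie": ".sessionId=abc123"},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req["method"], req["path"], check_request(req))
```

Whether a request was authenticated cannot be read from these fields alone, so the POST to /cgi-bin/uplsysupdate.cgi is flagged for review rather than classified.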

CVSS provenance

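| Source | Version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |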