CVE-2021-3317
Published 2021-01-26
CVE-2021-3317: KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter.
Priority: P2 · 71 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: yes (see references)
EPSS: 41.39% (98.5th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| klogserver | klog_server | <= 2.4.1 | — |
Detection & IOCs (extracted from sources)
snort
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Klog Server Command Injection Inbound (CVE-2021-3317)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/async.php?action="; content:"&source=|3b|"; fast_pattern; reference:cve,2021-3317; classtype:attempted-admin; sid:2032638; rev:1; metadata:attack_target Server, created_at 2021_04_09, cve CVE_2021_3317, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_04_09, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
Key bytes: &source=|3b|
- Monitor HTTP requests to /actions/async.php where the 'source' query parameter contains a semicolon (URL-encoded as %3b or |3b|), indicating shell command injection attempts.
- The exploit performs a POST to /actions/authenticate.php for login (HTTP 302 redirect on success), followed immediately by a GET to /actions/async.php?action=stream&source=;<cmd>;. Correlate these two sequential requests from the same source IP as a strong exploitation signal.
- The Snort/Suricata rule (ET SID 2032638) triggers on HTTP POST to URIs matching /async.php?action= with &source=|3b| (semicolon byte). Deploy or tune this rule on perimeter and internal sensors.
- The injected command runs as uid=48(apache) gid=48(apache). Alert on apache-owned processes spawning unexpected child processes (e.g., /bin/sh, id, whoami) as a host-based detection signal.
- Exploitation requires prior authentication; the attacker must supply valid credentials before injecting commands via the source parameter.
- The PoC uses allow_redirects=False and verify=False (TLS verification disabled), meaning the server may be using a self-signed certificate; detection rules should cover both HTTP and HTTPS traffic.
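As an added example (not part of this advisory, of the indexed PoC, or of any vendor tooling), the following Python script applies the detection notes above to web-server access logs: it flags requests to async.php whose source parameter carries a semicolon (raw or percent-encoded) and raises the confidence when the same client IP completed a login POST to /actions/authenticate.php (HTTP 302) shortly before. The combined-log format, the IP addresses and timestamps, the five-minute correlation window and all function names are assumptions made for this example.

```python
"""Access-log detection for CVE-2021-3317 (KLog Server command injection).

Added example, not part of the advisory. Scans combined-format access-log
lines for requests to async.php whose `source` parameter contains a
semicolon, and correlates each hit with a preceding successful login
(POST /actions/authenticate.php -> 302) from the same client IP.
All log lines, IPs, timestamps and the correlation window are constructed.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Combined log format (assumption): ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/actions/authenticate.php"
CORRELATION_WINDOW = timedelta(minutes=5)  # assumption: tune per environment


def parse_line(line):
    """Parse one access-log line; return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def query_params(query):
    """Split a raw query string on '&' only, then percent-decode.
    Splitting is done by hand so a raw ';' inside a value survives
    (some urllib versions treat ';' as a separator and would hide it)."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def is_injection_attempt(path):
    """True when the request targets async.php and its `source` value
    contains a semicolon, the byte the ET rule keys on (&source=|3b|).
    Method-agnostic: the rule matches POST, the indexed PoC uses GET."""
    parts = urlsplit(path)
    if not parts.path.endswith("/async.php"):
        return False
    return any(";" in v for v in query_params(parts.query).get("source", []))


def detect(lines):
    """Return findings for every injection attempt. A hit preceded by a
    successful login from the same IP inside CORRELATION_WINDOW is
    reported as 'high' confidence, otherwise 'medium'."""
    last_login = {}  # ip -> timestamp of most recent 302 from the login endpoint
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if (ev["method"] == "POST" and urlsplit(ev["path"]).path == LOGIN_PATH
                and ev["status"] == 302):
            last_login[ev["ip"]] = ev["ts"]
            continue
        if is_injection_attempt(ev["path"]):
            login_ts = last_login.get(ev["ip"])
            correlated = (login_ts is not None
                          and timedelta(0) <= ev["ts"] - login_ts <= CORRELATION_WINDOW)
            findings.append({
                "ip": ev["ip"],
                "path": ev["path"],
                "confidence": "high" if correlated else "medium",
            })
    return findings


# Constructed sample log: one correlated attempt, one benign request,
# one uncorrelated attempt, one failed login.
SAMPLE_LOG = [
    '203.0.113.10 - - [26/Jan/2021:10:00:01 +0000] "POST /actions/authenticate.php HTTP/1.1" 302 0',
    '203.0.113.10 - - [26/Jan/2021:10:00:02 +0000] "GET /actions/async.php?action=stream&source=%3bid%3b HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Jan/2021:10:05:00 +0000] "GET /actions/async.php?action=stream&source=syslog HTTP/1.1" 200 4096',
    '198.51.100.7 - - [26/Jan/2021:10:06:00 +0000] "GET /actions/async.php?action=stream&source=;whoami; HTTP/1.1" 200 128',
    '192.0.2.5 - - [26/Jan/2021:10:07:00 +0000] "POST /actions/authenticate.php HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Running the block against the constructed log yields two findings: the 203.0.113.10 request is marked high confidence because it follows a 302 from the login endpoint one second earlier, while the 198.51.100.7 request is medium confidence because no login from that IP was seen in the window. The benign source=syslog request produces nothing. Because the page notes the PoC disables TLS verification, feed this script logs from both the HTTP and HTTPS virtual hosts.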
CVSS provenance
NVD v3.1: 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P
Suricata
ET EXPLOIT Klog Server Command Injection Inbound (CVE-2021-3317)
suricata · 2021-04-09 · CVSS 8.8
Rule text identical to the Snort rule listed under Detection & IOCs (sid 2032638).
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/161208/Klog-Server-2.4.1-Command-Injection.html
- https://docs.unsafe-inline.com/0day/klog-server-authenticated-command-injection
Published: 2021-01-26