CVE-2021-35064
Published: 2021-07-12
Priority: P1 · 89 · critical 9.8 (CVSS 3.1)
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 70.75% (99.3rd percentile)
KramerAV VIAWare, all tested versions, allow privilege escalation through misconfiguration of sudo. Sudoers permits running of multiple dangerous commands, including unzip, systemctl and dpkg.
Detection & IOCs (extracted from sources)
Snort:
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Kramer VIAware Remote Code Execution (CVE-2021-35064 CVE-2021-36356)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:38; content:"/ajaxPages/writeBrowseFilePathAjax.php"; fast_pattern; http.request_body; content:"radioBtnVal="; content:"associateFileName="; reference:cve,2021-36356; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:url,packetstormsecurity.com/files/166623/Kramer-VIAware-Remote-Code-Execution.html; reference:url,write-up.github.io/kramerav/; reference:cve,2021-35064; classtype:attempted-admin; sid:2036738; rev:2; metadata:attack_target Server, created_at 2022_06_01, cve CVE_2021_35064_CVE_2021_36356, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_03_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Detect POST requests to /ajaxPages/writeBrowseFilePathAjax.php with both 'radioBtnVal=' and 'associateFileName=' in the request body; this is the core exploit primitive for arbitrary file write.
- The exploit writes a PHP webshell to /var/www/html/ via the associateFileName parameter; monitor for new .php file creation in the Apache web root on VIAware hosts.
- Post-exploitation RCE is achieved via 'sudo rpm --eval' Lua code execution; monitor for rpm processes spawned by the web server user (e.g., www-data) with '--eval' arguments.
- Privilege escalation abuses misconfigured sudoers allowing dangerous commands including unzip, systemctl, and dpkg; audit sudoers for these entries on VIAware appliances.
- FOFA fingerprint icon_hash="1521468900" can be used to identify internet-exposed Kramer VIAware instances for proactive scanning.
- Nuclei detection canary: POST PHP payload <?php echo md5("CVE-2021-35064"); ?> to writeBrowseFilePathAjax.php and check the response body for the MD5 value 44f63b292601ec4ab0d8c3244c9f5ebe.
- The ET OPEN Snort rule (sid:2036738) fires on a POST to the exact 38-byte URI /ajaxPages/writeBrowseFilePathAjax.php with both exploit body parameters present; deploy on perimeter and internal sensors.
- The exploit uses HTTPS with certificate verification disabled (verify=False); TLS inspection is required on network sensors to detect this traffic in encrypted environments.
- The Nuclei template uses a randomised filename ({{randstr}}.php) for the dropped webshell, so static filename-based detection of 'test.php' alone will miss automated scanner activity.
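Added example (not code from any of the indexed sources): a Python re-implementation of the match conditions of the ET OPEN rule above (sid:2036738), run over a constructed request, plus extraction of the requested file name for triage. It keys on the two body parameters rather than on the dropped file name, which is why the randomised Nuclei filename noted above does not evade it. The host name and parameter values are placeholders.

```python
from urllib.parse import parse_qs

# Constants taken from the ET OPEN Snort rule sid:2036738 quoted above.
EXPLOIT_URI = "/ajaxPages/writeBrowseFilePathAjax.php"
assert len(EXPLOIT_URI) == 38          # matches the rule's bsize:38 on http.uri
BODY_MARKERS = ("radioBtnVal=", "associateFileName=")


def parse_http_request(raw: str):
    """Split a raw HTTP/1.x request into (method, uri, body), or None if malformed."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    return parts[0], parts[1], body


def matches_cve_2021_35064(raw: str) -> bool:
    """Apply the rule's conditions: POST, exact URI, both body parameters present."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return False
    method, uri, body = parsed
    path = uri.split("?", 1)[0]          # the rule matches the normalised URI buffer
    return (method == "POST"
            and path == EXPLOIT_URI
            and all(marker in body for marker in BODY_MARKERS))


def dropped_file_name(raw: str):
    """Enrichment for responders: the file name the request asked the appliance to write."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return None
    fields = parse_qs(parsed[2])
    return fields.get("associateFileName", [None])[0]


# Constructed sample traffic (not a real capture). radioBtnVal carries a placeholder;
# the exploit's PHP content is deliberately not reproduced here.
EXPLOIT_REQUEST = (
    "POST /ajaxPages/writeBrowseFilePathAjax.php HTTP/1.1\r\n"
    "Host: viaware.example.internal\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "radioBtnVal=PLACEHOLDER&associateFileName=a8f3k2.php"
)
BENIGN_REQUEST = (
    "GET /ajaxPages/writeBrowseFilePathAjax.php HTTP/1.1\r\n"
    "Host: viaware.example.internal\r\n\r\n"
)
```

A hit should be followed by checking /var/www/html/ on the appliance for the returned file name and for any rpm --eval process run as the web server user.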
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-qw8w-2g6w-j99h: KramerAV VIAWare, all tested versions, allow privilege escalation through misconfiguration of sudo
ghsa_unreviewed · 2022-05-24 · CRITICAL · CWE-269
VulnCheck
kramerav viaware Improper Privilege Management
vulncheck · 2021 · CVSS 9.8 · CRITICAL
Affected: kramerav viaware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers
Exploit PoC: https://vulncheck.com/xdb/25ee6400e583
Suricata
ET EXPLOIT Kramer VIAware Remote Code Execution (CVE-2021-35064 CVE-2021-36356)
suricata · 2022-06-01 · CVSS 9.8 · CRITICAL · tagged CVE-2021-36356
Rule: identical to the Snort rule quoted in full under Detection & IOCs above (sid:2036738).
Exploit-DB
Kramer VIAware - Remote Code Execution (RCE) (Root)
exploitdb · 2022-04-07 · CVSS 9.8 · CRITICAL · tagged CVE-2021-36356
---
# Exploit Title: Remote Code Execution as Root on KRAMER VIAware
# Date: 31/03/2022
# Exploit Author: sharkmoos
# Vendor Homepage: https://www.kramerav.com/
# Software Link: https://www.kramerav.com/us/product/viaware
# Version: *
# Tested on: ViaWare Go (Linux)
# CVE : CVE-2021-35064, CVE-2021-36356
import sys, urllib3
from requests import get, post
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def writeFile(host):
    headers = {
        "Host": f"{host}",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
        "Accept": "text/html, */*",
        "Accept-Language": "en-GB,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Requested-With
Nuclei
Kramer VIAware - Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL · tagged CVE-2021-36356
KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames.
Template:
id: CVE-2021-36356
info:
  name: Kramer VIAware - Remote Code Execution
  author: gy741
  severity: critical
  description: KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames.
  impact: |
    Unauthenticated attackers can upload arbitrary PHP files to the web root, achieving remote code execution and complete server compromise.
  remediation: |
    Apply the latest firmware update provided by Kramer to fix the vulnerability and ensure proper input validation in the web int
Nuclei
Kramer VIAware - Privilege Escalation and Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL · tagged CVE-2021-35064
Kramer VIAware, all tested versions, allow privilege escalation and remote code execution due to misconfigured sudo permissions. Attackers can execute arbitrary system commands remotely if the web interface is accessible, due to vulnerabilities in the handling of privileged operations through ajaxPages/writeBrowseFilePathAjax.php and improper sudoers configurations.
Template:
id: CVE-2021-35064
info:
  name: Kramer VIAware - Privilege Escalation and Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    Kramer VIAware, all tested versions, allow privilege escalation and remote code execution due to misconfigured sudo permissions. Attackers can execute arbitrary system commands remotely if the web interf
No writeups or analysis indexed.