CVE-2021-36356
published 2021-08-31


Priority: P186, critical, CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 54.39% (98.9th percentile)
KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames (even though browseSystemFiles.php is no longer reachable via the GUI). NOTE: this issue exists because of an incomplete fix for CVE-2019-17124.

Affected (1 range)

Vendor     Product   Version range   Fixed in
kramerav   viaware   <= 2021-08

Detection & IOCs (extracted from sources)

url: /ajaxPages/writeBrowseFilePathAjax.php
path: /var/www/html/test.php
url: /test.php?cmd=sudo rpm --eval '%{lua:os.execute("<cmd>")}'
command: sudo rpm --eval '%{lua:os.execute("<cmd>")}'
other: radioBtnVal=%3C%3Fphp+echo+md5%28%22CVE-2021-35064%22%29%3B+%3F%3E&associateFileName=%2Fvar%2Fwww%2Fhtml%2F{{randstr}}.php
snort:
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Kramer VIAware Remote Code Execution (CVE-2021-35064 CVE-2021-36356)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:38; content:"/ajaxPages/writeBrowseFilePathAjax.php"; fast_pattern; http.request_body; content:"radioBtnVal="; content:"associateFileName="; reference:cve,2021-36356; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:url,packetstormsecurity.com/files/166623/Kramer-VIAware-Remote-Code-Execution.html; reference:url,write-up.github.io/kramerav/; reference:cve,2021-35064; classtype:attempted-admin; sid:2036738; rev:2; metadata:attack_target Server, created_at 2022_06_01, cve CVE_2021_35064_CVE_2021_36356, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_03_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Detect POST requests to /ajaxPages/writeBrowseFilePathAjax.php with both 'radioBtnVal=' and 'associateFileName=' in the request body — this is the core exploit primitive for arbitrary file write.
  • The exploit writes a PHP webshell to /var/www/html/ (e.g., test.php) via the associateFileName parameter; monitor for new .php files appearing in the Apache web root on VIAware appliances.
  • Post-exploitation command execution is achieved via 'sudo rpm --eval' with embedded Lua os.execute calls; monitor for rpm processes spawned by the web server user with --eval arguments.
  • The Nuclei template uses the MD5 hash '44f63b292601ec4ab0d8c3244c9f5ebe' (md5 of 'CVE-2021-35064') as a canary in the webshell response body to confirm successful exploitation; alert on this string in HTTP responses from VIAware hosts.
  • The exploit URI for the exact vulnerable endpoint has a fixed byte size of 38 characters (/ajaxPages/writeBrowseFilePathAjax.php); use bsize matching in network signatures to reduce false positives.
  • CVE-2021-36356 is an incomplete fix for CVE-2019-17124; the GUI entry point (browseSystemFiles.php) was removed but the underlying writable endpoint (writeBrowseFilePathAjax.php) remained accessible and unauthenticated.
  • The exploit is unauthenticated and requires no prior access; the POST to writeBrowseFilePathAjax.php is directly reachable over HTTPS without credentials.
  • The Snort/ET rule targets both CVE-2021-35064 and CVE-2021-36356 in a single signature (sid:2036738); defenders should be aware that a single alert may correspond to either CVE being exploited.

CVSS provenance

nvd, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 9.8 CRITICAL