Attacker Value: Unknown (1 user assessed)
Exploitability: Unknown (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

Samsung SRN-1670D Web Viewer Version 1.0.0.193 Arbitrary File Read and Upload

Disclosure Date: November 06, 2017

Description

Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an unrestricted file upload vulnerability: ‘network_ssl_upload.php’ allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a .php extension, which is then accessed via a direct request to the file in the upload/ directory. To authenticate for this attack, one can obtain web-interface credentials in cleartext by leveraging the existing local file read vulnerability referenced as CVE-2015-8279, which allows remote attackers to read the web-interface credentials via a request for the cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI.

Technical Analysis

Details

The vulnerable code can be found in network_ssl_upload.php:

    $path = "./upload/";
    $file = $_FILES[ "attachFile" ];
    $isApply = ( int )$_POST[ "is_apply" ];
    $isInstall = ( int )$_POST[ "isInstall" ];
    $isCertFlag = ( int )$_POST[ "isCertFlag" ];

    // create socket
    $N_message = "";
    $sock = mySocket_create($_is_unix_socket);
    $connected = mySocket_connect($_is_unix_socket, $sock);

    $loginInfo = new loginInfo();
    $retLogin = loginManager( $connected, $sock, null, $loginInfo );
    if ( ( $retLogin == true ) && ( $isApply == 2 || $isApply == 3 ) ) {
     if ($connected) {
      $id = $loginInfo->get_id();
      $xmlFile = $id.'_config.xml';
      $N_message = "dummy".nvr_command::DELIM;
      $N_message .= "userid ".$id.nvr_command::DELIM;

      if ( $isInstall == 1 ) {
       // File upload ===============================================================
       if ( $file[ "error" ] > 0 ) {
        $Error = "Error: ".$file[ "error" ];
       } else {
        // The client-supplied file name is used unchanged, so a name ending in
        // .php is written into the web-accessible ./upload/ directory.
        $retFile = @copy( $file[ "tmp_name" ], $path.$file[ "name" ] );
       }
       // ===========================================================================
      }

To remove the need for valid credentials, the exploit also takes advantage of another vulnerability
(CVE-2015-8279) in the log-export function, which reads an arbitrary file from the remote machine,
to obtain credentials that can then be used for the attack.
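
A hardened counterpart to the copy() call in the network_ssl_upload.php excerpt, as an added example that is not vendor code and not part of the original analysis. It never reuses the client-supplied name, accepts only allowlisted extensions, and expects a destination directory the web server does not serve. The function names, the extension allowlist, the size limit and the use of PHP 7 or later are assumptions.

```php
<?php
// Added example, not vendor code. Names, limits and the allowlist are assumptions.
const ALLOWED_EXT = ['pem', 'crt', 'cer', 'key'];  // assumed certificate/key types
const MAX_BYTES   = 65536;                         // assumed upper bound for such files

/**
 * Build a storage name that keeps nothing from the client-supplied name
 * except an extension that has been checked against the allowlist.
 */
function safe_cert_name(string $clientName): string
{
    // basename() discards any directory component such as "../"
    $base = basename(str_replace('\\', '/', $clientName));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new InvalidArgumentException('file type not allowed');
    }
    // Server-generated name: "shell.php" is rejected above, and
    // "shell.php.pem" is stored as "<random>.pem".
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Store one $_FILES entry in $destDir and return the stored path.
 * $destDir is assumed to sit outside the document root.
 */
function store_uploaded_cert(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error');
    }
    $tmp = (string)($file['tmp_name'] ?? '');
    // is_uploaded_file() confirms the path really came from this request's upload
    if (!is_uploaded_file($tmp) || filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    $dest = rtrim($destDir, '/') . '/' . safe_cert_name((string)($file['name'] ?? ''));
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0600);  // readable by the service account only
    return $dest;
}
```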

CVSS V3 Severity and Metrics

Base Score: None
Impact Score: Unknown
Exploitability Score: Unknown
Vector: Unknown
Attack Vector (AV): Unknown
Attack Complexity (AC): Unknown
Privileges Required (PR): Unknown
User Interaction (UI): Unknown
Scope (S): Unknown
Confidentiality (C): Unknown
Integrity (I): Unknown
Availability (A): Unknown

General Information

Vendors

  • hanwhasecurity

Products

  • web viewer 1.0.0.193
