CVE-2017-16524 - OpenCVE

Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_upload.php' allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a .php extension, which is then accessed via a direct request to the file in the upload/ directory. To authenticate for this attack, one can obtain web-interface credentials in cleartext by leveraging the existing Local File Read Vulnerability referenced as CVE-2015-8279, which allows remote attackers to read the web-interface credentials via a request for the cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hanwhasecurity	Web Viewer
Samsung	Srn-1670d

Configuration 1 [-]

AND

cpe:2.3:a:hanwhasecurity:web_viewer:1.0.0.193:*:*:*:*:*:*:*

cpe:2.3:h:samsung:srn-1670d:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/realistic-security/CVE-2017-16524
https://www.exploit-db.com/exploits/43138/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-11-06T08:00:00

Updated: 2024-08-05T20:27:03.694Z

Reserved: 2017-11-03T00:00:00

Link: CVE-2017-16524

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-11-06T08:29:00.220

Modified: 2017-11-29T14:57:17.200

Link: CVE-2017-16524

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-11-06T00:00:00", "descriptions": [{"lang": "en", "value": "Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_upload.php' allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a .php extension, which is then accessed via a direct request to the file in the upload/ directory. To authenticate for this attack, one can obtain web-interface credentials in cleartext by leveraging the existing Local File Read Vulnerability referenced as CVE-2015-8279, which allows remote attackers to read the web-interface credentials via a request for the cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-15T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "43138", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/43138/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/realistic-security/CVE-2017-16524"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-16524", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_upload.php' allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a .php extension, which is then accessed via a direct request to the file in the upload/ directory. To authenticate for this attack, one can obtain web-interface credentials in cleartext by leveraging the existing Local File Read Vulnerability referenced as CVE-2015-8279, which allows remote attackers to read the web-interface credentials via a request for the cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "43138", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/43138/"}, {"name": "https://github.com/realistic-security/CVE-2017-16524", "refsource": "MISC", "url": "https://github.com/realistic-security/CVE-2017-16524"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T20:27:03.694Z"}, "title": "CVE Program Container", "references": [{"name": "43138", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/43138/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/realistic-security/CVE-2017-16524"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-16524", "datePublished": "2017-11-06T08:00:00", "dateReserved": "2017-11-03T00:00:00", "dateUpdated": "2024-08-05T20:27:03.694Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hanwhasecurity:web_viewer:1.0.0.193:*:*:*:*:*:*:*", "matchCriteriaId": "6F3219C8-6C69-4B8F-92EB-B83C37C0D36C", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:samsung:srn-1670d:-:*:*:*:*:*:*:*", "matchCriteriaId": "6911846A-7E2D-46CF-BDD3-E5502308136B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_upload.php' allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a .php extension, which is then accessed via a direct request to the file in the upload/ directory. To authenticate for this attack, one can obtain web-interface credentials in cleartext by leveraging the existing Local File Read Vulnerability referenced as CVE-2015-8279, which allows remote attackers to read the web-interface credentials via a request for the cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI."}, {"lang": "es", "value": "Web Viewer 1.0.0.193 en dispositivos Samsung SRN-1670D sufre de una vulnerabilidad de subida de archivos sin restricci\u00f3n: \"network_ssl_upload.php\" permite que atacantes remotos autenticados suban y ejecuten c\u00f3digo PHP arbitrario mediante un nombre de archivo con extensi\u00f3n .php al cual se accede a trav\u00e9s de una petici\u00f3n directa al archivo en el directorio upload/. Para autenticarse para este ataque, se pueden obtener credenciales de la interfaz web en texto claro aprovechando la vulnerabilidad existente de lectura de archivos locales referenciada como CVE-2015-8279, lo que permite que atacantes remotos lean las credenciales de la interfaz web mediante una petici\u00f3n para la URI cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw."}], "id": "CVE-2017-16524", "lastModified": "2017-11-29T14:57:17.200", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-06T08:29:00.220", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/realistic-security/CVE-2017-16524"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/43138/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}