CVE-2017-16666 : Xplico before 1.2.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the name

Xplico before 1.2.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the name of an uploaded PCAP file. NOTE: this issue can be exploited without authentication by leveraging the user registration feature.

Published 2018-01-05 16:29:00

Updated 2019-10-03 00:03:26

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2017-16666

Probability of exploitation activity in the next 30 days: 43.68%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 97 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2017-16666

Xplico Remote Code Execution

Disclosure Date: 2017-10-29

First seen: 2020-04-26

exploit/linux/http/xplico_exec

This module exploits command injection vulnerability. Unauthenticated users can register a new account and then execute a terminal command under the context of the root user. The specific flaw exists within the Xplico, which listens on TCP port 9876 by default. The goal of

More information

CVSS scores for CVE-2017-16666

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.0	HIGH	AV:N/AC:L/Au:S/C:C/I:C/A:C	8.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
8.8	HIGH	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-16666

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-16666

http://www.rapid7.com/db/modules/exploit/linux/http/xplico_exec

Xplico Remote Code Execution | Rapid7
Exploit;Third Party Advisory
https://www.xplico.org/archives/1538

Xplico – Xpico 1.2.1: Xplico vulnerability
Vendor Advisory
https://pentest.blog/advisory-xplico-unauthenticated-remote-code-execution-cve-2017-16666/

Advisory | Xplico Unauthenticated Remote Code Execution CVE-2017-16666 – Pentest Blog
Exploit;Third Party Advisory
http://blog.securityonion.net/2017/11/security-advisory-for-xplico-120.html

Security Onion: Security Advisory for Xplico 1.2.0
Third Party Advisory
https://www.exploit-db.com/exploits/43430/

Xplico - Remote Code Execution (Metasploit)
Exploit;Third Party Advisory;VDB Entry
http://packetstormsecurity.com/files/145639/Xplico-Remote-Code-Execution.html

Xplico Remote Code Execution ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry

Products affected by CVE-2017-16666

Xplico » Xplico
Versions before (<) 1.2.1
cpe:2.3:a:xplico:xplico:*:*:*:*:*:*:*:*
Matching versions