Published: 15/01/2016 Updated: 20/01/2016

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

CVSS v3 Base Score: 8.6 | Impact Score: 4 | Exploitability Score: 3.9

VMScore: 580

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Web Viewer 1.0.0.193 on Samsung SRN-1670D devices allows remote malicious users to read arbitrary files via a request to an unspecified PHP script.

Vulnerable Product	Search on Vulmon	Subscribe to Product
samsung web viewer

Web Viewer version 100193 on Samsung SRN-1670D suffers from an unrestricted file upload vulnerability ...

This Metasploit module exploits an unrestricted file upload vulnerability in Web Viewer 100193 on Samsung SRN-1670D devices The network_ssl_uploadphp file allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a php extension, which is then accessed via a direct request to the file in the upload/ di ...

This module exploits an unrestricted file upload vulnerability in Web Viewer 100193 on Samsung SRN-1670D devices The network_ssl_uploadphp file allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a php extension, which is then accessed via a direct request to the f ...

This module exploits an unrestricted file upload vulnerability in Web Viewer 1.0.0.193 on Samsung SRN-1670D devices. The network_ssl_upload.php file allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a .php extension, which is then accessed via a direct request to the file in the upload/ directory. To authenticate for this attack, one can obtain web-interface credentials in cleartext by leveraging the existing local file read vulnerability referenced by CVE-2015-8279, which allows remote attackers to read the web interface credentials by sending a request to: cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI.

msf > use exploit/linux/http/samsung_srv_1670d_upload_exec
msf exploit(samsung_srv_1670d_upload_exec) > show targets
    ...targets...
msf exploit(samsung_srv_1670d_upload_exec) > set TARGET < target-id >
msf exploit(samsung_srv_1670d_upload_exec) > show options
    ...show and set options...
msf exploit(samsung_srv_1670d_upload_exec) > exploit

This module exploits an unrestricted file upload vulnerability in Web Viewer 1.0.0.193 on Samsung SRN-1670D devices. The network_ssl_upload.php file allows remote authenticated attackers to upload and execute arbitrary PHP code via a filename with a .php extension, which is then accessed via a direct request to the file in the upload/ directory. To authenticate for this attack, one can obtain web-interface credentials in cleartext by leveraging the existing local file read vulnerability referenced by CVE-2015-8279, which allows remote attackers to read the web interface credentials by sending a request to: cslog_export.php?path=/root/php_modules/lighttpd/sbin/userpw URI.

msf > use exploit/linux/http/samsung_srv_1670d_upload_exec
msf exploit(samsung_srv_1670d_upload_exec) > show targets
    ...targets...
msf exploit(samsung_srv_1670d_upload_exec) > set TARGET < target-id >
msf exploit(samsung_srv_1670d_upload_exec) > show options
    ...show and set options...
msf exploit(samsung_srv_1670d_upload_exec) > exploit

Unrestricted file upload vulnerability - Web Viewer 1.0.0.193 on Samsung SRN-1670D

CVE-2017-16524 Discovered by Omar Mezrag - 0xFFFFFF Affected Product Samsung Network Video Recorders - Web Viewer 100193 on Samsung SRN-1670D Vendor of Product Hanwha / Samsung Security - wwwhanwhasecuritycom/ Vulnerability type Unrestricted file upload vulnerability Attack Vector AccessVector (AV): Network User Interaction (UI): None Authentication (Au): Requires

CWE-264 https://www.kb.cert.org/vuls/id/913000 https://nvd.nist.gov https://github.com/realistic-security/CVE-2017-16524 https://www.kb.cert.org/vuls/id/913000

CVE-2015-8279

Vulnerability Summary

Exploits

Metasploit Modules

Github Repositories

References

Vulmon Search

About

Products

Connect