CVE-2017-16666: Xplico Unauthenticated Remote Code Execution
Xplico is a Network Forensic Analysis Tool (NFAT). The goal of Xplico is to extract, from an internet traffic capture, the application data it contains. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP, RTP), IRC, MSN…
Xplico is able to classify more than 140 (application) protocols. Xplico can be used as a sniffer-decoder when run in “live mode” or in conjunction with netsniff-ng.
Remotely Exploitable: Yes
Authentication Required: No
Vendor URL: www.xplico.org
CVSSv3 Score: 9.0 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:U)
Date found: 31 Oct 2017
Xplico released version 1.2.1
xplico_exec Metasploit module
This module exploits a command injection vulnerability. Unauthenticated users can register a new account and then execute terminal commands in the context of the root user.
The specific flaw exists within Xplico, which listens on TCP port 9876 by default. There is a hidden endpoint inside Xplico that allows anyone to create a new user. Once a user is created through the /users/register endpoint, it must be activated via an activation e-mail. After registration, Xplico tries to send an e-mail containing the activation code. On most installations this e-mail will probably never reach the given e-mail address. However, it is possible to calculate exactly the same token value, because the token is produced by an insecure (non-cryptographic) random string generator. One of Xplico's features is parsing PCAP files. Once a PCAP file is uploaded, Xplico executes an operating system command to calculate the checksum of the file. The name of the uploaded file used in this operation is taken directly from user input and then placed inside the command without proper input validation.
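As an added illustration of the two weaknesses described above (constructed example code, not Xplico's own), the Python below contrasts a seeded non-cryptographic token generator with a CSPRNG-backed one, and shows an upload name that is validated and then either hashed in-process or passed as a separate argv element instead of being interpolated into a shell string. The token alphabet, name pattern and function names are assumptions.

```python
"""Constructed illustration of the advisory's two weaknesses (not Xplico code):
a recomputable activation token and an upload file name reaching a shell command."""
import hashlib
import random
import re
import secrets
import subprocess

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumed token alphabet


def weak_token(seed: int, length: int = 16) -> str:
    """Non-cryptographic PRNG seeded from something guessable (e.g. a timestamp).
    Anyone who learns or guesses the seed regenerates the identical token."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_token(nbytes: int = 32) -> str:
    """Mitigation: CSPRNG-backed token with no recoverable seed."""
    return secrets.token_urlsafe(nbytes)


# Conservative upload-name policy: alphanumerics, dot, underscore, hyphen; no path
# separators and no shell metacharacters. Everything else is rejected outright.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def is_safe_upload_name(name: str) -> bool:
    return bool(SAFE_NAME.match(name)) and name not in (".", "..")


def checksum_in_process(data: bytes) -> str:
    """Preferred fix: hash the bytes in-process, so no external command and no
    user-controlled string ever reach a shell."""
    return hashlib.sha256(data).hexdigest()


def checksum_via_argv(path: str) -> str:
    """If an external tool must be used: validate the name first, then pass the path
    as its own argv element (no shell=True), so metacharacters are never interpreted."""
    if not is_safe_upload_name(path):
        raise ValueError("rejected upload name")
    out = subprocess.run(["sha256sum", "--", path],
                         capture_output=True, text=True, check=True)
    return out.stdout.split()[0]
```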