""ET EXPLOIT Possible rConfig 3.9.2 Remote Code Execution PoC M1 (CVE-2019-16662)""

SID: 2028933

Revision: 3

Class Type: attempted-admin

Metadata: affected_product Web_Server_Applications, attack_target Server, created_at 2019_11_04, cve CVE_2019_16662, deployment Perimeter, signature_severity Major, updated_at 2021_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application

Reference:

• cve

• 2019-16662

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: [$HOME_NET,$HTTP_SERVERS]

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

• Value: "/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=%3B"

• Value: "/ajaxServerSettingsChk.php?rootUname="

Within:

PCRE:

Special Options:

• http_raw_uri

• nocase

• http_uri

• fast_pattern

source