Executive Summary

This alert is flagged as belonging to the CWE/SANS Top 25 Most Dangerous Software Errors. For more information, see the CWE/SANS Top 25 list.
Summary

Title: Netgear Management System NMS300 contains arbitrary file upload and path traversal vulnerabilities

Information

Name: VU#777024
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2016-02-03
Last vendor modification: 2016-02-04
Revision: M

Security-Database Scoring CVSS v3

CVSS v3 vector: N/A (no v3 score has been published for this note; overall, base, impact, exploitability, temporal and environmental scores are all N/A)

Security-Database Scoring CVSS v2

CVSS v2 vector: (AV:A/AC:L/Au:N/C:C/I:C/A:C)
CVSS base score: 8.3
CVSS impact score: 10
CVSS exploit score: 6.5
Attack range: Adjacent network
Attack complexity: Low
Authentication: None required

Detail

Vulnerability Note VU#777024

Netgear Management System NMS300 contains arbitrary file upload and path traversal vulnerabilities

Original Release date: 03 Feb 2016 | Last revised: 04 Feb 2016

Overview

Netgear Management System NMS300, version 1.5.0.11 and earlier, is vulnerable to arbitrary file upload, which may be leveraged by unauthenticated users to execute arbitrary code with SYSTEM privileges. A directory traversal vulnerability enables authenticated users to download arbitrary files.

Description

Netgear Management System NMS300 is a configuration, monitoring, and diagnostics utility for managing SNMP networked devices via a web interface.

CWE-434: Unrestricted Upload of File with Dangerous Type - CVE-2016-1524

Default installations of NMS300 operate two Java servlets, http://<IP>:8080/fileUpload.do and http://<IP>:8080/lib-1.0/external/flash/fileUpload.do, that can be accessed by unauthenticated users. By sending a specially crafted POST request to the servlets, an attacker can upload arbitrary files that will then be accessible from the NMS300 server's root directory as http://<IP>:8080/null<filename>. The NMS300 server runs with SYSTEM privileges.

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - CVE-2016-1525

NMS300 contains a directory traversal vulnerability. An authenticated attacker can manipulate the realName parameter of a crafted POST request sent to http://<IP>:8080/data/config/image.do?method=add to load an arbitrary local file from the server host to a predictable location in the web service. The file can then be downloaded from http://<IP>:8080/data/config/image.do?method=export&imageId=<ID>, where <ID> is a count that increments by one every time a file is uploaded in this manner.

For more information, refer to Pedro Ribeiro's disclosure (the seclists.org full-disclosure post listed under References). The CVSS score describes CVE-2016-1524.
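The two weaknesses above are the classic input-handling failures of an upload servlet (CWE-434: the server stores and serves whatever file type the client names) and of a file-loading servlet (CWE-22: the server joins a client-supplied name onto a directory without checking the result stays inside it). The following Python is an added example written for this page to show what the missing checks look like; it is not NMS300 code and says nothing about how the product is implemented. The servlet and parameter names come from the advisory; the image-only allow-list, the executable-suffix list, the `upload_root` directory and the function names are assumptions made for the example.

```python
"""Hardening checks for the two weakness classes in VU#777024.

Added illustration for this page, not NMS300 code. The servlet and
parameter names are taken from the advisory; the allow-list, the
directory layout and every function name below are assumptions.
"""
from pathlib import Path

# Assumption: the upload servlet is only meant to receive image files.
ALLOWED_UPLOAD_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# Assumption: suffixes a servlet container would execute if the file were
# served from the web root (the Snort rule on this page watches for .jsp).
EXECUTABLE_EXTENSIONS = {".jsp", ".jspx", ".war", ".jar", ".class"}


def validate_upload_filename(filename: str) -> str:
    """Return a safe basename for a client-supplied upload name (CWE-434).

    Raises ValueError when the name carries a NUL byte, has no extension,
    carries an executable suffix anywhere (so 'x.jsp.png' is refused too),
    or its final suffix is not on the allow-list. Any directory component
    the client sent is discarded rather than trusted.
    """
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    # Take the last path component whichever separator the client used.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or name in {".", ".."}:
        raise ValueError("empty or relative filename")
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes:
        raise ValueError("filename has no extension")
    if any(s in EXECUTABLE_EXTENSIONS for s in suffixes):
        raise ValueError(f"executable file type refused: {name}")
    if suffixes[-1] not in ALLOWED_UPLOAD_EXTENSIONS:
        raise ValueError(f"file type not on allow-list: {suffixes[-1]}")
    return name


def resolve_within(base_dir: str, requested: str) -> Path:
    """Resolve a client-supplied path strictly inside base_dir (CWE-22).

    The request may contain '..', an absolute path, mixed separators or a
    symlink; the canonicalised result must still lie under the canonical
    base directory, otherwise ValueError is raised. This is the kind of
    containment check the note says the realName parameter lacks.
    """
    if "\x00" in requested:
        raise ValueError("NUL byte in path")
    base = Path(base_dir).resolve()
    # Joining drops `base` entirely when `requested` is absolute, so the
    # containment test below, not the join, is what enforces the boundary.
    candidate = (base / requested.replace("\\", "/")).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes {base}: {requested!r}") from None
    return candidate


def audit_upload_names(names):
    """Map each constructed upload name to an accept/reject verdict."""
    verdicts = {}
    for name in names:
        try:
            verdicts[name] = "accepted as " + validate_upload_filename(name)
        except ValueError as exc:
            verdicts[name] = "rejected: " + str(exc)
    return verdicts


def audit_export_paths(base_dir, requests):
    """Map each constructed realName-style value to an accept/reject verdict."""
    verdicts = {}
    for req in requests:
        try:
            verdicts[req] = "accepted: " + str(resolve_within(base_dir, req))
        except ValueError as exc:
            verdicts[req] = "rejected: " + str(exc)
    return verdicts


if __name__ == "__main__":
    # Constructed inputs: one benign shape and several hostile shapes per check.
    for name, verdict in audit_upload_names(
            ["logo.png", "C:\\temp\\..\\photo.jpeg", "shell.jsp",
             "shell.jsp.png", "notes.txt"]).items():
        print(f"{name!r:32} {verdict}")
    for req, verdict in audit_export_paths(
            "upload_root", ["images/logo.png", "../../application.properties",
                            "/absolute/elsewhere.txt"]).items():
        print(f"{req!r:32} {verdict}")
```

Two design points are worth noting. The upload check inspects every suffix, not only the last one, because a container that maps `*.jsp` to its JSP engine may be fronted by a proxy or a different handler that keys on a different suffix; refusing any executable suffix anywhere in the name closes that ambiguity. The path check deliberately does the containment test after `resolve()`, since `..` segments and symlinks are only visible once the path has been canonicalised; a string-level filter for `..` would miss an absolute path and a symlinked directory alike.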

Impact

An unauthenticated attacker on the network can upload arbitrary files to the server's root web directory, leading to data creation and arbitrary code execution with SYSTEM privileges. An authenticated attacker on the network can access any file on the server host.

Solution

The CERT/CC is currently unaware of a practical solution to this problem and recommends the following workaround.

Restrict access

Enable firewall rules to restrict untrusted sources from accessing the web management interface.

Vendor Information

Vendor: Netgear, Inc.
Status: Affected
Date Notified: 04 Dec 2015
Date Updated: 25 Jan 2016

CVSS Metrics

Base: 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C)
Temporal: 7.5 (E:POC/RL:U/RC:C)
Environmental: 5.6 (CDP:ND/TD:M/CR:ND/IR:ND/AR:ND)

References

  • http://downloadcenter.netgear.com/en/product/NMS300#
  • https://cwe.mitre.org/data/definitions/434.html
  • https://cwe.mitre.org/data/definitions/22.html
  • http://seclists.org/fulldisclosure/2016/Feb/30

Credit

Thanks to Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security for reporting this vulnerability.

This document was written by Joel Land.

Other Information

  • CVE IDs: CVE-2016-1524, CVE-2016-1525
  • Date Public: 03 Feb 2016
  • Date First Published: 03 Feb 2016
  • Date Last Updated: 04 Feb 2016
  • Document Revision: 21

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

URL: http://www.kb.cert.org/vuls/id/777024

CWE : Common Weakness Enumeration

100 % - CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type: Application - Count: 1

Snort® IPS/IDS

Date Description
2016-04-07 Netgear ProSafe NMS image.do directory traversal attempt
RuleID : 38132 - Revision : 2 - Type : SERVER-WEBAPP
2016-04-07 Netgear ProSafe NMS image.do directory traversal attempt
RuleID : 38131 - Revision : 2 - Type : SERVER-WEBAPP
2016-04-05 Netgear ProSafe NMS arbitrary JSP file upload attempt
RuleID : 37890 - Revision : 2 - Type : SERVER-WEBAPP

Alert History

Date - Information
2020-05-23 13:17:16
  • Multiple Updates
2016-03-21 17:27:52
  • Multiple Updates
2016-03-11 00:29:13
  • Multiple Updates
2016-02-26 21:25:31
  • Multiple Updates
2016-02-26 17:28:36
  • Multiple Updates
2016-02-13 09:29:07
  • Multiple Updates
2016-02-04 21:30:02
  • Multiple Updates
2016-02-04 21:24:46
  • Multiple Updates
2016-02-03 21:31:28
  • Multiple Updates
2016-02-03 21:25:12
  • First insertion