CVE-2016-1524
Published 2016-02-13
Priority P183 · critical · 9.6 (CVSS 3.0)
AV:A / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
EXPLOIT
EPSS: 94.10% (99.8th percentile)
Multiple unrestricted file upload vulnerabilities in NETGEAR Management System NMS300 1.5.0.11 and earlier allow remote attackers to execute arbitrary Java code by using (1) fileUpload.do or (2) lib-1.0/external/flash/fileUpload.do to upload a JSP file, and then accessing it via a direct request for a /null URI.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgear | prosafe_network_management_software_300 | <= 1.5.0.11 | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /data/config/image.do?method=add containing path traversal sequences (../../) in the realName parameter, indicating exploitation of CVE-2016-1524 arbitrary file download.
- Detect GET requests to /data/config/image.do?method=export&imageId= on port 8080, which is the final step to exfiltrate a file via the path traversal vulnerability.
- Detect POST requests to /data/getPage.do?method=getPageList&type=configImgManager, used by attackers to enumerate imageId values for subsequent file download exploitation.
- CVE-2016-1524 (arbitrary file download) requires authentication, whereas the related CVE-2016-1525 (arbitrary file upload/RCE) does not. Detections for the download path should account for authenticated sessions.
- Affected versions confirmed in testing are NMS300 1.5.0.11, 1.5.0.2, 1.4.0.17, and 1.1.0.13; scope detections accordingly.
- NMS300 runs on Windows and the file download vulnerability allows retrieval of any file accessible to the SYSTEM user, making credential/config files high-value targets.
- No fix was available at time of disclosure; vendor guidance was to not expose NMS300 to the Internet or untrusted networks.
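The three request patterns in the list above can be checked together and correlated per source. The following is an added example, not code from this page or its sources. It assumes a reverse proxy that writes JSON lines with hypothetical fields `src`, `method`, `uri` and a form-encoded `body`; the sample records are constructed, and the port is not checked.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample records: JSON lines from a hypothetical reverse proxy that
# logs form-encoded request bodies. Field names are assumptions, not NMS300 output.
SAMPLE = r'''
{"src":"10.0.0.5","method":"POST","uri":"/data/getPage.do?method=getPageList&type=configImgManager","body":"everyPage=10"}
{"src":"10.0.0.5","method":"POST","uri":"/data/config/image.do?method=add","body":"realName=..%2f..%2f..%2fexample.txt&version=1"}
{"src":"10.0.0.5","method":"GET","uri":"/data/config/image.do?method=export&imageId=7","body":""}
{"src":"10.0.0.9","method":"POST","uri":"/data/config/image.do?method=add","body":"realName=switch-fw.bin&version=2"}
'''

TRAVERSAL = re.compile(r"\.\.[/\\]")  # ../ or ..\ (NMS300 runs on Windows)

def classify(rec):
    """Return the indicator name matched by one request record, or None."""
    url = urlsplit(rec["uri"])
    q = {k: v[0] for k, v in parse_qs(url.query).items()}
    method = rec["method"].upper()
    if url.path == "/data/config/image.do":
        if method == "POST" and q.get("method") == "add":
            # parse_qs decodes once; unquote catches a second layer of encoding.
            names = parse_qs(rec.get("body", "")).get("realName", [])
            if any(TRAVERSAL.search(unquote(n)) for n in names):
                return "traversal_add"
        if method == "GET" and q.get("method") == "export" and "imageId" in q:
            return "export"
    if (url.path == "/data/getPage.do" and method == "POST"
            and q.get("method") == "getPageList"
            and q.get("type") == "configImgManager"):
        return "enumerate"
    return None

def scan(lines):
    """Collect indicators per source; 'chained' means traversal add then export."""
    hits = defaultdict(list)
    for line in filter(None, (l.strip() for l in lines)):
        rec = json.loads(line)
        tag = classify(rec)
        if tag:
            hits[rec["src"]].append(tag)
    return {src: {"indicators": tags,
                  "chained": "traversal_add" in tags
                  and "export" in tags[tags.index("traversal_add"):]}
            for src, tags in hits.items()}

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE.splitlines()), indent=2))
```

A source with `chained` set has sent a traversal-bearing add followed by an export, which is the sequence worth alerting on; a lone export or enumeration request is also normal administrative traffic.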
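CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.6 | CRITICAL | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 8.3 | HIGH | AV:A/AC:L/Au:N/C:C/I:C/A:C |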
No detection rules found.
Exploit-DB
Netgear NMS300 ProSafe Network Management System - Multiple Vulnerabilities
exploitdb · 2016-02-04 · CVSS 8.6 · CVE-2016-1525 [HIGH]
---
>> Remote code execution / arbitrary file download in NETGEAR ProSafe Network Management System NMS300
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security (http://www.agileinfosec.co.uk/)
Disclosure: 04/02/2016 / Last updated: 04/02/2016
>> Background on the affected product:
"NMS300
ProSAFE® Network Management System
Diagnose, control, and optimize your network devices.
The NETGEAR Management System NMS300 delivers insight into network elements, including third-party devices. An intuitive, web-based user interface makes it easier to monitor and administer an entire network."
>> Summary:
Netgear's NMS300 is a network management utility that runs on Windows systems. It has seriou
Metasploit
NETGEAR ProSafe Network Management System 300 Authenticated File Download
metasploit
Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems. The application has a file download vulnerability that can be exploited by an authenticated remote attacker to download any file in the system. This module has been tested with versions 1.5.0.2, 1.4.0.17 and 1.1.0.13.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/135618/Netgear-Pro-NMS-300-Code-Execution-File-Download.html
- http://seclists.org/fulldisclosure/2016/Feb/30
- http://www.kb.cert.org/vuls/id/777024
- http://www.securityfocus.com/archive/1/537446/100/0/threaded
- https://www.exploit-db.com/exploits/39412/