CVE-2016-1525
Published 2016-02-13
Priority: P2 · 72 · high · CVSS 3.0 base score 8.6
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Exploit: public exploit available
EPSS: 75.01% (99.4th percentile)
Directory traversal vulnerability in data/config/image.do in NETGEAR Management System NMS300 1.5.0.11 and earlier allows remote authenticated users to read arbitrary files via a .. (dot dot) in the realName parameter.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgear | prosafe_network_management_software_300 | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to /lib-1.0/external/flash/fileUpload.do or /fileUpload.do with multipart/form-data content containing a .jsp filename; this indicates an arbitrary JSP file upload exploitation attempt.
- Uploaded JSP webshells will be accessible at the web root with a 'null' prefix in the filename (e.g., /null<name>.jsp). Monitor HTTP GET requests matching the pattern /null*.jsp on port 8080.
- Detect POST requests to /data/config/image.do?method=add containing dot-dot sequences (../) in the realName parameter; this indicates directory traversal / arbitrary file download exploitation (CVE-2016-1524).
- A GET request to /fileUpload.do returning HTTP 405 is used by the Metasploit module as a check to confirm the target is a vulnerable NMS300 instance.
- The file upload vulnerability (CVE-2016-1525) is unauthenticated; the directory traversal / file download vulnerability (CVE-2016-1524) requires authentication. These are two distinct vulnerabilities often chained together.
- Affected versions confirmed in the exploit PoC are NMS300 1.5.0.11, 1.5.0.2, 1.4.0.17, and 1.1.0.13. The Metasploit module was also tested against 1.7.0.12 and 1.7.0.1.
- The NMS300 application runs on Windows and the uploaded JSP payload executes as the SYSTEM user, meaning successful exploitation yields full system compromise.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.6 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| nvd | 2.0 | 7.8 | HIGH | AV:N/AC:L/Au:N/C:C/I:N/A:N |
No detection rules found.
Exploit-DB
Netgear NMS300 ProSafe Network Management System - Arbitrary File Upload (Metasploit)
exploitdb · 2016-03-01 · CVE-2016-1525
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
# The class declaration and module metadata between "Metasploit4" and 'Name' were lost in extraction; the snippet is truncated in the source.
class Metasploit4 'NETGEAR ProSafe Network Management System 300 Arbitrary File Upload',
'Description' => %q{
Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.
The application has a file upload vulnerability that can be exploited by an
unauthenticated remote attacker to execute code as the SYSTEM user.
Two servlets are vulnerable, FileUploadController (located at
/lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at /fileUpload.do).
This module exploits the latter, and has been tested
```
Exploit-DB
Netgear NMS300 ProSafe Network Management System - Multiple Vulnerabilities
exploitdb · 2016-02-04 · CVSS 8.6 · CVE-2016-1525 [HIGH]
---
>> Remote code execution / arbitrary file download in NETGEAR ProSafe Network Management System NMS300
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security (http://www.agileinfosec.co.uk/)
Disclosure: 04/02/2016 / Last updated: 04/02/2016
>> Background on the affected product:
"NMS300
ProSAFE® Network Management System
Diagnose, control, and optimize your network devices.
The NETGEAR Management System NMS300 delivers insight into network elements, including third-party devices. An intuitive, web-based user interface makes it easier to monitor and administer an entire network."
>> Summary:
Netgear's NMS300 is a network management utility that runs on Windows systems. It has seriou
Metasploit
NETGEAR ProSafe Network Management System 300 Arbitrary File Upload
Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems. The application has multiple vulnerabilities that can allow an unauthenticated remote attacker to execute code as SYSTEM user. Vulnerabilities include authentication bypass, SQL injection, arbitrary file upload, and privilege escalation across various versions. This module is able to spawn a meterpreter session by chaining together two specific vulnerabilities inside the FileUploadController and MyHandlerInterceptor classes. This module has been tested with versions 1.5.0.2, 1.4.0.17, 1.1.0.13, 1.7.0.12, and 1.7.0.1.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/135618/Netgear-Pro-NMS-300-Code-Execution-File-Download.html
- http://packetstormsecurity.com/files/135999/NETGEAR-ProSafe-Network-Management-System-300-Arbitrary-File-Upload.html
- http://seclists.org/fulldisclosure/2016/Feb/30
- http://www.kb.cert.org/vuls/id/777024
- http://www.rapid7.com/db/modules/exploit/windows/http/netgear_nms_rce
- http://www.securityfocus.com/archive/1/537446/100/0/threaded
- https://www.exploit-db.com/exploits/39412/
- https://www.exploit-db.com/exploits/39515/