CVE-2016-6600
Published 2017-01-23
Priority: P1 · 82 · Critical 9.8 (CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 90.45% (99.8th percentile)
Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to upload and execute arbitrary JSP files via a .. (dot dot) in the fileName parameter to servlets/FileUploadServlet.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | webnms_framework | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to /servlets/FileUploadServlet containing a 'fileName' parameter with directory traversal sequences (e.g., '../'), especially those targeting '../jsp/Login.jsp' or '../jsp/WebStart*.jsp'.
- Detect unauthenticated GET requests to /servlets/FetchFile with a 'fileName' parameter containing directory traversal sequences ('../') to identify exploitation of CVE-2016-6601 alongside CVE-2016-6600.
- Alert on HTTP requests containing the 'UserName' header set to privileged accounts (e.g., 'root') targeting /servlets/GetChallengeServlet, indicating user impersonation attempts (CVE-2016-6603).
- Monitor for JSP file creation or modification in the WebNMS '../jsp/' directory, particularly files named 'Login.jsp' or matching 'WebStart*.jsp', which are the only filenames executable without authentication.
- Flag unauthenticated retrieval of 'conf/securitydbData.xml' via the FetchFile servlet, which exposes obfuscated credentials for all WebNMS user accounts.
Caveats from the sources:
- Only text files can be uploaded via FileUploadServlet; binary files will be mangled. Exploit payloads must be text-based (e.g., JSP). Detection rules should not assume binary file uploads as part of this attack chain.
- The directory traversal upload only achieves unauthenticated code execution when files are dropped into '../jsp/' AND named exactly 'Login.jsp' or matching 'WebStartXXX.jsp'. Uploads to other paths or with other names do not directly yield unauthenticated RCE.
- The FetchFile directory traversal (CVE-2016-6601) only correctly downloads text files; binary files are mangled. Credential theft via securitydbData.xml is feasible since it is an XML (text) file.
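The first two detection items above (traversal in the 'fileName' parameter sent to /servlets/FileUploadServlet and /servlets/FetchFile) can be checked directly against web server access logs. The following is an added example, not code from the page's sources or from the WebNMS vendor: it parses Common Log Format lines, percent-decodes the 'fileName' value repeatedly so that '%2e%2e%2f' and double-encoded '..%252f' variants are caught, and grades the finding by the caveats listed above (a traversal upload is rated high only when the name is 'Login.jsp' or 'WebStart*.jsp' under 'jsp/', a traversal download is rated high when it reaches 'securitydbData.xml'). The log lines and client addresses are constructed for the example. Two limits worth knowing: a 'fileName' carried in a multipart POST body never reaches the access log, so that case needs a WAF or full-request log rather than this script, and the 'UserName' header check for CVE-2016-6603 is likewise out of reach of CLF logs.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format), not real traffic.
# Client IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Aug/2016:12:00:01 +0000] "POST /servlets/FileUploadServlet?fileName=../jsp/Login.jsp HTTP/1.1" 200 12
203.0.113.10 - - [10/Aug/2016:12:00:02 +0000] "GET /jsp/Login.jsp HTTP/1.1" 200 4821
198.51.100.7 - - [10/Aug/2016:12:05:13 +0000] "GET /servlets/FetchFile?fileName=%2e%2e%2fconf%2fsecuritydbData.xml HTTP/1.1" 200 3390
192.0.2.44 - - [10/Aug/2016:12:07:30 +0000] "POST /servlets/FileUploadServlet?fileName=report.txt HTTP/1.1" 200 12
192.0.2.44 - - [10/Aug/2016:12:08:00 +0000] "GET /servlets/FetchFile?fileName=..%252f..%252fconf%252fsecuritydbData.xml HTTP/1.1" 200 3390
192.0.2.45 - - [10/Aug/2016:12:09:00 +0000] "GET /index.html HTTP/1.1" 200 100
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)
# A '..' path segment anywhere in the normalized fileName value.
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')
# The only names WebNMS executes without authentication, per the sources above.
UNAUTH_JSP_RE = re.compile(r'(?:^|/)jsp/(?:Login|WebStart[^/]*)\.jsp$', re.IGNORECASE)


def normalize(value, rounds=3):
    """Percent-decode repeatedly (bounded) and fold backslashes so that
    '..%2f', '..%252f' and '..\\' variants all collapse to '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/')


def analyze_line(line):
    """Return a list of findings (possibly empty) for one access-log line."""
    m = CLF_RE.match(line)
    if not m:
        return []
    url = urlsplit(m['target'])
    path = normalize(url.path)
    # parse_qs decodes once; normalize() takes care of double encoding.
    names = [normalize(v) for v in
             parse_qs(url.query, keep_blank_values=True).get('fileName', [])]
    findings = []
    for name in names:
        if not TRAVERSAL_RE.search(name):
            continue
        base = {'ip': m['ip'], 'ts': m['ts'], 'method': m['method'],
                'status': m['status'], 'fileName': name}
        if path.endswith('/servlets/FileUploadServlet'):
            # Upload traversal: high only when the name is one WebNMS runs unauthenticated.
            sev = 'high' if UNAUTH_JSP_RE.search(name) else 'medium'
            findings.append(dict(base, rule='CVE-2016-6600 traversal upload', severity=sev))
        elif path.endswith('/servlets/FetchFile'):
            # Download traversal: high when it reaches the credential store.
            sev = 'high' if name.lower().endswith('securitydbdata.xml') else 'medium'
            findings.append(dict(base, rule='CVE-2016-6601 traversal download', severity=sev))
    return findings


def scan(log_text):
    """Run analyze_line over every non-empty line and collect all findings."""
    return [f for line in log_text.splitlines() if line.strip() for f in analyze_line(line)]


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:14} {f['rule']}: "
              f"fileName={f['fileName']!r} ({f['method']} {f['status']})")
```

Run against the sample, the script reports three findings (the Login.jsp upload and the two securitydbData.xml downloads) and ignores the plain 'report.txt' upload, which carries no traversal sequence. Pairing a high-severity upload finding with a subsequent GET of /jsp/Login.jsp from the same client, as in the first two sample lines, is the pattern to treat as an executed payload rather than a probe.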
CVSS provenance
NVD v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
Exploit-DB
WebNMS Framework Server 5.2/5.2 SP1 - Multiple Vulnerabilities (exploitdb · 2016-08-10 · CVSS 9.8; also indexed under CVE-2016-6603 [CRITICAL])
---
>> Multiple vulnerabilities in WebNMS Framework Server 5.2 and 5.2 SP1
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
Disclosure: 04/07/2016 / Last updated: 08/08/2016
>> Background on the affected product:
"WebNMS is an industry-leading framework for building network management applications. With over 25,000 deployments worldwide and in every Tier 1 Carrier, network equipment providers and service providers can customize, extend and rebrand WebNMS as a comprehensive Element Management System (EMS) or Network Management System (NMS).
NOC Operators, Architects and Developers can customize the functional modules to fit their domain and network. Functional modules include Fault Correlation, Pe
Metasploit
WebNMS Framework Server Arbitrary File Upload (metasploit)
This module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an unauthenticated user to upload text files by using a directory traversal attack on the FileUploadServlet servlet. A JSP file can be uploaded that then drops and executes a malicious payload, achieving code execution under the user which the WebNMS server is running. This module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on Windows and Linux.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/138244/WebNMS-Framework-5.2-SP1-Traversal-Weak-Obfuscation-User-Impersonation.html
- http://seclists.org/fulldisclosure/2016/Aug/54
- http://www.securityfocus.com/archive/1/539159/100/0/threaded
- http://www.securityfocus.com/bid/92402
- https://blogs.securiteam.com/index.php/archives/2712
- https://forums.webnms.com/topic/recent-vulnerabilities-in-webnms-and-how-to-protect-the-server-against-them
- https://github.com/pedrib/PoC/blob/master/advisories/webnms-5.2-sp1-pwn.txt
- https://www.exploit-db.com/exploits/40229/