CVE-2016-6601
Published 2017-01-23
Priority P2 · 75 · high · 7.5 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: EPSS 97.36% (99.9th percentile)
Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | webnms_framework | — | — |
Detection & IOCs (extracted from sources)
- Detect directory traversal exploitation of the FetchFile servlet by monitoring GET requests to /servlets/FetchFile with a 'fileName' parameter containing '../' sequences.
- Alert on requests to /servlets/FetchFile targeting conf/securitydbData.xml, which exposes all obfuscated user credentials.
- Detect user impersonation attempts by monitoring HTTP requests to /servlets/GetChallengeServlet that include a 'UserName' HTTP header, especially with value 'root'.
- Only text files can be downloaded properly via the FetchFile traversal; binary files will be mangled. Focus detection on text-based sensitive file paths (e.g., /etc/shadow, /etc/passwd, securitydbData.xml).
- On Windows targets, traversal via FetchFile is limited to files on the same drive as the WebNMS installation; adjust detection scope accordingly.
- The FetchFile directory traversal only correctly downloads text files; binary files are mangled in transit, limiting the scope of exfiltrable data but not eliminating the risk for text-based sensitive files.
- CVE-2016-6601 (FetchFile traversal) can be chained with CVE-2016-6602 (weak password obfuscation) to achieve full unauthenticated credential disclosure, and further chained with CVE-2016-6600 (FileUploadServlet RCE) for complete remote compromise.
- The UserName HTTP header impersonation (CVE-2016-6603) requires no prior credentials and returns a valid authenticated session cookie, making it a trivial privilege escalation step after credential discovery via CVE-2016-6601.
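The detection guidance above turned into runnable rule logic, run over constructed sample events. This is an added example, not code from the CVE record or from any of the linked sources; the event shape (a reverse-proxy style record with `uri` and `headers`), the field names and the sample addresses are assumptions. It goes slightly beyond the bullet list by percent-decoding the `fileName` value repeatedly and normalising backslashes, so double-encoded or Windows-style traversal is caught as well as a literal `../`.

```python
"""Detection rules for the WebNMS FetchFile traversal (CVE-2016-6601) and the
GetChallengeServlet 'UserName' header abuse (CVE-2016-6603), applied to
constructed sample events. Added example; not part of the CVE record."""
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample events in the shape of a reverse-proxy JSON log.
# These are not captured traffic; they only exercise the rules below.
SAMPLE_EVENTS: List[Dict] = [
    {"src": "10.0.0.5", "method": "GET",
     "uri": "/servlets/FetchFile?fileName=help/index.html", "headers": {}},
    {"src": "198.51.100.7", "method": "GET",
     "uri": "/servlets/FetchFile?fileName=../../conf/securitydbData.xml", "headers": {}},
    {"src": "198.51.100.7", "method": "GET",
     "uri": "/servlets/FetchFile?fileName=..%2F..%2F..%2Fetc%2Fpasswd", "headers": {}},
    # double-encoded: %252e%252e%252f -> %2e%2e%2f -> ../
    {"src": "198.51.100.9", "method": "GET",
     "uri": "/servlets/FetchFile?fileName=%252e%252e%252fWEB-INF%252fconf%252fsecuritydbData.xml",
     "headers": {}},
    {"src": "198.51.100.7", "method": "GET",
     "uri": "/servlets/GetChallengeServlet", "headers": {"UserName": "root"}},
    {"src": "10.0.0.6", "method": "GET",
     "uri": "/servlets/GetChallengeServlet", "headers": {"Accept": "*/*"}},
]

# Text-based targets named in the detection guidance (matched case-insensitively).
SENSITIVE_BASENAMES = {"securitydbdata.xml", "passwd", "shadow"}


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so '..%252F' is seen as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def _normalise(file_name: str) -> str:
    # Decode, then treat backslashes as separators (Windows installs).
    return fully_decode(file_name).replace("\\", "/")


def has_traversal(file_name: str) -> bool:
    """True when any path segment of the decoded value is exactly '..'."""
    return any(seg == ".." for seg in _normalise(file_name).split("/"))


def targets_sensitive_file(file_name: str) -> bool:
    """True when the decoded value's basename is one of the known text targets."""
    return _normalise(file_name).rsplit("/", 1)[-1].lower() in SENSITIVE_BASENAMES


def analyze(event: Dict) -> List[Dict]:
    """Apply all rules to one event and return a list of findings."""
    findings: List[Dict] = []
    parts = urlsplit(event["uri"])
    path = parts.path.lower()
    headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
    params = {k.lower(): v for k, v in parse_qs(parts.query).items()}

    if path.endswith("/servlets/fetchfile"):
        for file_name in params.get("filename", []):
            if has_traversal(file_name):
                findings.append({"rule": "fetchfile-traversal", "severity": "high",
                                 "src": event["src"], "detail": _normalise(file_name)})
            if targets_sensitive_file(file_name):
                findings.append({"rule": "fetchfile-sensitive-target", "severity": "high",
                                 "src": event["src"], "detail": _normalise(file_name)})

    if path.endswith("/servlets/getchallengeservlet") and "username" in headers:
        user = headers["username"]
        findings.append({"rule": "getchallenge-username-header",
                         "severity": "critical" if user == "root" else "high",
                         "src": event["src"], "detail": f"UserName={user}"})
    return findings


def scan(events: List[Dict]) -> List[Dict]:
    """Run analyze() over a batch of events and flatten the findings."""
    return [f for ev in events for f in analyze(ev)]


def count_by_rule(findings: List[Dict]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
    print(count_by_rule(scan(SAMPLE_EVENTS)))
```

The two FetchFile rules are kept separate on purpose: a request for `conf/securitydbData.xml` without any `..` is still worth an alert, and a traversal to a file not on the short list is still a traversal. Tuning would normally add the installation's legitimate `fileName` values as an allow-list rather than loosening either rule.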
CVSS provenance
- NVD v3.0: 7.5 HIGH (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- NVD v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
GHSA
GHSA-rrpj-43vg-95p8: ZOHO WebNMS Framework 5 (CVE-2016-6602, HIGH, CWE-327)
ghsa_unreviewed · 2022-05-14 · CVSS 7.5
ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/securitydbData.xml. NOTE: this issue can be combined with CVE-2016-6601 for a remote exploit.
GHSA
GHSA-xh3h-35f7-mgq7: Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5 (CVE-2016-6601, HIGH, CWE-22)
ghsa_unreviewed · 2022-05-14
Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile.
No detection rules found.
Exploit-DB
WebNMS Framework Server 5.2/5.2 SP1 - Multiple Vulnerabilities (CVE-2016-6603, CRITICAL)
exploitdb · 2016-08-10 · CVSS 9.8
---
>> Multiple vulnerabilities in WebNMS Framework Server 5.2 and 5.2 SP1
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
Disclosure: 04/07/2016 / Last updated: 08/08/2016
>> Background on the affected product:
"WebNMS is an industry-leading framework for building network management applications. With over 25,000 deployments worldwide and in every Tier 1 Carrier, network equipment providers and service providers can customize, extend and rebrand WebNMS as a comprehensive Element Management System (EMS) or Network Management System (NMS).
NOC Operators, Architects and Developers can customize the functional modules to fit their domain and network. Functional modules include Fault Correlation, Pe
Metasploit
WebNMS Framework Server Arbitrary Text File Download
metasploit
This module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an unauthenticated user to download files off the file system by using a directory traversal attack on the FetchFile servlet. Note that only text files can be downloaded properly, as any binary file will get mangled by the servlet. Also note that for Windows targets you can only download files that are in the same drive as the WebNMS installation. This module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on Windows and Linux.
Nuclei
ZOHO WebNMS Framework <5.2 SP1 - Local File Inclusion (CVE-2016-6601, HIGH)
nuclei · CVSS 7.5
ZOHO WebNMS Framework before version 5.2 SP1 is vulnerable to local file inclusion, which allows an attacker to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile.
Template:
```yaml
id: CVE-2016-6601
info:
  name: ZOHO WebNMS Framework <5.2 SP1 - Local File Inclusion
  author: 0x_Akoko
  severity: high
  description: ZOHO WebNMS Framework before version 5.2 SP1 is vulnerable local file inclusion which allows an attacker to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, remote code execution, or complete compromise of the affected system.
  remediation: |
    Upgrade
```
Metasploit
WebNMS Framework Server Credential Disclosure
metasploit
This module abuses two vulnerabilities in WebNMS Framework Server 5.2 to extract all user credentials. The first vulnerability is an unauthenticated file download in the FetchFile servlet, which is used to download the file containing the user credentials. The second vulnerability is that the passwords in the file are obfuscated with a very weak algorithm which can be easily reversed. This module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on Windows and Linux.
References
- http://packetstormsecurity.com/files/138244/WebNMS-Framework-5.2-SP1-Traversal-Weak-Obfuscation-User-Impersonation.html
- http://seclists.org/fulldisclosure/2016/Aug/54
- http://www.rapid7.com/db/modules/auxiliary/admin/http/webnms_cred_disclosure
- http://www.rapid7.com/db/modules/auxiliary/admin/http/webnms_file_download
- http://www.securityfocus.com/archive/1/539159/100/0/threaded
- http://www.securityfocus.com/bid/92402
- https://blogs.securiteam.com/index.php/archives/2712
- https://forums.webnms.com/topic/recent-vulnerabilities-in-webnms-and-how-to-protect-the-server-against-them
- https://github.com/pedrib/PoC/blob/master/advisories/webnms-5.2-sp1-pwn.txt
- https://www.exploit-db.com/exploits/40229/