CVE-2016-6602
Published 2017-01-23
Priority P274 · critical 9.8 · CVSS 3.0
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS 54.79% (98.9th percentile)
ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/securitydbData.xml. NOTE: this issue can be combined with CVE-2016-6601 for a remote exploit.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | webnms_framework | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated GET requests to /servlets/FetchFile with 'fileName=conf/securitydbData.xml' in the query string, indicating credential file exfiltration chained with CVE-2016-6601.
- Detect directory traversal patterns (e.g., '../') in the 'fileName' parameter of requests to /servlets/FetchFile and /servlets/FileUploadServlet.
- Detect HTTP requests to /servlets/GetChallengeServlet containing a 'UserName' header, which is the mechanism for unauthenticated user impersonation (CVE-2016-6603, often chained with CVE-2016-6602).
- Monitor for access to securitydbData.xml on disk or via web requests; passwords in this file are weakly obfuscated and can be trivially reversed to cleartext.
- The FetchFile directory traversal (CVE-2016-6601) only correctly downloads text files; binary files are mangled, limiting exfiltration to text-based files like securitydbData.xml.
- CVE-2016-6602 (weak password obfuscation) is most dangerous when combined with CVE-2016-6601 (FetchFile traversal), enabling fully unauthenticated remote credential disclosure.
- The Metasploit auxiliary module for credential disclosure targets both Windows and Linux deployments of WebNMS Framework Server 5.2 and 5.2 SP1.
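Detection logic for the first two indicators above, written here as an added example (not code from any of the page's sources): it parses constructed access-log lines and flags requests to the two named servlets whose fileName parameter references securitydbData.xml or contains a traversal sequence, URL-decoding the value first so encoded variants are not missed. The log lines, timestamps and IP addresses are constructed sample data; whether a request was authenticated is not visible in such logs and must be checked elsewhere.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Servlets named on the page as the download / traversal entry points.
WATCHED_SERVLETS = ("/servlets/FetchFile", "/servlets/FileUploadServlet")
CRED_FILE = "securitydbData.xml"

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2016:10:01:02 +0000] "GET /servlets/FetchFile?fileName=conf/securitydbData.xml HTTP/1.1" 200 4213
10.0.0.5 - - [10/Aug/2016:10:01:09 +0000] "GET /servlets/FetchFile?fileName=..%2F..%2Fconf%2FsecuritydbData.xml HTTP/1.1" 200 4213
10.0.0.7 - - [10/Aug/2016:10:02:00 +0000] "GET /servlets/FetchFile?fileName=help/index.html HTTP/1.1" 200 812
10.0.0.9 - - [10/Aug/2016:10:03:30 +0000] "POST /servlets/FileUploadServlet?fileName=../../WEB-INF/web.xml HTTP/1.1" 500 0
10.0.0.9 - - [10/Aug/2016:10:04:00 +0000] "GET /index.jsp HTTP/1.1" 200 1500
"""

# client, ident, user, [timestamp], "METHOD target protocol", status
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify(line):
    """Return detection labels for one access-log line ([] if nothing matched)."""
    m = REQ_RE.match(line)
    if not m:
        return []
    _src, _ts, _method, target, _status = m.groups()
    parts = urlsplit(target)
    if parts.path not in WATCHED_SERVLETS:
        return []
    # parse_qs decodes once; decode again so double-encoded '..' is also normalised.
    raw = parse_qs(parts.query).get("fileName", [""])[0]
    name = unquote(raw).replace("\\", "/")
    labels = []
    if ".." in name.split("/"):
        labels.append("traversal")
    if name.endswith(CRED_FILE):
        labels.append("cred-file")
    return labels


def scan(log_text):
    """Return one dict per flagged line: source IP, request target and labels."""
    hits = []
    for line in log_text.splitlines():
        labels = classify(line)
        if labels:
            m = REQ_RE.match(line)
            hits.append({"src": m.group(1), "target": m.group(4), "labels": labels})
    return hits
```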
CVSS provenance
- NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
No detection rules found.
Exploit-DB
WebNMS Framework Server 5.2/5.2 SP1 - Multiple Vulnerabilities (CVE-2016-6603 [CRITICAL])
exploitdb · 2016-08-10 · CVSS 9.8
---
>> Multiple vulnerabilities in WebNMS Framework Server 5.2 and 5.2 SP1
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
Disclosure: 04/07/2016 / Last updated: 08/08/2016
>> Background on the affected product:
"WebNMS is an industry-leading framework for building network management applications. With over 25,000 deployments worldwide and in every Tier 1 Carrier, network equipment providers and service providers can customize, extend and rebrand WebNMS as a comprehensive Element Management System (EMS) or Network Management System (NMS).
NOC Operators, Architects and Developers can customize the functional modules to fit their domain and network. Functional modules include Fault Correlation, Pe
Metasploit
WebNMS Framework Server Credential Disclosure
This module abuses two vulnerabilities in WebNMS Framework Server 5.2 to extract all user credentials. The first vulnerability is an unauthenticated file download in the FetchFile servlet, which is used to download the file containing the user credentials. The second vulnerability is that the passwords in the file are obfuscated with a very weak algorithm which can be easily reversed. This module has been tested with WebNMS Framework Server 5.2 and 5.2 SP1 on Windows and Linux.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/138244/WebNMS-Framework-5.2-SP1-Traversal-Weak-Obfuscation-User-Impersonation.html
- http://seclists.org/fulldisclosure/2016/Aug/54
- http://www.rapid7.com/db/modules/auxiliary/admin/http/webnms_cred_disclosure
- http://www.securityfocus.com/archive/1/539159/100/0/threaded
- http://www.securityfocus.com/bid/92402
- https://blogs.securiteam.com/index.php/archives/2712
- https://forums.webnms.com/topic/recent-vulnerabilities-in-webnms-and-how-to-protect-the-server-against-them
- https://github.com/pedrib/PoC/blob/master/advisories/webnms-5.2-sp1-pwn.txt
- https://www.exploit-db.com/exploits/40229/