NETGEAR ProSAFE NMS300 security exploit guide - vulnerability warning - the black bar safety net

ID MYHACK58:62201671757
Type myhack58
Reporter anonymous (佚名)
Modified 2016-02-06T00:00:00



> A security researcher has released code showing that the Netgear ProSAFE NMS300 network management system contains two exploitable, serious security vulnerabilities.

Are you using the Netgear ProSAFE NMS300 management system? If so, you have reason to worry: security researcher Pedro Ribeiro has found two serious security vulnerabilities in the device.

The Netgear ProSAFE NMS300 management system lets administrators monitor and manage their network through a user-friendly web interface.

The first of the device's vulnerabilities, an unrestricted upload of files of a dangerous type, is designated CVE-2016-1524 and allows a remote, unauthenticated attacker to upload arbitrary files to the system.

Once the upload completes, the file is reachable from the server root directory at the following URL:

> http://<IP>:8080/null<file name>

In addition, the uploaded file can then be executed with SYSTEM privileges.

This remote code execution vulnerability received a CVSS score of 8.3; an attacker can exploit it by sending a specially crafted POST request to either of the two Java servlets installed by default with the NMS300.

> "By sending a specially crafted POST request to the servlet, an attacker can upload arbitrary files, which are then accessible via the NMS300 server root directory at http://<IP>:8080/null<file name>. The NMS300 server runs with SYSTEM privileges," reads the report released by Carnegie Mellon University's CERT at https://www.kb.cert.org/vuls/id/777024.


The second vulnerability, an improper limitation of a pathname to a restricted directory ('path traversal'), is indexed as CVE-2016-1525. This Netgear ProSAFE NMS300 vulnerability is a directory traversal flaw that allows an authenticated attacker to download arbitrary files from the device.

> "An authenticated attacker can send a specially crafted POST request to http://<IP>:8080/data/config/image.do?method=add with a modified realName parameter, causing an arbitrary local file from the server host to be loaded into the web service at a predictable location. The file can then be downloaded from http://<IP>:8080/data/config/image.do?method=export&imageId=<ID>, where <ID> is numeric and is incremented by 1 each time a file is uploaded," the report adds.
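Both advisories above give defenders concrete request patterns to watch for: a file served from the server root under the `/null` prefix (CVE-2016-1524) and a POST to `image.do?method=add` whose `realName` parameter points outside the upload directory (CVE-2016-1525). The scanner below is an added example written for this article, not code from Netgear, CERT/CC or the researcher. It assumes requests are available as `(method, url, form)` records, for instance from a reverse proxy that logs form fields in front of the management interface on port 8080, and it uses constructed sample traffic; the traversal and absolute-path heuristics for `realName` are this example's own assumption about what a malicious parameter looks like.

```python
"""Flag request records matching the two NMS300 indicators from the CERT/CC report.

Assumption (not from the advisory): each record is (method, url, form_fields),
as a reverse proxy in front of the NMS300 on port 8080 might log them.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample traffic. The first three records are benign; the last
# three are the shapes the advisory describes.
SAMPLE_REQUESTS = [
    ("GET", "http://nms.example.internal:8080/index.jsp", {}),
    ("POST", "http://nms.example.internal:8080/data/config/image.do?method=add",
     {"realName": "switch-firmware.img"}),
    ("GET", "http://nms.example.internal:8080/data/config/image.do?method=export&imageId=7", {}),
    ("POST", "http://nms.example.internal:8080/data/config/image.do?method=add",
     {"realName": "..\\..\\..\\Windows\\win.ini"}),
    ("POST", "http://nms.example.internal:8080/data/config/image.do?method=add",
     {"realName": "C:\\nms\\conf\\app.properties"}),
    ("GET", "http://nms.example.internal:8080/nullprobe.txt", {}),
]

# Heuristics (assumed): a '..' path component, or a path that starts at a
# drive letter or filesystem root, has no business in an image file name.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
ABSOLUTE_RE = re.compile(r"^([A-Za-z]:[\\/]|[\\/])")


def suspicious_real_name(value):
    """True if a realName value looks like traversal or an absolute path."""
    return bool(TRAVERSAL_RE.search(value) or ABSOLUTE_RE.match(value))


def classify(method, url, form):
    """Return the list of indicator strings that apply to one request record."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    indicators = []

    # CVE-2016-1525 shape: POST image.do?method=add with a realName that
    # escapes the expected directory.
    if (method.upper() == "POST"
            and parts.path.endswith("/data/config/image.do")
            and query.get("method") == ["add"]
            and suspicious_real_name(form.get("realName", ""))):
        indicators.append("image.do add with traversal/absolute realName: "
                          + form["realName"])

    # CVE-2016-1524 shape: a request for a file exposed under the server-root
    # '/null' prefix. Heuristic only; a legitimate path beginning with
    # '/null' would also be reported.
    if parts.path.startswith("/null") and len(parts.path) > len("/null"):
        indicators.append("request for file under server-root /null prefix: "
                          + parts.path)

    return indicators


def scan(records):
    """Return [(index, indicators)] for every record that triggered at least one."""
    hits = []
    for i, record in enumerate(records):
        found = classify(*record)
        if found:
            hits.append((i, found))
    return hits


if __name__ == "__main__":
    for index, found in scan(SAMPLE_REQUESTS):
        for line in found:
            print(f"record {index}: {line}")
```

Run over the constructed sample, records 3, 4 and 5 are reported and the benign upload of `switch-firmware.img` is not. Because `realName` travels in the POST body, a plain access log will not contain it; the proxy or WAF in front of the interface has to record form fields for the first check to fire, which is one more reason to keep that interface off the Internet until a fix ships.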

Security expert Ribeiro reported this Netgear vulnerability through CERT/CC as early as 12 months ago, but as of now the problem is still present in the system.

Ribeiro has also released proof-of-concept code for the vulnerabilities; the two Metasploit modules can be downloaded here.

While waiting for a fix, it is recommended that everyone isolate the web management interface from the Internet.