ProSAFE NMS300 Security Vulnerability exploitation Guide

ProSAFE NMS300 Security Vulnerability exploitation Guide

A security researcher has released Code stating that two critical security vulnerabilities are available in the Netgear ProSAFE NMS300 network management system.

Are you using the Netgear ProSAFE NMS300 Management System? If the answer is yes, you may have to worry about it-because Pefro Ribeiro, a security researcher, has discovered two serious security vulnerabilities on this network device.

The Netgear ProSAFE NMS300 management system allows administrators to monitor and manage the network system on a user-friendly Web interface.

The security vulnerability that affects the device (not limited to uploading any high-risk file type) is authenticated as a CVE-2016-1524, which can be used by remote, unauthorized attackers to upload arbitrary files to the system.

Once the file is uploaded, the server root directory URL is obtained as follows:

Http :// : 8080/null <File Name>

In addition, it can be executed using the SYSTEM permission.

This remote code execution vulnerability scored 8.3 in CVSS. attackers can send a specially crafted POST request to one of the two small Java servlet service programs installed by default in NMS300 to exploit the vulnerability.

"By sending a specially crafted POST request to the servlet, attackers can successfully upload arbitrary files and use the http :// : 8080/null <File Name>. The NMS300 server will run it with the SYSTEM permission ." According to the report issued by Carnegie Mellon University CERT (address https://www.kb.cert.org/vuls/id/777024 ).

The second vulnerability (improper restriction on the name of a restricted directory ('path traversal ') was included as a CVE-2016-1525. This vulnerability also exists in Netgea ProSAFE NMS300, which is a directory traversal mechanism that allows authenticated attackers to download arbitrary files from the device.

"Authenticated attackers can send http :// : 8080/data/config/image. do? Method = add sends a specially crafted POST request to modify its realName parameter, so that any local file is loaded from the server host to a predictable location in the Web service. The file can then be accessed through http :// : 8080/data/config/image. do? Method = export & imageId = Download In the digital form, each time a file is uploaded, its count will be increased by 1. "This report adds.

As early as last December, security expert Ribeiro reported the Netgear vulnerability through CERT/CC, but the vulnerability still exists in the system.

Riberio also released proof of concept code for the vulnerability, you can click here to download the two Metasploit module (http://seclists.org/fulldisclosure/2016/Feb/30 ).

We recommend that you isolate the Web management interface from the Internet while waiting for repair.