Vulnerabilities > CVE-2016-1524 - Unspecified vulnerability in Netgear Prosafe Network Management Software 300 1.5.0.11

CVSS 8.3 - HIGH

Attack vector

ADJACENT_NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

low complexity

netgear

exploit available

metasploit

NVD

Published: 2016-02-13

Updated: 2018-10-09

Summary

Multiple unrestricted file upload vulnerabilities in NETGEAR Management System NMS300 1.5.0.11 and earlier allow remote attackers to execute arbitrary Java code by using (1) fileUpload.do or (2) lib-1.0/external/flash/fileUpload.do to upload a JSP file, and then accessing it via a direct request for a /null URI. <a href="http://cwe.mitre.org/data/definitions/434.html">CWE-434: Unrestricted Upload of File with Dangerous Type</a>

Vulnerable Configurations

Part	Description	Count
Application	Netgear Netgear Prosafe Network Management Software 300 1.5.0.11	1

Exploit-Db

description	NETGEAR ProSafe Network Management System NMS300 - Multiple Vulnerabilities. CVE-2016-1524,CVE-2016-1525. Webapps exploit for hardware platform
file	exploits/hardware/webapps/39412.txt
id	EDB-ID:39412
last seen	2016-02-05
modified	2016-02-04
platform	hardware
port
published	2016-02-04
reporter	Pedro Ribeiro
source	https://www.exploit-db.com/download/39412/
title	NETGEAR ProSafe Network Management System NMS300 - Multiple Vulnerabilities
type	webapps

Metasploit

description	Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems. The application has a file download vulnerability that can be exploited by an authenticated remote attacker to download any file in the system. This module has been tested with versions 1.5.0.2, 1.4.0.17 and 1.1.0.13.
id	MSF:AUXILIARY/ADMIN/HTTP/NETGEAR_AUTH_DOWNLOAD
last seen	2020-05-31
modified	2018-09-15
published	2016-02-03
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1524 https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt https://seclists.org/fulldisclosure/2016/Feb/30
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/netgear_auth_download.rb
title	NETGEAR ProSafe Network Management System 300 Authenticated File Download

Packetstorm

data source	https://packetstormsecurity.com/files/download/135618/netgear_nms_rce.txt
id	PACKETSTORM:135618
last seen	2016-12-05
published	2016-02-07
reporter	Pedro Ribeiro
source	https://packetstormsecurity.com/files/135618/Netgear-Pro-NMS-300-Code-Execution-File-Download.html
title	Netgear Pro NMS 300 Code Execution / File Download

The Hacker News

id	THN:E0863B17DEEAD331430C9E081425147F
last seen	2018-01-27
modified	2016-02-05
published	2016-02-05
reporter	Rakesh Krishnan
source	https://thehackernews.com/2016/02/network-management-system.html
title	Critical Flaws Found in NETGEAR Network Management System

Summary

Vulnerable Configurations

Exploit-Db

Metasploit

Packetstorm

The Hacker News

References