No patches for code exec holes in Netgear management box

Two dangerous un-patched remote code execution vulnerabilities that allow access to God-mode system privileges have been reported in Netgear's ProSafe Network Management 300 management software.

The file upload vulnerability (CVE-2016-1524) and restricted directory traversal (CVE-2016-1525) allow unauthenticated attackers to upload arbitrary files to the server's root web directory and access any file on servers.

Carnegie Mellon University CERT analyst Joel Land says there is no known fix and recommends users block untrusted sources via firewall rules.

"By sending a specially crafted POST request to the servlets, an attacker can upload arbitrary files that will then be accessible from the NMS300 server's root directory as http://<IP>:8080/null<filename> … with system privileges," Land says.

"An authenticated attacker can manipulate the realName parameter of a crafted POST request sent to http://<IP>:8080/data/config/image.do?method=add to load an arbitrary local file from the server host to a predictable location in the web service. The file can then be downloaded from http://<IP>:8080/data/config/image.do?method=export&imageId=<ID>, where <ID> is a count that increments by one every time a file is uploaded in this manner."

Agile Information Security researcher Pedro Ribeiro discovered the flaws and has released two Metasploit modules to make life easier for attackers penetration testers.

At the time of writing, Netgear appears not to have developed or distributed a patch, as the most recent update for the product is dated January 11th, 2016. ®