SonicWall Security Center


NetGain Enterprise Manager Command Injection Vulnerability (Jan 19, 2018)



Description


NetGain Enterprise Manager is a software platform providing comprehensive IT infrastructure monitoring and management that scales with rapid IT growth. It allows users to collect and view availability data in real time, along with historical statistics, directly from a web browser.

A remote code execution vulnerability exists in NetGain Enterprise Manager because the org.apache.jsp.u.jsp.tools.exec_jsp servlet does not properly check its input parameters. This allows an attacker to inject arbitrary commands and have them executed with the privileges of the web server.

The web-based administrative interface is implemented in J2EE and is served over HTTP, by default on port 8081. The vulnerable code is located in the _jspService function of the org.apache.jsp.u.jsp.tools.exec_jsp servlet. This servlet can be mapped to the URI /u/jsp/tools/exec.jsp.

Inside the _jspService function, the code only checks whether the "command" parameter from the POST request starts with "cmd /c ping" or "ping -c 5". Characters such as ";" or "|" can therefore be carried in the "command" variable and are executed as part of the string passed to Runtime.getRuntime().exec(). An attacker could pass a command parameter such as "ping -c 5;[malicious command]" to exploit this vulnerability.
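The gap between the prefix check described above and a safer design, as an added example (not NetGain's code, which this page does not reproduce). `prefixCheckOnly` is reconstructed from the description in the text; the class name, `buildPingArgv` and the host pattern are hypothetical, and the inputs are constructed.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class PingCommandCheck {
    // The check as the advisory describes it: only the start of the string is inspected,
    // so anything appended after the expected prefix is accepted as well.
    static boolean prefixCheckOnly(String command) {
        return command.startsWith("cmd /c ping") || command.startsWith("ping -c 5");
    }

    // Hostname or dotted IPv4 only: letters, digits, '.' and '-', starting and ending
    // with a letter or digit. No whitespace, no shell metacharacters, no leading '-'.
    private static final Pattern HOST =
        Pattern.compile("^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$");

    // Hardened alternative (assumed design): the client supplies a target host,
    // never a command line, and the server builds a fixed argument vector.
    static List<String> buildPingArgv(String host) {
        if (host == null || !HOST.matcher(host).matches()) {
            throw new IllegalArgumentException("rejected ping target");
        }
        // The host is a single argv element and is never parsed by a shell.
        return Arrays.asList("ping", "-c", "5", host);
    }

    public static void main(String[] args) {
        // Constructed inputs; the second is the placeholder form quoted in the advisory.
        String[] commands = { "ping -c 5 192.0.2.10", "ping -c 5;[malicious command]" };
        for (String c : commands) {
            System.out.println("prefix check accepts \"" + c + "\": " + prefixCheckOnly(c));
        }
        String[] hosts = { "192.0.2.10", "monitor01.example.com",
                           "192.0.2.10;[malicious command]", "-f" };
        for (String h : hosts) {
            try {
                System.out.println("argv for \"" + h + "\": " + buildPingArgv(h));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected \"" + h + "\": " + e.getMessage());
            }
        }
        // A caller would run the vector with: new ProcessBuilder(buildPingArgv(host)).start();
    }
}
```

The prefix check accepts both constructed command strings, while `buildPingArgv` returns a vector only for the two plain hosts and rejects the input carrying a ";" as well as the option-like "-f".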

The SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop these attacks:

  • IPS 13161: NetGain Systems Enterprise Manager Remote Command Execution


