Vulnerability Details : CVE-2016-6601
Public exploit exists!
Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile.
Vulnerability category: Directory traversal
Exploit prediction scoring system (EPSS) score for CVE-2016-6601
97.49%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2016-6601
-
WebNMS Framework Server Credential Disclosure
Disclosure Date: 2016-07-04First seen: 2020-04-26auxiliary/admin/http/webnms_cred_disclosureThis module abuses two vulnerabilities in WebNMS Framework Server 5.2 to extract all user credentials. The first vulnerability is an unauthenticated file download in the FetchFile servlet, which is used to download the file containing the user credentials. Th -
WebNMS Framework Server Arbitrary Text File Download
Disclosure Date: 2016-07-04First seen: 2020-04-26auxiliary/admin/http/webnms_file_downloadThis module abuses a vulnerability in WebNMS Framework Server 5.2 that allows an unauthenticated user to download files off the file system by using a directory traversal attack on the FetchFile servlet. Note that only text files can be downloaded properly, a
CVSS scores for CVE-2016-6601
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2016-6601
-
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-6601
-
http://www.rapid7.com/db/modules/auxiliary/admin/http/webnms_file_download
WebNMS Framework Server Arbitrary Text File DownloadThird Party Advisory
-
http://www.securityfocus.com/archive/1/539159/100/0/threaded
SecurityFocus
-
http://www.rapid7.com/db/modules/auxiliary/admin/http/webnms_cred_disclosure
WebNMS Framework Server Credential DisclosureThird Party Advisory
-
https://forums.webnms.com/topic/recent-vulnerabilities-in-webnms-and-how-to-protect-the-server-against-them
Recent Vulnerabilities in WebNMS and how to protect the server against them - WebNMS Developer Forums
-
http://packetstormsecurity.com/files/138244/WebNMS-Framework-5.2-SP1-Traversal-Weak-Obfuscation-User-Impersonation.html
WebNMS Framework 5.2 SP1 Traversal / Weak Obfuscation / User Impersonation ≈ Packet StormExploit;Third Party Advisory
-
http://www.securityfocus.com/bid/92402
WebNMS Framework Multiple Security VulnerabilitiesThird Party Advisory;VDB Entry
-
http://seclists.org/fulldisclosure/2016/Aug/54
Full Disclosure: [CVE-2016-6600/1/2/3]: Multiple vulnerabilities (RCE, file download, etc) in WebNMS Framework 5.2 / 5.2 SP1Exploit;Mailing List
-
https://github.com/pedrib/PoC/blob/master/advisories/webnms-5.2-sp1-pwn.txt
PoC/webnms-5.2-sp1-pwn.txt at master · pedrib/PoC · GitHubExploit
-
https://blogs.securiteam.com/index.php/archives/2712
SSD Advisory - WebNMS Framework Server Multiple Vulnerabilities - SSD Secure DisclosureExploit;Technical Description;Third Party Advisory
-
https://www.exploit-db.com/exploits/40229/
WebNMS Framework Server 5.2/5.2 SP1 - Multiple VulnerabilitiesExploit;Third Party Advisory
Products affected by CVE-2016-6601
- cpe:2.3:a:zohocorp:webnms_framework:5.2:sp1:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:webnms_framework:5.2:*:*:*:*:*:*:*