Can upload webshell via JSP pages with iManager cert server snapins which can be used to trigger system calls (CVE-2016-5750)

  • 7017807
  • 04-Jul-2016
  • 29-Aug-2016

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
Access Manager Administration Console
CVE-2016-5750

Situation

The iManager certificate server snapins allow an administrator to create user certificates. However, due to a vulnerability in these snapins, a rogue administrator could use the certificate import path to upload JSP files, which iManager then interprets, allowing the execution of system calls. A rogue administrator could use this, for example, to add a new local administrator account and log in via remote desktop.

To execute

- set up an HTTP proxy server that can intercept and replay requests, or enable Fiddler for the browser, which can also capture and replay requests
- log in to iManager and select the NetIQ Certificate Access -> User Certificates option
- create a new user certificate and select the import option (as opposed to custom/standard)
- select the type CERT and browse to upload an HTML file (e.g. test.html) containing some JavaScript you want to execute
- before clicking the OK button to upload, make sure that your upload request is being intercepted; then upload the file
- on the very next screen displayed, select the option to cancel the certificate creation process
- replay the same upload request again; if the process has been canceled and the file is uploaded again, it is copied to a temporary folder and is not deleted immediately because a plugin error occurs
- from the browser still logged in to iManager, access the uploaded file at /nps/tempFiles/test.html

The uploaded HTML file containing JavaScript (or a JSP file with system calls, if one was uploaded) is then interpreted when the browser requests it.
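From the defender's side, the observable artefact of this issue is a request to a script file under /nps/tempFiles/ on the Administration Console, since that is where a canceled-then-replayed upload is left behind. The following Python script is an added example, not part of the KB article or NetIQ's own tooling; it assumes the iManager web container writes a standard combined-format access log (adjust the regex to the format you actually collect), and the sample log lines are constructed for the demonstration. It reports any successful or attempted fetch of a .jsp/.jspx/.html/.htm file from the temporary folder and summarises the hits per client address, which is a reasonable hunting query to run across the window between 4.1/4.2 deployment and the hot fix.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed combined access-log format:
#   ip ident user [timestamp] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

TEMP_PREFIX = "/nps/tempFiles/"                     # folder named in the advisory
RISKY_EXT = (".jsp", ".jspx", ".html", ".htm")      # server-interpreted or script-bearing files


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Drop any query string so "upload.jsp?x=1" is still matched on its extension.
    entry["path"] = urlsplit(entry["target"]).path
    return entry


def is_suspicious(entry):
    """True when the request targets a script-type file inside the temp folder."""
    path = entry["path"].lower()
    return path.startswith(TEMP_PREFIX.lower()) and path.endswith(RISKY_EXT)


def find_tempfile_hits(lines):
    """Scan log lines and return the suspicious requests (status is kept so
    404s, i.e. attempts that found nothing, are still visible to the analyst)."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append({
                "ip": entry["ip"],
                "user": entry["user"],
                "ts": entry["ts"],
                "status": int(entry["status"]),
                "path": entry["path"],
            })
    return hits


def summarize_by_client(hits):
    """Count suspicious requests per source address."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log lines (not real traffic); only lines 3 and 4 should be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - admin [05/Jul/2016:10:01:12 +0000] "GET /nps/servlet/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [05/Jul/2016:10:02:40 +0000] "POST /nps/servlet/portal HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [05/Jul/2016:10:03:02 +0000] "GET /nps/tempFiles/test.html HTTP/1.1" 200 874 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [05/Jul/2016:10:03:30 +0000] "GET /nps/tempFiles/upload.jsp?x=1 HTTP/1.1" 200 61 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [05/Jul/2016:10:04:00 +0000] "GET /nps/tempFiles/cert.der HTTP/1.1" 404 0 "-" "curl/7.47"',
    'this line is not an access-log entry and is skipped',
]

if __name__ == "__main__":
    for hit in find_tempfile_hits(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} ({hit["user"]}) {hit["status"]} {hit["path"]}')
    print(summarize_by_client(find_tempfile_hits(SAMPLE_LOG)))
```

Only script-type extensions are flagged because legitimate certificate material (e.g. a .der or .cer import) may transit the same folder; if you want every access to the temp folder, drop the extension check in `is_suspicious`. A 404 on such a path still deserves a look, since the advisory notes the file is only retained when the upload is replayed after a cancel.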

Resolution

Apply 4.2.2 for the NAM 4.2 platform, or apply 4.1.2 Hot Fix 1 for the NAM 4.1 platform.