CVE-2016-6602
📋 TL;DR
CVE-2016-6602 is a vulnerability in ZOHO WebNMS Framework where passwords are stored using weak obfuscation, allowing attackers who can access the securitydbData.xml file to easily recover cleartext passwords. This affects WebNMS Framework 5.2 and 5.2 SP1 installations. When combined with CVE-2016-6601 (directory traversal), this can be exploited remotely to gain administrative access.
💻 Affected Systems
- ZOHO WebNMS Framework
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise: attackers obtain administrative credentials, gain complete control over the WebNMS system, and potentially pivot to other systems using those credentials.
Likely Case
Credential theft leading to unauthorized administrative access to the WebNMS management interface, allowing configuration changes, data access, and further attacks.
If Mitigated
Limited impact with proper network segmentation, file access controls, and monitoring preventing access to the vulnerable configuration file.
🎯 Exploit Status
Metasploit module available (webnms_cred_disclosure). Exploitation is straightforward once the securitydbData.xml file is accessed, often via CVE-2016-6601 directory traversal.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 5.2 SP1
Vendor Advisory: https://www.zohocorp.com/security/webnms.html
Restart Required: Yes
Instructions:
1. Upgrade to WebNMS Framework version 5.2 SP2 or later.
2. Apply the patch from ZOHO.
3. Restart the WebNMS service.
4. Change all passwords stored in the system.
🔧 Temporary Workarounds
Restrict access to WEB-INF directory
Linux: Apply strict file permissions to prevent unauthorized access to the securitydbData.xml file.
chmod 600 /path/to/WEB-INF/conf/securitydbData.xml
chown root:root /path/to/WEB-INF/conf/securitydbData.xml
Network segmentation and access controls
All platforms: Isolate WebNMS systems and restrict access to management interfaces.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the WebNMS interface
- Monitor access to WEB-INF/conf/securitydbData.xml and alert on any unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check if WebNMS version is 5.2 or 5.2 SP1, and examine WEB-INF/conf/securitydbData.xml for weakly obfuscated password strings.
Check Version:
Check the WebNMS documentation or interface for version information, or examine the installation directory for version files.
Verify Fix Applied:
Verify WebNMS version is 5.2 SP2 or later, and confirm securitydbData.xml uses stronger encryption or hashing.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to WEB-INF/conf/securitydbData.xml
- Multiple failed login attempts followed by successful login with stolen credentials
Network Indicators:
- Unusual traffic patterns to/from the WebNMS server
- Directory traversal attempts (../ sequences) in HTTP requests
SIEM Query:
source="webnms" AND (url="*WEB-INF*" OR url="*securitydbData.xml*")
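As an added illustration of the log and network indicators above (this is not code from the original advisory or from the Metasploit module), the following Python scans constructed access-log lines for traversal sequences and for requests touching WEB-INF or securitydbData.xml, percent-decoding the URL more than once so that encoded or double-encoded `../` is not missed. The request paths in the sample log are made up for the example and are not the real WebNMS URLs.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined-log style. The
# request paths are invented for illustration, not real WebNMS URLs.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2016:10:01:02 +0000] "GET /webnms/index.html HTTP/1.1" 200 1432
10.0.0.9 - - [12/Aug/2016:10:01:07 +0000] "GET /webnms/example?file=../../WEB-INF/conf/securitydbData.xml HTTP/1.1" 200 5120
10.0.0.9 - - [12/Aug/2016:10:01:09 +0000] "GET /webnms/example?file=..%252F..%252FWEB-INF%252Fconf%252FsecuritydbData.xml HTTP/1.1" 200 5120
10.0.0.7 - - [12/Aug/2016:10:02:00 +0000] "POST /webnms/login HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def normalize_url(url, rounds=3):
    """Percent-decode up to `rounds` times (catches double encoding) and
    fold backslashes to slashes so '..\\' traversal is seen as '../'."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.replace("\\", "/")

def classify_request(url):
    """Return the set of reasons a request looks like an attempt to reach
    the obfuscated credential store; an empty set means benign."""
    norm = normalize_url(url).lower()
    reasons = set()
    if "../" in norm:
        reasons.add("traversal")
    if "web-inf" in norm:
        reasons.add("web-inf")
    if "securitydbdata.xml" in norm:
        reasons.add("sensitive-file")
    return reasons

def scan_log(text):
    """Return one alert dict per suspicious request line."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, method, url, status = m.groups()
        reasons = classify_request(url)
        if reasons:
            # A 200 on the sensitive file suggests the read succeeded.
            alerts.append({"ip": ip, "url": url, "status": int(status),
                           "reasons": sorted(reasons)})
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```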
🔗 References
- http://packetstormsecurity.com/files/138244/WebNMS-Framework-5.2-SP1-Traversal-Weak-Obfuscation-User-Impersonation.html
- http://seclists.org/fulldisclosure/2016/Aug/54
- http://www.rapid7.com/db/modules/auxiliary/admin/http/webnms_cred_disclosure
- http://www.securityfocus.com/archive/1/539159/100/0/threaded
- http://www.securityfocus.com/bid/92402
- https://blogs.securiteam.com/index.php/archives/2712
- https://forums.webnms.com/topic/recent-vulnerabilities-in-webnms-and-how-to-protect-the-server-against-them
- https://github.com/pedrib/PoC/blob/master/advisories/webnms-5.2-sp1-pwn.txt
- https://www.exploit-db.com/exploits/40229/