Novell ZENworks Asset Management File Upload Traversal

2011-05-2700:00:00

SAINT Corporation

download.saintcorporation.com

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.903 High

EPSS

Percentile

98.5%

JSON

Added: 05/27/2011
CVE: CVE-2010-4229
BID: 47295
OSVDB: 71872

Background

Novell ZENworks is a resource management solution consisting of a management server and management agents.

Problem

The Asset Management module (ZAM) of ZENworks version 10.3 prior to 10.3.2 and version 11 fail to validate the name of uploaded files. An attacker may exploit this behavior to upload an executable Java file while traversing the directory structure, such that the uploaded file will be executed by the server.

Resolution

Upgrade to ZENworks 10.3.2 or later.

References

<http://www.novell.com/support/viewContent.do?externalId=7007841>
<http://zerodayinitiative.com/advisories/ZDI-11-118/>

Limitations

This exploit has been tested against Novell ZENworks Configuration Management 10.3 running on Microsoft Windows Server 2003 SP2 English (DEP OptOut) and Microsoft Windows Server 2008 SP2 English (DEP OptOut). The exploit may not execute immediately. It may take 15 seconds or more before the payload is executed. This exploit creates a remote shell web application named ‘exploit’ on the webserver. This application remains after the connection is closed and must be manually removed.