Novell ZENworks Mobile Management MDM.php Language Parameter Vulnerability

Added: 06/15/2013
CVE: CVE-2013-1081
BID: 58402
OSVDB: 91119

Background

ZENworks Mobile Management (ZMM) offers centralized management tools that are useful for deploying new mobile devices in the workforce, whether those devices are company-issued or privately owned. ZMM ensures that users have the right credentials and access levels for company e-mail, calendar and contacts, as well as the right applications and files for each device. ZMM can also track device usage and the applications that users download onto their devices.

Problem

Novell ZMM 2.7.1 and 2.6.1, and probably earlier versions, are vulnerable to local file inclusion via a directory traversal style attack which could allow a remote unauthenticated attacker to execute arbitrary commands or code. The issue is due to the **MDM.php** script not properly sanitizing user input supplied to the language parameter, thereby allowing an attacker to include a file from the targeted host that could contain arbitrary commands or code that will be executed by the vulnerable script. In addition, this flaw could be used to disclose the contents of any file on the system accessible by the web server via **require_once()**.

Resolution

Upgrade to Novell ZMM 2.7.1 when available.

References

<http://www.zerodayinitiative.com/advisories/ZDI-13-087/&gt;
<http://www.novell.com/support/kb/doc.php?id=7011895&gt;

Limitations

This exploit has been tested against Novell ZENworks Mobile Management 2.6.0 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut).

The Perl module **MIME::Base64** is required to run the exploit.

Platforms

Windows