Novell ZENworks Mobile Management DUSAP.php Language Parameter Vulnerability

2013-07-18T00:00:00
ID SAINT:6E74A49D0E0E9CB2E118725593A7F6D8
Type saint
Reporter SAINT Corporation
Modified 2013-07-18T00:00:00

Description

Added: 07/18/2013
CVE: CVE-2013-1082
BID: 60179
OSVDB: 91118

Background

ZENworks Mobile Management (ZMM) offers centralized management tools that are useful for deploying new mobile devices in the workforce, whether those devices are company-issued or privately owned. ZMM ensures that users have the right credentials and access levels for company e-mail, calendar and contacts, as well as the right applications and files for each device. ZMM can also track device usage and the applications that users download onto their devices.

Problem

Novell ZMM 2.7.0 and 2.6.1, and probably earlier versions, are vulnerable to local file inclusion via a directory traversal style attack which could allow a remote unauthenticated attacker to execute arbitrary commands or code. The issue is due to the **DUSAP.php** script not properly sanitizing user input supplied to the language parameter, thereby allowing an attacker to include a file from the targeted host that could contain arbitrary commands or code that will be executed by the vulnerable script. In addition, this flaw could be used to disclose the contents of any file on the system accessible by the web server via **require_once()**.

Resolution

Upgrade to Novell ZMM 2.7.1 when available.

References

<http://www.novell.com/support/kb/doc.php?id=7011896>
<http://www.zerodayinitiative.com/advisories/ZDI-13-088/>

Limitations

This exploit was tested against Novell ZENworks Mobile Management 2.6.0 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut).

The Perl module **MIME::Base64** is required to run the exploit.

Platforms

Windows