Novell File Reporter FSFUI File Upload

2012-12-1700:00:00

SAINT Corporation

my.saintcorporation.com

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.756 High

EPSS

Percentile

98.2%

JSON

Added: 12/17/2012
CVE: CVE-2012-4959
BID: 56579
OSVDB: 87573

Background

Novell File Reporter is software that allows network administrators to identify files stored on the network and generates reports regarding the size of individual files, file type, when files were last accessed, and where duplicates exist. The Novell File Reporter communicates over HTTPS on port 3037/TCP.

Problem

Novell File Reporter contains an arbitrary file upload vulnerability which could allow a remote unauthenticated user to upload and execute arbitrary files with SYSTEM privileges. The specific vulnerability is in the read_file_sub_40A190() function of NFRAgent.exe when handling requests on the URL /FSF/CMD for records with NAME FSFUI, UICMD 130, and tag FILE.

Resolution

Apply an update when it becomes available. Allow only trusted networks and hosts to communicate with the Novell File Reporter agent.

References

<http://www.kb.cert.org/vuls/id/273371>

Limitations

This exploit was tested against Novell File Reporter 1.0.2.1 on Microsoft Windows Server 2003 SP2 English (DEP OptOut).

The IO-Socket-SSL and Digest:MD5 PERL modules must be installed on the scanning host. The IO-Socket-SSL module is available from <http://www.cpan.org/modules/by-module/IO/>. The Digest::MD5 module is available from <http://cpan.org/modules/by-module/MD5/>.