KhiZaRix Posted April 8, 2015 Report Share Posted April 8, 2015 >> Remote code execution in Novell ZENworks Configuration Management 11.3.1>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security=================================================================================Disclosure: 07/04/2015 / Last updated: 07/04/2015>> Background on the affected product:"Automate and accelerate your Windows 7 migrationMicrosoft estimates that it can take more than 20 hours to migrate asingle machine to Windows 7. Novell ZENworks Configuration Managementis ready to dramatically accelerate and automate every aspect of yourWindows 7 migration efforts.Boost user productivityUse Novell ZENworks Configuration Management to make sure users alwayshave access to the resources they need regardless of where they workor what devices they use.Eliminate IT effortAutomatically enforce policies and dynamically manage resources withidentity-based management of users as well as devices.Expand your freedom to chooseManage the lifecycles of all your current and future assets, with fullsupport for Windows and Linux systems, Novell eDirectory, ActiveDirectory, and more.Simplify deployment with virtual appliancesSlash deployment times with a convenient virtual appliance deployment option.Enjoy a truly unified solutionCentralize the management of all your devices into a single, unifiedand easy-to-use web-based ZENworks consoleâcalled ZENworks ControlCenter."This vulnerability is present in ZENworks Configuration Management(ZCM) which is part of the ZENworks Suite.A blast from the past? This is a similar vulnerability to ZDI-10-078 /OSVDB-63412, but it abuses a different parameter of the same servlet.However this time Novell:- Did not bother issuing a security advisory to their customers.- Did not credit me even though I did responsible disclosure.- Refused to provide a CVE number for months.- Did not update their ZENworks Suite Trial software with the fix (youcan download it now from their site, install and test the PoC /Metasploit module).- Does not list the fix in the ZCM 11.3.2 update information(https://www.novell.com/support/kb/doc.php?id=7015776).>> Technical details:Vulnerability: Remote code execution via file upload and directory traversalCVE-2015-0779Constraints: none; no authentication or any other information neededAffected versions: ZENworks Configuration Management 11.3.1 and belowPOST /zenworks/UploadServlet?uid=../../../opt/novell/zenworks/share/tomcat/webapps/&filename=payload.war<WAR file payload in the body>The WAR file will be automatically deployed to the server (on certainWindows and Linux installations the path can be "../webapps/"). AMetasploit module that exploits this vulnerability has been released.>> Fix:Upgrade to version ZENworks Configuration Management 11.3.2.[1]: https://github.com/pedrib/PoC/blob/master/generic/zenworks_zcm_rce.txt[2]: https://github.com/rapid7/metasploit-framework/pull/5096Source: http://packetstorm.wowhacker.com/1504-exploits/zenworks-exectraversal.txt Quote Link to comment Share on other sites More sharing options...
.thumb.jpg.29b1f7ae7dd9ad5a11e41a710722ba35.jpg)