exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Novell ZenWorks Configuration Management 11.3.1 Code Execution / Traversal

Novell ZenWorks Configuration Management 11.3.1 Code Execution / Traversal
Posted Apr 7, 2015
Authored by Pedro Ribeiro

Novell ZenWorks Configuration Management version 11.3.1 suffers from an unrestricted file upload vulnerability that can be abused for remote code execution and also suffers from a directory traversal vulnerability.

tags | exploit, remote, code execution, file inclusion, file upload
advisories | CVE-2015-0779
SHA-256 | 2e1385af22ffe68f64c61147063cf39a03915826ed8417041c6bae636ef665e5

Novell ZenWorks Configuration Management 11.3.1 Code Execution / Traversal

Change Mirror Download
>> Remote code execution in Novell ZENworks Configuration Management 11.3.1
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 07/04/2015 / Last updated: 07/04/2015

>> Background on the affected product:
"Automate and accelerate your Windows 7 migration
Microsoft estimates that it can take more than 20 hours to migrate a
single machine to Windows 7. Novell ZENworks Configuration Management
is ready to dramatically accelerate and automate every aspect of your
Windows 7 migration efforts.

Boost user productivity
Use Novell ZENworks Configuration Management to make sure users always
have access to the resources they need regardless of where they work
or what devices they use.

Eliminate IT effort
Automatically enforce policies and dynamically manage resources with
identity-based management of users as well as devices.

Expand your freedom to choose
Manage the lifecycles of all your current and future assets, with full
support for Windows and Linux systems, Novell eDirectory, Active
Directory, and more.

Simplify deployment with virtual appliances
Slash deployment times with a convenient virtual appliance deployment option.

Enjoy a truly unified solution
Centralize the management of all your devices into a single, unified
and easy-to-use web-based ZENworks console—called ZENworks Control
Center."

This vulnerability is present in ZENworks Configuration Management
(ZCM) which is part of the ZENworks Suite.
A blast from the past? This is a similar vulnerability to ZDI-10-078 /
OSVDB-63412, but it abuses a different parameter of the same servlet.
However this time Novell:
- Did not bother issuing a security advisory to their customers.
- Did not credit me even though I did responsible disclosure.
- Refused to provide a CVE number for months.
- Did not update their ZENworks Suite Trial software with the fix (you
can download it now from their site, install and test the PoC /
Metasploit module).
- Does not list the fix in the ZCM 11.3.2 update information
(https://www.novell.com/support/kb/doc.php?id=7015776).


>> Technical details:
Vulnerability: Remote code execution via file upload and directory traversal
CVE-2015-0779
Constraints: none; no authentication or any other information needed
Affected versions: ZENworks Configuration Management 11.3.1 and below

POST /zenworks/UploadServlet?uid=../../../opt/novell/zenworks/share/tomcat/webapps/&filename=payload.war
<WAR file payload in the body>

The WAR file will be automatically deployed to the server (on certain
Windows and Linux installations the path can be "../webapps/"). A
Metasploit module that exploits this vulnerability has been released.


>> Fix:
Upgrade to version ZENworks Configuration Management 11.3.2.


[1]: https://github.com/pedrib/PoC/blob/master/generic/zenworks_zcm_rce.txt
[2]: https://github.com/rapid7/metasploit-framework/pull/5096
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close