lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20110627124600.7ba4af91.aluigi@autistici.org>
Date: Mon, 27 Jun 2011 12:46:00 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com
Subject: Upload directory traversal in Novell ZenWorks Handheld Management
 7.0.2


#######################################################################

                             Luigi Auriemma

Application:  Novell ZenWorks Handheld Management
              http://www.novell.com/products/zenworks/handhelds/
Versions:     <= 7.0.2.61213
Platforms:    Windows, Linux, NetWare
Bug:          upload directory traversal
Exploitation: remote, versus server
Date:         27 Jun 2011 (found 25 Apr 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


>From vendor's website:
"Novell ZENworks Handheld Management helps you to standardize, deploy,
and manage software and device configurations across your entire
organization."


#######################################################################

======
2) Bug
======


ZfHSrvr.exe is a service listening on port 2398.

The sub-opcode 0x06 of opcode 0x01 calls the ReceiveAppMessage function
in Common.dll that creates a file in the MQueue folder of the service
having the name composed by messageID plus the ".msg" extension.

Through the usage of the byte 0x00 at the end of messageID it's
possible to avoid the appending of the extension and creating the file
outside the MQueue folder via directory traversal.

The following is the format of the opcode 0x06 (offset 0x34 of the
proof-of-concept):
  1   isCompressed
  ?   messageID (C:\Program Files\Novell\ZfH\MQueue\filename.msg)
  1   priority
  4   totalMessageSize
  4   appID
  ?   part of file's content
  1   isDeleted (if != 0 reads some chunks)

Notes about the proof-of-concept:
The 32bit value at offset 0x3 is a number between 0 and 0x10, in case
of doubts it can be easily scanned.
While the string at offset 0x12 is the name/ID of the server and I have
set it to "" so that it can be modified accordingly to the test server
(the ID is 14 bytes long and I have left 16 bytes free to edit).

This string is the InstallationID field located in the "Machines" table
of the ServerData.mdb database and it's a time related field.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/zfhsrvr_1.dat

  nc SERVER 2398 < zfhsrvr_1.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ