CVE-2010-5324
published 2015-06-07
Priority: P2 · 76 · critical · 10 · CVSS 2.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 72.01% (99.4th percentile)
Directory traversal vulnerability in UploadServlet in the Remote Management component in Novell ZENworks Configuration Management (ZCM) 10 before 10.3 allows remote attackers to execute arbitrary code via a zenworks-fileupload request with a crafted directory name in the type parameter, in conjunction with a WAR filename in the filename parameter and WAR content in the POST data, a different vulnerability than CVE-2010-5323.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| novell | zenworks_configuration_management | — | — |
| novell | zenworks_configuration_management | — | — |
| novell | zenworks_configuration_management | — | — |
| novell | zenworks_configuration_management | — | — |
| novell | zenworks_configuration_management | — | — |
| novell | zenworks_configuration_management | — | — |
| novell | zenworks_configuration_management | — | — |
| novell | zenworks_configuration_management | — | — |
Detection & IOCs
- After the upload, watch for a secondary GET request to a short random-named path ending in .jsp (e.g., /<4-36 char alphanumeric>/<8-16 char alphanumeric>.jsp), which is the payload trigger step.
- Look for HTTP responses containing the 'Apache-Coyote' server header on ZENworks hosts as a fingerprint for vulnerable targets.
- The exploit uploads a WAR file outside the TEMP directory via path traversal in the 'filename' parameter of UploadServlet, then triggers execution via a follow-up GET to the deployed JSP; monitor for this two-stage HTTP pattern.
- The Metasploit module targets ZENworks Configuration Management 10.2.0 specifically; the NVD entry notes the vulnerability affects ZCM 10 before 10.3, so the traversal path and servlet endpoint may behave differently across minor versions.
- The app_base and jsp_name components of the upload URI and trigger URI are randomly generated alphanumeric strings at runtime, so static string matching on those path segments alone is insufficient for detection; focus on the traversal pattern and UploadServlet endpoint instead.
- The Linux x86 target is noted as 'should work but untested', so detection coverage should prioritize Windows and Java Universal platforms.
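The two-stage pattern from the bullets above can be correlated per client in web access logs. The following is an added example, not code from the advisory or the Metasploit module. It assumes Common Log Format, a 10-minute correlation window, and that the upload request path contains the string `zenworks-fileupload`; it checks both the `type` and `filename` parameters because the sources name both, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Common Log Format prefix: client, timestamp, request line, status (assumed layout).
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Trigger shape quoted in the bullets above: /<4-36 alnum>/<8-16 alnum>.jsp
TRIGGER = re.compile(r'^/[A-Za-z0-9]{4,36}/[A-Za-z0-9]{8,16}\.jsp$')
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per site

def has_traversal(value):
    """True if a decoded parameter value contains a parent-directory step."""
    return ".." in re.split(r"[\\/]", value)

def suspicious_upload(method, target):
    """POST to the upload endpoint whose type/filename parameter traverses."""
    url = urlsplit(target)
    if method != "POST" or "zenworks-fileupload" not in url.path.lower():
        return False
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes once
    return any(has_traversal(v) for k in ("type", "filename") for v in params.get(k, []))

def correlate(lines):
    """Return (client, upload_target, trigger_path) for each two-stage match."""
    pending, hits = {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, ts, method, target, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = urlsplit(target).path
        if suspicious_upload(method, target):
            pending[client] = (when, target)  # stage 1: remember the upload
        elif method == "GET" and TRIGGER.match(path):
            seen = pending.get(client)
            if seen and when - seen[0] <= WINDOW:  # stage 2: trigger soon after
                hits.append((client, seen[1], path))
    return hits

# Constructed sample lines (not real traffic); directory and file names are placeholders.
SAMPLE = [
    '198.51.100.7 - - [22/Nov/2010:10:00:01 +0000] "POST /zenworks-fileupload/?type=..%2F..%2Fexample-dir%2F&filename=example.war HTTP/1.1" 200 12',
    '203.0.113.9 - - [22/Nov/2010:10:00:02 +0000] "POST /zenworks-fileupload/?type=bundle&filename=report.zip HTTP/1.1" 200 12',
    '198.51.100.7 - - [22/Nov/2010:10:00:06 +0000] "GET /Ab12Cd/Qw34Er56Ty.jsp HTTP/1.1" 200 0',
    '203.0.113.9 - - [22/Nov/2010:10:00:09 +0000] "GET /abcd/abcdefgh.jsp HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE):
        print(hit)
```

Parameter values are percent-decoded only once, so double-encoded traversal sequences need an extra normalization pass before this check.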
GHSA
GHSA-9mwj-265r-f2gr · ghsa_unreviewed · 2022-05-17 · CVSS 10.0
CVE-2010-5324 [CRITICAL] CWE-22
Directory traversal vulnerability in UploadServlet in the Remote Management component in Novell ZENworks Configuration Management (ZCM) 10 before 10.3 allows remote attackers to execute arbitrary code via a zenworks-fileupload request with a crafted directory name in the type parameter, in conjunction with a WAR filename in the filename parameter and WAR content in the POST data, a different vulnerability than CVE-2010-5323.
GHSA
GHSA-3pg8-3336-w32h · ghsa_unreviewed · 2022-05-17 · CVSS 10.0
CVE-2010-5323 [CRITICAL] CWE-22
Directory traversal vulnerability in UploadServlet in the Remote Management component in Novell ZENworks Configuration Management (ZCM) 10 before 10.3 allows remote attackers to execute arbitrary code via a crafted WAR pathname in the filename parameter in conjunction with WAR content in the POST data, a different vulnerability than CVE-2010-5324.
GHSA
GHSA-49r7-w8p8-xgc3 · ghsa_unreviewed · 2022-05-17 · CVSS 10.0
CVE-2015-0779 [CRITICAL] CWE-22
Directory traversal vulnerability in UploadServlet in Novell ZENworks Configuration Management (ZCM) 10 and 11 before 11.3.2 allows remote attackers to execute arbitrary code via a crafted directory name in the uid parameter, in conjunction with a WAR filename in the filename parameter and WAR content in the POST data, a different vulnerability than CVE-2010-5323 and CVE-2010-5324.
No detection rules found.
Exploit-DB
Novell ZENworks Configuration Management 10.2.0 - Remote Execution (Metasploit)
exploitdb · 2010-11-22 · CVE-2010-5324
---
```ruby
##
# $Id: zenworks_uploadservlet.rb 11099 2010-11-22 17:53:49Z egypt $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Novell ZENworks Configuration Management Remote Execution',
      'Description' => %q{
        This module exploits a code execution flaw in Novell ZENworks Configuration Management 10.2.0.
        By exploiting th
```
Metasploit
Novell ZENworks Configuration Management Remote Execution
metasploit
This module exploits a code execution flaw in Novell ZENworks Configuration Management 10.2.0. By exploiting the UploadServlet, an attacker can upload a malicious file outside of the TEMP directory and then make a secondary request that allows for arbitrary code execution.
No writeups or analysis indexed.
- http://tucanalamigo.blogspot.com/2010/04/pdc-de-zdi-10-078.html
- http://www.securityfocus.com/bid/39114
- http://www.zerodayinitiative.com/advisories/ZDI-10-078/
- https://bugzilla.novell.com/show_bug.cgi?id=578911
- https://www.novell.com/support/kb/doc.php?id=7005573