CVE-2013-1081
Published 2013-03-11
Priority: P2 (65), high. CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 68.08% (99.2th percentile)
Directory traversal vulnerability in MDM.php in Novell ZENworks Mobile Management (ZMM) 2.6.1 and 2.7.0 allows remote attackers to include and execute arbitrary local files via the language parameter.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| novell | zenworks_mobile_management | — | — |
| novell | zenworks_mobile_management | — | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to DUSAP.php containing directory traversal sequences in the 'language' GET parameter, specifically patterns traversing into php/temp session files.
- Look for HTTP requests to DUSAP.php with a 'language' parameter value containing '../../../../' traversal sequences, particularly targeting php/temp/sess_ paths (PHP session file poisoning).
- Monitor for HEAD requests to /download.php with a PHPSESSID cookie immediately followed by POST requests to DUSAP.php with base64-encoded body data. This is the two-stage session-poisoning upload pattern used by the exploit.
- Flag HTTP responses from the target containing the string 'ZENworks Mobile Management User Self-Administration Portal' to identify exposed vulnerable instances for prioritized patching/monitoring.
- Versions matching 2.6.0, 2.6.1, or 2.7.0 are confirmed vulnerable; version fingerprinting via the portal's 'Version' string can identify targets.
- The exploit targets Windows installations only; the traversal path uses Windows-style backslash separators (\..\..\php\temp\) and drops a Windows PE executable payload.
- The exploit uses an empty User-Agent string during the session-setup HEAD request, which can be used as a detection signal.
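The request-side signals above can be checked against web server access logs. The following is an added example, not a rule from this page or its sources: it assumes combined-format access logs, and the `scan` function name, the 30-second pairing window and the sample lines are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip - - [ts] "METHOD target HTTP/x" status size "referer" "user-agent"
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d+ \S+ "[^"]*" "([^"]*)"')
WINDOW = timedelta(seconds=30)  # assumed pairing window, tune per site

def scan(lines):
    """Return (client_ip, finding) tuples for the request patterns listed above."""
    findings, armed = [], {}  # armed: ip -> time of empty-UA HEAD /download.php
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        ip, ts, method, target, agent = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(target)
        page = url.path.rsplit("/", 1)[-1].lower()
        if method == "HEAD" and page == "download.php" and agent in ("", "-"):
            armed[ip] = when
        if page != "dusap.php":
            continue
        # parse_qs percent-decodes; fold backslashes so both separator styles match
        for value in parse_qs(url.query).get("language", []):
            norm = value.replace("\\", "/").lower()
            if "../" in norm:
                kind = "session-file include" if "php/temp/sess_" in norm else "traversal"
                findings.append((ip, f"language {kind}"))
        if method == "POST" and ip in armed and when - armed.pop(ip) <= WINDOW:
            findings.append((ip, "empty-UA HEAD then POST"))
    return findings

# Constructed sample log lines (not captured traffic); addresses are documentation ranges.
SAMPLE = [
    '198.51.100.7 - - [10/Jun/2013:09:14:01 +0000] "HEAD /download.php HTTP/1.1" 200 0 "-" ""',
    '198.51.100.7 - - [10/Jun/2013:09:14:02 +0000] "POST /DUSAP.php?language=..%5C..%5C..%5C..%5Cphp%5Ctemp%5Csess_PLACEHOLDER HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.20 - - [10/Jun/2013:09:15:40 +0000] "POST /DUSAP.php?language=en HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Access logs do not record request bodies or cookies, so the base64 body and PHPSESSID signals need a proxy or WAF log source instead.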
No detection rules found.
Exploit-DB
Novell ZENworks Mobile Device Managment 2.6.1/2.7.0 - Local File Inclusion (Metasploit)
exploitdb · 2013-06-07 · CVE-2013-1081
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'Novell Zenworks Mobile Device Managment Local File Inclusion Vulnerability',
      'Description' => %q{
        This module attempts to gain remote code execution on a server running
        Novell Zenworks Mobile Device Management.
      },
      'Author' =>
        [
          'steponequit',
          'Andrea Micalizzi (aka rgod)' #zdi report
        ],
      'Platform' => 'win',
      'Targets' =>
        [
          [ 'Novell Zenworks Mobile Device Management on Windows', {} ],
        ],
      'DefaultTarget' => 0,
      'References' =>
        [
```
Exploit-DB
Allied Telesyn TFTP (AT-TFTP) Server/Daemon 2.0 - Stack Buffer Overflow (Denial of Service) (PoC)
exploitdb · 2013-04-12 · CVE-2006-6184
---
```python
# Exploit Title: AT-TFTP 2.0 long filename stack based buffer overflow - DOS
# Date: 12.04.2013
# Exploit Author: xis_one@STM Solutions
# Vendor Homepage: http://www.alliedtelesis.com/
# Software Link: http://alliedtelesis.custhelp.com/cgi-bin/alliedtelesis.cfg/php/enduser/std_adp.php?p_faqid=1081&p_created=981539150&p_topview=1
# Version: 2.0
# Tested on: Windows XP SP3
#
# From 1.9 Remote Exec BOF discovered in 2006 by [email protected] to 2.0 Remote DOS BOF 2013 - no lesson learned.
# Two variants:
#
# 1. SEH overwrite but no exception handler trigger (cookie on stack?)
# 2. Read access violation (non-exploitable?)
#
# Still we can crash the server remotely.
#
#!/usr/bin/python
import
```
Metasploit
Novell Zenworks Mobile Managment MDM.php Local File Inclusion Vulnerability
metasploit
This module exercises a vulnerability in Novell Zenworks Mobile Management's Mobile Device Management component which can allow unauthenticated remote code execution. Due to a flaw in the MDM.php script's input validation, remote attackers can both upload and execute code via a directory traversal flaw exposed in the 'language' parameter of a POST call to DUSAP.php.
Metasploit
Novell Zenworks Mobile Device Management Admin Credentials
metasploit
This module attempts to pull the administrator credentials from a vulnerable Novell Zenworks MDM server.
No writeups or analysis indexed.