CVE-2015-0779
Published: 2015-06-07
Priority: P2 · 74 · critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 74.52% (99.4th percentile)
Directory traversal vulnerability in UploadServlet in Novell ZENworks Configuration Management (ZCM) 10 and 11 before 11.3.2 allows remote attackers to execute arbitrary code via a crafted directory name in the uid parameter, in conjunction with a WAR filename in the filename parameter and WAR content in the POST data, a different vulnerability than CVE-2010-5323 and CVE-2010-5324.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| novell | zenworks_configuration_management | — | — |
| novell | zenworks_configuration_management | — | — |
| novell | zenworks_configuration_management | — | — |
| novell | zenworks_configuration_management | — | — |
| novell | zenworks_configuration_management | — | — |
Detection & IOCs
url: /zenworks/UploadServlet?uid=../../../opt/novell/zenworks/share/tomcat/webapps/&filename=payload.war
- Detect unauthenticated HTTP POST requests to /zenworks/UploadServlet containing directory traversal sequences (e.g., '../') in the 'uid' query parameter combined with a '.war' filename in the 'filename' parameter.
- Alert on HTTP GET requests to /zenworks/UploadServlet returning HTTP 200 with body matching 'ZENworks File Upload Servlet' — this is the fingerprinting/check request used by the Metasploit module.
- Monitor for WAR file uploads (Content-Type: application/octet-stream) to the ZCM UploadServlet endpoint, particularly where the uid parameter traverses to a Tomcat webapps directory.
- No authentication is required to exploit this vulnerability; any unauthenticated POST to UploadServlet with traversal in uid should be treated as a high-severity alert.
- The traversal path in the uid parameter differs between Windows and Linux ZCM installations; defenders should account for both known paths.
- The Metasploit module allows an operator-supplied custom TOMCAT_PATH, meaning the traversal string is not fixed and may vary beyond the two known default paths.
- The deployed WAR app_base name is randomly generated alphanumeric, so the follow-up trigger request URI will not be predictable for signature matching.
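The detection points above as a log-triage sketch; this is an added example, not a rule taken from the sources this page indexes. The combined-log layout and the sample lines are constructed assumptions, and it matches any `..` path segment in `uid` (after repeated percent-decoding, with `/` or `\` separators) rather than a fixed path, because the traversal string varies by platform and operator setting.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache/Tomcat combined-log style (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/May/2015:10:00:01 +0000] "GET /zenworks/UploadServlet HTTP/1.1" 200 41',
    '203.0.113.5 - - [08/May/2015:10:00:02 +0000] "POST /zenworks/UploadServlet?uid=../../../opt/novell/zenworks/share/tomcat/webapps/&filename=payload.war HTTP/1.1" 200 0',
    '203.0.113.9 - - [08/May/2015:10:05:00 +0000] "POST /zenworks/UploadServlet?uid=%2e%2e%5c%2e%2e%5cwebapps%5c&filename=A.WAR HTTP/1.1" 200 0',
    '198.51.100.7 - - [08/May/2015:10:06:00 +0000] "POST /zenworks/UploadServlet?uid=0a1b2c&filename=inventory.xml HTTP/1.1" 200 0',
    '198.51.100.7 - - [08/May/2015:10:07:00 +0000] "GET /zenworks/index.jsp HTTP/1.1" 200 512',
]

REQUEST = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')  # a '..' segment, either separator

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so a double-encoded '../' is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (severity, source, detail) for UploadServlet requests of interest."""
    m = REQUEST.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path.rstrip("/").lower() != "/zenworks/uploadservlet":
        return None
    qs = parse_qs(url.query, keep_blank_values=True)  # decodes one layer
    uid = fully_decode(qs.get("uid", [""])[0])
    filename = fully_decode(qs.get("filename", [""])[0])
    if m["method"] == "POST" and TRAVERSAL.search(uid):
        war = filename.lower().endswith(".war")
        return ("high", m["src"], "uid traversal + .war filename" if war else "uid traversal")
    if m["method"] == "GET" and m["status"] == "200":
        # Access logs carry no response body, so the banner match cannot be confirmed here.
        return ("info", m["src"], "servlet reachable (possible fingerprint check)")
    return None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]
```

Because the deployed application name is random, correlate a "high" hit with the next requests from the same source to a previously unseen context path rather than trying to signature the follow-up URI.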
No detection rules found.
Exploit-DB
Novell ZENworks Configuration Management - Arbitrary File Upload (Metasploit)
exploitdb·2015-05-08
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Novell ZENworks Configuration Management Arbitrary File Upload',
'Description' => %q{
This module exploits a file upload vulnerability in Novell ZENworks Configuration
Management (ZCM, which is part of the ZENworks Suite). The vulnerability exists in
the UploadServlet which accepts unauthenticated file uploads and does not check the
"uid" parameter for directory traversal characters. This allows an attacker to write
anywhere in the file system, and can be abused to deploy a WAR file in the Tomcat
webapps directory. ZCM up to (and inc
Exploit-DB
Novell ZENworks Configuration Management 11.3.1 - Remote Code Execution
exploitdb·2015-04-08
---
>> Remote code execution in Novell ZENworks Configuration Management 11.3.1
>> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security
Disclosure: 07/04/2015 / Last updated: 07/04/2015
>> Background on the affected product:
"Automate and accelerate your Windows 7 migration
Microsoft estimates that it can take more than 20 hours to migrate a
single machine to Windows 7. Novell ZENworks Configuration Management
is ready to dramatically accelerate and automate every aspect of your
Windows 7 migration efforts.
Boost user productivity
Use Novell ZENworks Configuration Management to make sure users always
have access to the resources they need regardless of where they work
or what devices they use.
Metasploit
Novell ZENworks Configuration Management Arbitrary File Upload
metasploit
This module exploits a file upload vulnerability in Novell ZENworks Configuration Management (ZCM, which is part of the ZENworks Suite). The vulnerability exists in the UploadServlet which accepts unauthenticated file uploads and does not check the "uid" parameter for directory traversal characters. This allows an attacker to write anywhere in the file system, and can be abused to deploy a WAR file in the Tomcat webapps directory. ZCM up to (and including) 11.3.1 is vulnerable to this attack. This module has been tested successfully with ZCM 11.3.1 on Windows and Linux. Note that this is a similar vulnerability to ZDI-10-078 / OSVDB-63412 which also has a Metasploit exploit, but it abuses a different parameter of the same serv
No writeups or analysis indexed.
http://seclists.org/fulldisclosure/2015/Apr/21
https://github.com/rapid7/metasploit-framework/pull/5096
https://raw.githubusercontent.com/pedrib/PoC/master/generic/zenworks_zcm_rce.txt
https://www.exploit-db.com/exploits/36964/
https://www.novell.com/support/kb/doc.php?id=7016419