[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Upload directory traversal in Novell ZenWorks Handheld Management 7.0.2



#######################################################################

                             Luigi Auriemma

Application:  Novell ZenWorks Handheld Management
              http://www.novell.com/products/zenworks/handhelds/
Versions:     <= 7.0.2.61213
Platforms:    Windows, Linux, NetWare
Bug:          upload directory traversal
Exploitation: remote, versus server
Date:         27 Jun 2011 (found 25 Apr 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"Novell ZENworks Handheld Management helps you to standardize, deploy,
and manage software and device configurations across your entire
organization."


#######################################################################

======
2) Bug
======


ZfHSrvr.exe is a service listening on port 2398.

The sub-opcode 0x06 of opcode 0x01 calls the ReceiveAppMessage function
in Common.dll that creates a file in the MQueue folder of the service
having the name composed by messageID plus the ".msg" extension.

Through the usage of the byte 0x00 at the end of messageID it's
possible to avoid the appending of the extension and creating the file
outside the MQueue folder via directory traversal.

The following is the format of the opcode 0x06 (offset 0x34 of the
proof-of-concept):
  1   isCompressed
  ?   messageID (C:\Program Files\Novell\ZfH\MQueue\filename.msg)
  1   priority
  4   totalMessageSize
  4   appID
  ?   part of file's content
  1   isDeleted (if != 0 reads some chunks)

Notes about the proof-of-concept:
The 32bit value at offset 0x3 is a number between 0 and 0x10, in case
of doubts it can be easily scanned.
While the string at offset 0x12 is the name/ID of the server and I have
set it to "" so that it can be modified accordingly to the test server
(the ID is 14 bytes long and I have left 16 bytes free to edit).

This string is the InstallationID field located in the "Machines" table
of the ServerData.mdb database and it's a time related field.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/zfhsrvr_1.dat

  nc SERVER 2398 < zfhsrvr_1.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org