#######################################################################

                             Luigi Auriemma

Application:  Novell ZenWorks Asset Management
              http://www.novell.com/products/zenworks/assetmanagement/
Versions:     <= 7.5.0.11
              ZenWorks 11 is not affected
Platforms:    Windows, Linux, NetWare
Bug:          upload directory traversal
Exploitation: remote, versus server and clients
Date:         16 Aug 2011 (found 29 Jun 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


ZenWorks 7 is the previous branch of the Novell ZenWorks product.

During summer 2011 Novell suggested a migration from ZenWorks 7 to 11
due to the termination of support for this old version:

  http://www.novell.com/promo/endpoint/zen7_faq.html

Anyway, a similar migration (ZenWorks 11 is completely different from 7)
is not such an easy task, so I guess this advisory could be more than
just a "historical" reference.


#######################################################################

======
2) Bug
======


IMPORTANT:
ZenWorks 11 is completely different from the previous versions, which is
why the vulnerable services exist ONLY in the pre-11 versions.

ColSvrCore, CClient and TaskServerCore are services that use the same
protocol and listen on ports 7460, 7461 and 7465.

Opcode 0x28 is used to create a file in the folder "Inbox-Cps", opcode
0x32 is used for writing data and 0x3c to close it.

There are no checks on opcode 0x28 and indeed it is possible to exploit
the relative directory traversal.

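The check that opcode 0x28 lacks can be sketched as follows. This is an added example, not Novell's code and not part of the original advisory: it assumes the create request carries a client-supplied file name and that legitimate names are a single path component, and the function names, MAX_NAME and the sample name "scan001.cps" are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define INBOX_DIR "Inbox-Cps"  /* folder named in the advisory */
#define MAX_NAME  255          /* assumed upper bound for a file name */

/* Returns 1 when `name` is a single, plain path component that can only
 * resolve to a file directly inside INBOX_DIR, 0 otherwise. */
int inbox_name_is_safe(const char *name)
{
    size_t i, len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_NAME)
        return 0;
    /* '/' and '\\' are separators on the affected platforms; ':' starts a
     * Windows drive or NetWare volume and would make the path absolute. */
    if (strpbrk(name, "/\\:") != NULL)
        return 0;
    /* Rejects ".", ".." and longer dot-only names. */
    if (strspn(name, ".") == len)
        return 0;
    /* Windows drops trailing dots and spaces, which can alias other names. */
    if (name[len - 1] == '.' || name[len - 1] == ' ')
        return 0;
    /* Control characters have no place in an upload name. */
    for (i = 0; i < len; i++)
        if ((unsigned char)name[i] < 0x20)
            return 0;
    return 1;
}

/* Builds "Inbox-Cps/<name>" in `out`.
 * Returns 0 on success, -1 when the name is rejected or does not fit. */
int inbox_build_path(const char *name, char *out, size_t outlen)
{
    int n;

    if (!inbox_name_is_safe(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s", INBOX_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

Rejecting every separator, rather than stripping "../" sequences, avoids the bypasses that filtering leaves behind when the same code runs on Windows, Linux and NetWare.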

#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/zenasset_1.dat

  nc SERVER 7460 < zenasset_1.dat
  nc CLIENT 7461 < zenasset_1.dat
  nc SERVER 7465 < zenasset_1.dat


#######################################################################

======
4) Fix
======


ZenWorks 7 is no longer supported by Novell so the customers must
migrate to ZenWorks 11.


#######################################################################