####################################################################### Luigi Auriemma Application: Novell ZenWorks Handheld Management http://www.novell.com/products/zenworks/handhelds/ Versions: <= 7.0.2.61213 Platforms: Windows, Linux, NetWare Bug: upload directory traversal Exploitation: remote, versus server Date: 27 Jun 2011 (found 25 Apr 2011) Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== From vendor's website: "Novell ZENworks Handheld Management helps you to standardize, deploy, and manage software and device configurations across your entire organization." ####################################################################### ====== 2) Bug ====== ZfHSrvr.exe is a service listening on port 2398. The sub-opcode 0x06 of opcode 0x01 calls the ReceiveAppMessage function in Common.dll that creates a file in the MQueue folder of the service having the name composed by messageID plus the ".msg" extension. Through the usage of the byte 0x00 at the end of messageID it's possible to avoid the appending of the extension and creating the file outside the MQueue folder via directory traversal. The following is the format of the opcode 0x06 (offset 0x34 of the proof-of-concept): 1 isCompressed ? messageID (C:\Program Files\Novell\ZfH\MQueue\filename.msg) 1 priority 4 totalMessageSize 4 appID ? part of file's content 1 isDeleted (if != 0 reads some chunks) Notes about the proof-of-concept: The 32bit value at offset 0x3 is a number between 0 and 0x10, in case of doubts it can be easily scanned. While the string at offset 0x12 is the name/ID of the server and I have set it to "" so that it can be modified accordingly to the test server (the ID is 14 bytes long and I have left 16 bytes free to edit). This string is the InstallationID field located in the "Machines" table of the ServerData.mdb database and it's a time related field. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/zfhsrvr_1.dat nc SERVER 2398 < zfhsrvr_1.dat ####################################################################### ====== 4) Fix ====== No fix. #######################################################################