Novell ZENworks LaunchHelp.dll ActiveX Control LaunchProcess Code Execution

Added: 11/14/2011
CVE: CVE-2011-2657
BID: 50274
OSVDB: 76700


Novell ZENworks Configuration Management is an IT desktop computer management suite that provides the ability to install, configure and administer desktop computers from a centralized location. The product is based on a client/server architecture.

Novell ZENworks Configuration Management includes AdminStudio by Novell technical partner Flexera Software. AdminStudio provides a complete suite of automated packaging, customization, conflict resolution, and quality assurance tools.


The LaunchProcess function in the LaunchHelp.dll ActiveX Control is vulnerable to directory traversal because it fails to validate a command path argument. A remote attacker who persuades a user to open a malicious web page or file could execute arbitrary code on the target system.
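The kind of validation whose absence is described above, as an added example (not Novell's or Flexera's code, and not part of the original advisory): a check that confines a command path argument to one directory before anything is launched. The base directory, the function name and the sample inputs are assumptions constructed for illustration; the advisory does not describe how the real control resolves its argument.

```python
import ntpath  # Windows path semantics, usable on any platform

# Placeholder directory the launcher is allowed to start programs from
# (constructed value, not a real product path).
BASE_DIR = r"C:\ExampleApp\Help"


def resolve_command_path(arg, base_dir=BASE_DIR):
    """Return the canonical path for arg if it stays inside base_dir, else None.

    Hypothetical helper: a launcher would call this and refuse to start
    anything when it returns None.
    """
    if not arg or "\x00" in arg:
        return None
    # Reject arguments that name their own root: drive letters ("C:..."),
    # UNC shares ("\\host\share") or a leading slash (rooted on the drive).
    drive, rest = ntpath.splitdrive(arg)
    if drive or rest[:1] in ("\\", "/"):
        return None
    # Join onto the base, then collapse "." and ".." and unify separators,
    # so "sub/../../x" is judged by where it ends up, not by how it looks.
    base = ntpath.normpath(base_dir)
    candidate = ntpath.normpath(ntpath.join(base, arg))
    # Compare whole path components, case-insensitively. A plain prefix test
    # would wrongly accept a sibling such as C:\ExampleApp\HelpOther.
    common = ntpath.normcase(ntpath.commonpath([base, candidate]))
    if common != ntpath.normcase(base):
        return None
    # The directory itself is not a launchable command.
    if ntpath.normcase(candidate) == ntpath.normcase(base):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample arguments.
    samples = ["viewer.exe", r"sub\..\viewer.exe",
               r"..\..\Windows\System32\cmd.exe", r"..\HelpOther\x.exe",
               r"\\host\share\x.exe", "/Windows/x.exe"]
    for s in samples:
        print(f"{s!r:40} -> {resolve_command_path(s)}")
```

The check is lexical: it does not resolve junctions or short (8.3) names, which a production check on Windows would handle by canonicalising the path through the operating system before comparing.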


Apply patches as described in 7009570.



Exploit works on Novell ZENworks AdminStudio 10.0 SP2.

The user must open the exploit in Internet Explorer 7 or 8 on the target.



