Novell ZENworks Mobile Management DUSAP.php Language Parameter Vulnerability

Added: 07/18/2013
CVE: CVE-2013-1082
BID: 60179
OSVDB: 91118

Background

ZENworks Mobile Management (ZMM) offers centralized management tools that are useful for deploying new mobile devices in the workforce, whether those devices are company-issued or privately owned. ZMM ensures that users have the right credentials and access levels for company e-mail, calendar and contacts, as well as the right applications and files for each device. ZMM can also track device usage and the applications that users download onto their devices.

Problem

Novell ZMM 2.7.0 and 2.6.1, and probably earlier versions, are vulnerable to local file inclusion via a directory traversal style attack which could allow a remote unauthenticated attacker to execute arbitrary commands or code. The issue is due to the DUSAP.php script not properly sanitizing user input supplied to the language parameter, thereby allowing an attacker to include a file from the targeted host that could contain arbitrary commands or code that will be executed by the vulnerable script. In addition, this flaw could be used to disclose the contents of any file on the system accessible by the web server via require_once().

Resolution

Upgrade to Novell ZMM 2.7.1 when available.

References

http://www.novell.com/support/kb/doc.php?id=7011896
http://www.zerodayinitiative.com/advisories/ZDI-13-088/

Limitations

This exploit was tested against Novell ZENworks Mobile Management 2.6.0 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut).

The Perl module MIME::Base64 is required to run the exploit.

Platforms

Windows

Back to exploit index