ZENWorks' Accidental Backdoor
This week, we saw the release of Metasploit exploit developer Juan Vazquez's freshly discovered vulnerability in Novell ZENWorks. You can read all about it in Juan's great technical blog post, but the short version for the attention-deprived is: Novell ZENWorks ships with hard-coded credentials, which allow for SYSTEM-level file system read access.
That seems like kind of a big deal for ZENWorks users -- namely because there's no reasonable way to change these credentials in the ZENWorks interface. I don't know about you, but that sounds like a backdoor to me.
Of course, we take reasonable disclosure pretty seriously here. We don't call it "responsible disclosure," since that's usually just code for "secretly inform vendors and wait on their schedule before warning users," nor is it "full disclosure," because we don't just drop 0day as soon as we find it. I think what we do here at Rapid7 is a very reasonable middle ground. In this case, we notified the vendor, we shared with US-CERT, and now we're letting the users know, all on a predictable timetable.
For what it's worth, most vendors can ship a bugfix given a couple months' notice. For whatever reason, we haven't seen a fix from Novell on this one yet, so if you're a customer, you might have better luck than us (and US-CERT) in getting a reasonable response. In the meantime, feel free to validate the backdoor yourself with Juan's spiffy Metasploit modules, linked below.
In other exploit dev news, we're also shipping this week James "Egypt" Lee's PHP EXE payload. This library should help automate the generation of a hundred thousand more remote, arbitrary PHP code execution vulns in the universe of hastily-written PHP apps.
For ARCH_PHP targets, the PhpEXE payload simply returns the given encoded payload wrapped in <?php ?> markers.
For target architectures other than ARCH_PHP, this will base64 encode an appropriate executable and drop it on the target system. After running it, the generated code will attempt to unlink the dropped executable. Note that unlinking executables in this way nearly always fails on Windows, so you will certainly leave artifacts of exploitation behind there.
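The two behaviours just described (an encoded payload evaluated inline, or an executable decoded to disk, run, and then unlinked) are also the shapes a defender has to recognise when triaging PHP files on a web root. The script below is an added example written for this post, not code from Metasploit or from the PhpEXE library: it classifies a PHP source file by the chain of calls it makes, and the PHP samples embedded in it are constructed placeholders rather than generated payloads. The `@unlink` handling is there because, as the post notes, the cleanup step often fails on Windows, so the presence of the unlink call is itself worth recording alongside the dropped artifact.

```python
import re
from dataclasses import dataclass, field

# Constructed PHP samples (not Metasploit output): a benign page, a file shaped
# like the ARCH_PHP case, a file shaped like the drop-and-run case, and one that
# reaches a dangerous function only through a variable function name.
BENIGN = """<?php
$rows = json_decode(file_get_contents('data.json'), true);
echo htmlspecialchars($rows[0]['name']);
?>"""

INLINE_PHP = """<?php eval(base64_decode('PAYLOAD_PLACEHOLDER')); ?>"""

DROPPER = """<?php
$p = sys_get_temp_dir() . '/' . uniqid();
file_put_contents($p, base64_decode('EXE_PLACEHOLDER'));
chmod($p, 0755);
exec($p);
@unlink($p);
?>"""

INDIRECT = """<?php
$f = "exec";
$f($_GET['c']);
?>"""

# Call names grouped by the role they play in the chain we are looking for.
STAGES = {
    "decode": {"base64_decode", "gzinflate", "gzuncompress", "str_rot13"},
    "write": {"file_put_contents", "fwrite", "fputs"},
    "exec": {"exec", "system", "shell_exec", "passthru", "proc_open", "popen"},
    "eval": {"eval", "assert", "create_function"},
    "unlink": {"unlink"},
}
DANGEROUS = set().union(*STAGES.values())

# A bare identifier immediately followed by "(" is treated as a direct call;
# a bare identifier inside a quoted string is a candidate for $var() dispatch.
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
STR_RE = re.compile(r"""(['"])([A-Za-z_]\w*)\1""")


@dataclass
class Finding:
    verdict: str                                  # clean / inline-payload / dropper / suspicious
    stages: dict = field(default_factory=dict)    # stage -> sorted call names seen
    indirect: list = field(default_factory=list)  # dangerous names seen only as string literals


def classify_php(source: str) -> Finding:
    """Classify a PHP source by which stages of the decode/write/exec/unlink chain it contains."""
    calls = {m.group(1).lower() for m in CALL_RE.finditer(source)}
    strings = {m.group(2).lower() for m in STR_RE.finditer(source)}

    stages = {}
    for stage, names in STAGES.items():
        hit = sorted(calls & names)
        if hit:
            stages[stage] = hit
    # Names that appear as string literals but never as direct calls: likely $f(...) dispatch.
    indirect = sorted((strings & DANGEROUS) - calls)

    if {"decode", "write", "exec"} <= stages.keys():
        verdict = "dropper"            # executable decoded to disk and run
    elif {"eval", "decode"} <= stages.keys():
        verdict = "inline-payload"     # encoded PHP evaluated in place
    elif "exec" in stages or "eval" in stages or indirect:
        verdict = "suspicious"         # dangerous capability without the full chain
    else:
        verdict = "clean"
    return Finding(verdict, stages, indirect)


if __name__ == "__main__":
    for label, src in [("benign", BENIGN), ("inline", INLINE_PHP),
                       ("dropper", DROPPER), ("indirect", INDIRECT)]:
        f = classify_php(src)
        cleanup = "unlink" in f.stages
        print(f"{label:9s} verdict={f.verdict:15s} cleanup_attempted={cleanup} "
              f"stages={f.stages} indirect={f.indirect}")
```

A `dropper` verdict with `unlink` present is the case the post warns about: on Windows the unlink usually fails because the executable is still mapped, so the decoded file in the temp directory is the artifact to go looking for. Match-by-name scanning is deliberately cheap and will miss string-concatenated or variable-assembled names; it is a first-pass triage filter, not a substitute for reviewing the file.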
Kernelsmith Becomes Open Source Issue Manager
This week, long-time Metasploit contributor and #metasploit IRC troublemaker Kernelsmith stepped up and volunteered to serve as issue manager. Hooray! What this means is that we'll have someone around championing your bug reports and feature requests who is a) already capable with Metasploit, b) already active in the Metasploit community, and c) not beholden to a Rapid7 paycheck.
This last bit is important for the whole open source ethos that we're pursuing with Metasploit. Kernelsmith cares about the free Metasploit Framework first and foremost, mainly because he uses it all the time. Because of this, he's a pretty ideal ombudsman-type figure to keep us honest and responsive to your bugs.
Of course, it's important to note that Kernelsmith isn't our community whipping boy. He has a life and a job and all that, and though he loves Metasploit at least as much as I do, he really is "just" volunteering to help clean up our issue tracking act. So, let's be nice and not try to pile on all our drudgery all at once.
So, if you have a bug that's been languishing on the pile over on our Redmine issue tracker, take heart -- Kernelsmith is, at this very moment, separating the wheat from the chaff. If you don't see progress on your pet bug in the immediate term, feel free to bump it via a Redmine comment. We have a bit of a backlog to work through, but with Kernelsmith's and your help, we should be making some real progress on responsive and responsible issue management in the coming weeks.
Here's the breakdown with the links to Metasploit's Exploit Database.
- Novell ZENworks Asset Management 7.5 Remote File Access by juan vazquez exploits CVE-2012-4933
- Novell ZENworks Asset Management 7.5 Configuration Access by juan vazquez exploits CVE-2012-4933
- AjaXplorer checkInstall.php Remote Command Execution by sinn3r, David Maciejak, and Julien Cayssol exploits OSVDB-63552
- Project Pier Arbitrary File Upload Vulnerability by sinn3r and BlackHawk exploits OSVDB-85881
- KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability by juan vazquez and rgod exploits ZDI-12-169
- Windows Escalate Service Permissions Local Privilege Escalation by scriptjunkie
Auxiliary and Post modules
- Apache ActiveMQ JSP files Source Disclosure by juan vazquez and Veerendra G.G exploits CVE-2010-1587
- Apache ActiveMQ Directory Traversal by juan vazquez and AbdulAziz Hariri
- Safe Delete Meterpreter Module by Borja Merino
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.