Thursday, 22 July 2010

Novell Teaming Arbitrary File Upload Remote Code Execution Vulnerability

TippingPoint's Zero Day Initiative (ZDI) has published an advisory for a remote pre-authentication arbitrary file upload vulnerability in Novell Teaming for both Windows and Linux that leads to arbitrary code execution. This vulnerability was discovered by Stephen Fewer of Harmony Security.

You can read the full ZDI advisory here:
http://www.zerodayinitiative.com/advisories/ZDI-10-136/

And you can access the Novell patch here:
http://download.novell.com/Download?buildid=gz4IRLKEfDo~

2 comments:

Anonymous said...

The patch doesn't seem to modify the affected ajaxUploadImageFile method in any way.

I can reach:

String prefix = String.valueOf(fileName.length()) + "-" + fileName + "_";

and I can obviously change the prefix (location of the temp file) but it's not clear to me how to change the suffix.

Can you shed any light?

Thanks!

Stephen Fewer said...

Java lets you have null bytes in strings, so you can use any extension you want with a simple null before the valid extension in order to write an arbitrary extension to disk, e.g. sending the following input into a vulnerable webapp...

file = "\\somepath\\hello.jsp\x00.jpg"
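Added example (not part of the comments above, and not Novell Teaming code): a sketch of server-side upload name validation that rejects the null-byte file name from the last comment, shown beside a suffix-only check that accepts it. The class name, method names, and extension allowlist are assumptions made for illustration.

```java
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

// Hypothetical names throughout; this is illustrative code, not the vendor's.
public class UploadNameCheck {
    private static final Set<String> ALLOWED = Set.of("jpg", "jpeg", "png", "gif");

    // The weak form: only the end of the client-supplied string is inspected.
    static boolean naiveCheck(String name) {
        return name.toLowerCase(Locale.ROOT).endsWith(".jpg");
    }

    // Returns a server-generated name for storage, or throws if the client name is unsafe.
    static String safeStoredName(String clientName) {
        if (clientName == null || clientName.isEmpty())
            throw new IllegalArgumentException("empty file name");
        // Reject NUL and every other control character outright; do not strip and continue.
        for (int i = 0; i < clientName.length(); i++) {
            if (Character.isISOControl(clientName.charAt(i)))
                throw new IllegalArgumentException("control character at index " + i);
        }
        // Drop any directory part, whichever separator the client used.
        int slash = Math.max(clientName.lastIndexOf('/'), clientName.lastIndexOf('\\'));
        String base = clientName.substring(slash + 1);
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1)
            throw new IllegalArgumentException("missing extension");
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext))
            throw new IllegalArgumentException("extension not allowed: " + ext);
        // Client-supplied text never reaches the path written to disk.
        return UUID.randomUUID() + "." + ext;
    }

    public static void main(String[] args) {
        // Constructed inputs; the second is the string quoted in the comment above.
        String[] samples = { "photo.JPG", "\\somepath\\hello.jsp\0.jpg", "../x.jsp", "a.jpg" };
        for (String s : samples) {
            String shown = s.replace("\0", "\\0");
            try {
                System.out.println(shown + " naive=" + naiveCheck(s) + " -> " + safeStoredName(s));
            } catch (IllegalArgumentException e) {
                System.out.println(shown + " naive=" + naiveCheck(s) + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Rejected names are worth logging with the source address: a control character in an upload file name is rarely accidental.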