Arbitrary files deletion in Novell File Reporter 1.0.4.2

2011.07.19
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-399


Ogólna skala CVSS: 5/10
Znaczenie: 2.9/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Brak
Wpływ na integralność: Brak
Wpływ na dostępność: Częściowy

####################################################################### Luigi Auriemma Application: Novell File Reporter http://www.novell.com/products/file-reporter/ Versions: <= 1.0.4.2 Platforms: Windows, Linux, NetWare Bug: arbitrary files deletion Exploitation: remote, versus server Date: 27 Jun 2011 (found 18 Apr 2011) Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Novell File Reporter is a software that creates reports on the state and activity of files and storages. ####################################################################### ====== 2) Bug ====== NFRAgent.exe is a SYSTEM service listening on the default HTTPS port 3037. Through the NAME SRS, OPERATION 4 and CMD 5 is possible to delete any arbitrary file on the remote system and shares with SYSTEM privileges since the service calls directly DeleteFileA with the string provided in our PATH value. The sequence of chars before the RECORD data is the md5 hash calculated on a string composed by such data placed between the strings "SRS" and "SERVER". ####################################################################### =========== 3) The Code =========== http://aluigi.org/mytoolz/stcppipe.zip http://aluigi.org/poc/nfr_2.dat stcppipe -Y 2 SERVER 3037 1234 nc 127.0.0.1 1234 < nfr_2.dat the deleted file will be c:\windows\myfile.txt ####################################################################### ====== 4) Fix ====== No fix. ####################################################################### --- Luigi Auriemma http://aluigi.org

Referencje:

http://www.securityfocus.com/archive/1/archive/1/518626/100/0/threaded
http://securitytracker.com/id?1025716
http://secunia.com/advisories/45071
http://aluigi.org/adv/nfr_2-adv.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top