Arbitrary file deletion in Novell File Reporter 1.0.4.2

2011.07.19
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-399


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

#######################################################################

                             Luigi Auriemma

Application:  Novell File Reporter
              http://www.novell.com/products/file-reporter/
Versions:     <= 1.0.4.2
Platforms:    Windows, Linux, NetWare
Bug:          arbitrary file deletion
Exploitation: remote, versus server
Date:         27 Jun 2011 (found 18 Apr 2011)
Author:       Luigi Auriemma
              e-mail: aluigi (at) autistici (dot) org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Novell File Reporter is software that creates reports on the state
and activity of files and storage.


#######################################################################

======
2) Bug
======


NFRAgent.exe is a SYSTEM service listening on the default HTTPS port
3037.

Through the NAME SRS, OPERATION 4 and CMD 5 it is possible to delete any
arbitrary file on the remote system and shares with SYSTEM privileges,
since the service directly calls DeleteFileA with the string provided
in our PATH value.

The sequence of chars before the RECORD data is the md5 hash calculated
on a string composed of such data placed between the strings "SRS" and
"SERVER".


#######################################################################

===========
3) The Code
===========


http://aluigi.org/mytoolz/stcppipe.zip
http://aluigi.org/poc/nfr_2.dat

  stcppipe -Y 2 SERVER 3037 1234
  nc 127.0.0.1 1234 < nfr_2.dat

the deleted file will be c:\windows\myfile.txt


#######################################################################

======
4) Fix
======


No fix.


#######################################################################


---
Luigi Auriemma
http://aluigi.org
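The missing check from the Bug section, as an added example (not code from the advisory or from Novell): a lexical gate a service could apply to a client-supplied PATH before it ever reaches DeleteFileA. The allowed directory `C:\NFR\reports\` and the function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumption: the one directory the agent may delete from (hypothetical). */
static const char ALLOWED_ROOT[] = "C:\\NFR\\reports\\";

static int is_sep(char c) { return c == '\\' || c == '/'; }

/* Returns 1 if any path component ends in '.' or ' ' (covers "." and "..",
 * plus the trailing dots/spaces that Win32 strips during normalization). */
static int has_unsafe_component(const char *p) {
    while (*p) {
        const char *start = p;
        while (*p && !is_sep(*p)) p++;
        if (p > start && (p[-1] == '.' || p[-1] == ' ')) return 1;
        while (is_sep(*p)) p++;
    }
    return 0;
}

/* Returns 1 only for a plain local file path underneath ALLOWED_ROOT.
 * The caller deletes the file only when this returns 1. */
int delete_path_allowed(const char *path) {
    size_t root_len = sizeof(ALLOWED_ROOT) - 1, len, i;

    if (path == NULL) return 0;
    len = strlen(path);
    if (len <= root_len || len >= 260) return 0;   /* 260 = MAX_PATH */
    for (i = 0; i < root_len; i++) {               /* case-insensitive prefix */
        char c = (path[i] == '/') ? '\\' : path[i];
        if (tolower((unsigned char)c) != tolower((unsigned char)ALLOWED_ROOT[i]))
            return 0;                  /* other drive, UNC share, sibling dir */
    }
    if (has_unsafe_component(path + root_len)) return 0;   /* traversal */
    if (strchr(path + root_len, ':')) return 0;    /* alternate data streams */
    if (is_sep(path[len - 1])) return 0;           /* a directory, not a file */
    return 1;
}
```

The check is purely lexical, so it does not resolve junctions or symbolic links inside the allowed directory; a service would still need to authenticate the request and avoid performing the deletion with SYSTEM privileges.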

References:

http://www.securityfocus.com/archive/1/archive/1/518626/100/0/threaded
http://securitytracker.com/id?1025716
http://secunia.com/advisories/45071
http://aluigi.org/adv/nfr_2-adv.txt

