Novell Administration Console Arbitrary File Upload Vulnerability (CVE-2010-0284)

  • 7006255
  • 10-Jun-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Administration Console on Windows
Novell Access Manager 3.1 Support Pack 1 applied

Situation

Using external scripts, it is possible to upload files to the Admin Console on Windows without requiring authentication. The issue is not visible on the Linux Admin Console platforms, and occurs because of the way the iManager server handles the path seperators on Windows. 

Resolution

Update to Access Manager 3.1 Support Pack 2 (build 3.1.2-281 or greater).

Additional Information

This vulnerability allows remote attackers to upload arbitrary files on
vulnerable installations of Novell Access Manager. Authentication is not
required to exploit this vulnerability.

The specific flaw exists within the PortalModuleInstallManager component
of the Novell Access Management Console which exists within the servlet located
within nps.jar. Due to a failure to sanitize '../' directory traversal
modifiers from a parameter an attacker can specify any filename to
upload arbitrary contents into. Successful exploitation can result in
code execution under the context of the service.



-- CREDIT --------------------------------------------------------------

This was reported as ZDI-CAN-635 by TippingPoint Corporation. The vulnerability was discovered by:
* Stephen Fewer of Harmony Security (www.harmonysecurity.com)