A zero-day vulnerability in Novell ZENworks Asset Management Software 7.5 gives access to any file with system privileges and could also allow an attacker to grab configuration parameters, including the backend credentials in clear text, according to Rapid7 exploit developer Juan Vazquez, who discovered the vulnerability and wrote an exploit module for Metasploit.
The program’s Web interface makes a number of maintenance calls, according to the report. Two of these, GetConfigInfo_Password and GetFile_Password, are protected by and accessible through hardcoded credentials. Vazquez found the same username/password combination worked in both cases.
Once Vazquez knew this, he could access any of the files in the file system through the GetFile_Password function and any of the configuration parameters including the backend credentials in plain text with the GetConfigInfo_Password function.
ZENworks Asset Manager is a Web-based management console that integrates asset inventory, software usage, software management and contract management. Users can also access network device data and edit information through the console.
Metasploit notified both Novell and CERT, as per its disclosure policy.
You can read more about Vazquez’s exploitation of this vulnerability and find two auxiliary modules that will give Metasploit users the ability to test their ZENworks software here.
US-CERT is not currently aware of any solutions to the problem, but you can find its temporary workaround here.
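One way to review web server or proxy logs for use of the two maintenance calls named above, as an added example that is not code from Rapid7, Novell or US-CERT. The log layout, the `/console` path, the addresses and the `MGMT_HOSTS` allowlist are constructed assumptions; the article does not give the real request format, so the check matches only on the call names.

```python
import re
from collections import defaultdict

# The two maintenance calls named in the article, matched case-insensitively.
CALLS = re.compile(r"GetFile_Password|GetConfigInfo_Password", re.IGNORECASE)
# Assumption: each log line starts with the client's IPv4 address.
CLIENT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")
# Assumption: the only hosts expected to reach the maintenance interface.
MGMT_HOSTS = {"10.0.5.10"}

# Constructed sample lines (hypothetical path and parameters), not real traffic.
SAMPLE_LOG = """\
10.0.5.10 - - [01/Jan/2000:09:12:01 +0000] "POST /console call=GetConfigInfo_Password" 200 512
198.51.100.23 - - [01/Jan/2000:09:14:44 +0000] "POST /console call=getfile_password" 200 48211
198.51.100.23 - - [01/Jan/2000:09:14:51 +0000] "POST /console call=GetConfigInfo_Password" 200 733
203.0.113.7 - - [01/Jan/2000:09:20:10 +0000] "GET /console/login" 200 1830
"""


def maintenance_hits(lines):
    """Map each client to the sorted maintenance calls it requested."""
    hits = defaultdict(set)
    for line in lines:
        calls = CALLS.findall(line)
        if not calls:
            continue
        match = CLIENT.match(line)
        # Keep hits whose client field cannot be parsed instead of dropping them.
        client = match.group(1) if match else "unparsed"
        hits[client].update(call.lower() for call in calls)
    return {client: sorted(calls) for client, calls in hits.items()}


def unexpected_sources(hits, allowed=MGMT_HOSTS):
    """Keep only the clients that are not on the management allowlist."""
    return {c: calls for c, calls in hits.items() if c not in allowed}


if __name__ == "__main__":
    found = unexpected_sources(maintenance_hits(SAMPLE_LOG.splitlines()))
    for client, calls in sorted(found.items()):
        # A client that used both calls touched files and configuration.
        level = "HIGH" if len(calls) == 2 else "REVIEW"
        print(f"{level} {client} requested {', '.join(calls)}")
```

If the calls travel in a request body, the pattern has to run against a source that records bodies, since a plain access log would not contain the call names.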