####################################################################### Luigi Auriemma Application: Novell File Reporter http://www.novell.com/products/file-reporter/ Versions: <= 1.0.4.2 Platforms: Windows, Linux, NetWare Bug: arbitrary files deletion Exploitation: remote, versus server Date: 27 Jun 2011 (found 18 Apr 2011) Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Novell File Reporter is a software that creates reports on the state and activity of files and storages. ####################################################################### ====== 2) Bug ====== NFRAgent.exe is a SYSTEM service listening on the default HTTPS port 3037. Through the NAME SRS, OPERATION 4 and CMD 5 is possible to delete any arbitrary file on the remote system and shares with SYSTEM privileges since the service calls directly DeleteFileA with the string provided in our PATH value. The sequence of chars before the RECORD data is the md5 hash calculated on a string composed by such data placed between the strings "SRS" and "SERVER". ####################################################################### =========== 3) The Code =========== http://aluigi.org/mytoolz/stcppipe.zip http://aluigi.org/poc/nfr_2.dat stcppipe -Y 2 SERVER 3037 1234 nc 127.0.0.1 1234 < nfr_2.dat the deleted file will be c:\windows\myfile.txt ####################################################################### ====== 4) Fix ====== No fix. #######################################################################