Novell File Reporter FSFUI Arbitrary File Retrieval

November 27, 2012

Novell File Reporter is software that allows network administrators to identify files stored on the network and generates reports regarding the size of individual files, file type, when files were last accessed, and where duplicates exist. Additionally, the File Reporter tracks storage volume capacity and usage. It is a component of the Novell File Management Suite.

Novell File Reporter examines and reports on terabytes of data via a central reporting engine (NFR Engine) and distributed agents (NFR Agents). The NFR Engine schedules the scans of file instances conducted by NFR Agents, processes and compiles the scans for reporting purposes, and provides report information to the user interface. When working with either eDirectory or Active Directory, the NFR Engine connects to the directory via a Directory Services Interface (DSI) and can thus monitor and check file permissions.

NFR Agents communicate over HTTPS on port 3037 by default. A request is sent to the NFR Agent as the XML-formatted body of a POST request. One example of the XML contents is:

  FSFUI 126 filename  

A file retrieval vulnerability exists in Novell File Reporter. The vulnerability is due to a lack of authorization checks on certain requests that return the contents of a file. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted request to the NFR Agent service. Successful exploitation can result in arbitrary file retrieval with SYSTEM privileges.

The Dell SonicWALL IPS team has researched this vulnerability and released the following IPS signature to detect attacks:

  • 9273 Novell File Reporter FSFUI Arbitrary File Retrieval

An existing generic Directory Traversal detection signature will also trigger in most cases:

  • 6613 Server Application Directory Traversal Attack 6
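As an added illustration of how the two signatures above divide the work, the following Python check (written for this page, not SonicWALL's signature logic) mirrors them over a decrypted NFR Agent request. It assumes the POST body is available after TLS inspection; the XML element names and sample bodies are constructed, since the advisory shows only the extracted values "FSFUI 126 filename".

```python
import re

# IDs of the two IPS signatures named in the advisory.
SIG_FSFUI = 9273       # Novell File Reporter FSFUI Arbitrary File Retrieval
SIG_TRAVERSAL = 6613   # Server Application Directory Traversal Attack 6

NFR_AGENT_PORT = 3037  # default NFR Agent HTTPS port per the advisory

# "../" or "..\" anywhere, or a token that starts as an absolute path.
TRAVERSAL_RE = re.compile(r'(\.\.[\\/])|(^[A-Za-z]:[\\/])|(^[\\/]{1,2})')


def text_tokens(body: str) -> list:
    """Return the text values of an XML body with element names stripped.
    Tag-agnostic on purpose: the advisory shows only the values."""
    return re.sub(r'<[^>]*>', ' ', body).split()


def match_signatures(method: str, dst_port: int, body: str) -> list:
    """Return the IDs of the advisory's signatures that this request fires."""
    hits = []
    if method.upper() != 'POST' or dst_port != NFR_AGENT_PORT:
        return hits
    tokens = text_tokens(body)
    # 9273: an FSFUI record with command 126 asks the agent to return a
    # file's contents, and the agent performs no authorization check, so
    # the request is flagged whether or not the path looks like traversal.
    if 'FSFUI' in tokens and '126' in tokens:
        hits.append(SIG_FSFUI)
    # 6613: generic traversal / absolute-path check over every value.
    if any(TRAVERSAL_RE.search(t) for t in tokens):
        hits.append(SIG_TRAVERSAL)
    return hits


# Constructed sample bodies; RECORD/NAME/CMD/SRC and STATUS are hypothetical
# placeholders, not the product's real element or command names.
BENIGN_BODY = "<RECORD><NAME>STATUS</NAME><CMD>1</CMD></RECORD>"
FSFUI_PLAIN_BODY = "<RECORD><NAME>FSFUI</NAME><CMD>126</CMD><SRC>report.txt</SRC></RECORD>"
FSFUI_TRAVERSAL_BODY = r"<RECORD><NAME>FSFUI</NAME><CMD>126</CMD><SRC>..\..\example.ini</SRC></RECORD>"

if __name__ == "__main__":
    for body in (BENIGN_BODY, FSFUI_PLAIN_BODY, FSFUI_TRAVERSAL_BODY):
        print(match_signatures("POST", NFR_AGENT_PORT, body), body)
```

The plain-filename case fires only 9273, which is why the generic traversal signature covers "most" rather than all cases.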

This vulnerability has been assigned the identifier CVE-2012-4958.