mailing list archives
NOVELL ZENWORKS MULTIPLE REMØTE STACK & HEAP OVERFLOWS
From: list () rem0te com
Date: Wed, 18 May 2005 21:07:53 +0000
May 18, 2005
Novell ZENworks provides Remote Management capabilities to large networks. In order to manage remote nodes ZENworks
implements an authentication protocol to verify the requestor is authorized for a transaction. This authentication
protocol contains several stack and heap overflows that can be triggered by an unauthenticated remote attacker to
obtain control of the system that requires authentication. These overflows are the result of unchecked copy values,
sign misuse, and integer wraps.
There are several arbitrary heap overflows with no character restrictions that are the result of integer wraps. These
integer wraps occur because words from the network are sign extended and then incremented. The results of these
calculations are passed to new(0). Input of -1 to these calculations will result in small memory allocations and
negative length receives to overflow the allocated memory.
There is an arbitrary stack overflow with no character restrictions in the authentication negotiation for type 1
authentication requests. The stack overflow is a result of an unchecked password length used as the copy length for the
password to a stack variable only 0x1C bytes long.
There are several arbitrary stack overflows with no character restrictions in the authentication negotiation for type 2
authentication requests. All are the result of unchecked lengths being used to copy arbitrary network data to an
argument that is a stack variable of the caller. These lengths also contain integer wraps and sign misuse issues.
Successful exploitation of ZENworks allows attackers unauthorized control of related data and privileges on the machine
and network. It also provides attackers leverage for further network compromise. Most likely the ZENworks
implementation will be vulnerable in its default configuration.
All versions of Novell ZENworks are vulnerable. If the authentication negotiation is used in other products, they are
also likely to be vulnerable. Refer to Novell for specifics.
These vulnerabilities were discovered and researched by Alex Wheeler.
security () rem0te com
- NOVELL ZENWORKS MULTIPLE REMØTE STACK & HEAP OVERFLOWS list (May 18)