Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: NOVELL ZENWORKS MULTIPLE REMXXTE STACK & HEAP OVERFLOWS
From: <bart2k () hushmail com>
Date: Thu, 19 May 2005 11:43:25 -0700

Hey is it just me is this vulnerbaility accessible via UDP !

If I'm reading this correctly then it would make an interesting 
worm PoC for these folks:

http://www.novell.com/servlet/CRS?reference_name=&-
op=%25&Action=Start+Search&Submit=Start+Search&source=novl&full_text
_limit=showcase_verbiage+%2C+press_release&MaxRows=0&product=0&&solu
tions=0& 

Feel free to correct me if I have read this advisory wrong

Thx


On Wed, 18 May 2005 14:07:53 -0700 list () rem0te com wrote:
Date
May 18, 2005

Vulnerabilities
Novell ZENworks provides Remote Management capabilities to large 
networks. In order to manage remote nodes ZENworks implements an 
authentication protocol to verify the requestor is authorized for 
a transaction. This authentication protocol contains several stack 

and heap overflows that can be triggered by an unauthenticated 
remote attacker to obtain control of the system that requires 
authentication. These overflows are the result of unchecked copy 
values, sign misuse, and integer wraps. 

There are several arbitrary heap overflows with no character 
restrictions that are the result of integer wraps. These integer 
wraps occur because words from the network are sign extended and 
then incremented. The results of these calculations are passed to 
new(0). Input of -1 to these calculations will result in small 
memory allocations and negative length receives to overflow the 
allocated memory.

There is an arbitrary stack overflow with no character 
restrictions in the authentication negotiation for type 1 
authentication requests. The stack overflow is a result of an 
unchecked password length used as the copy length for the password 

to a stack variable only 0x1C bytes long.

There are several arbitrary stack overflows with no character 
restrictions in the authentication negotiation for type 2 
authentication requests. All are the result of unchecked lengths 
being used to copy arbitrary network data to an argument that is a 

stack variable of the caller. These lengths also contain integer 
wraps and sign misuse issues.

Impact
Successful exploitation of ZENworks allows attackers unauthorized 
control of related data and privileges on the machine and network. 

It also provides attackers leverage for further network 
compromise. Most likely the ZENworks implementation will be 
vulnerable in its default configuration.

Affected Products
All versions of Novell ZENworks are vulnerable. If the 
authentication negotiation is used in other products, they are 
also likely to be vulnerable. Refer to Novell for specifics.

Advisories:
http://www.rem0te.com/public/images/zen.pdf
http://support.novell.com/cgi-
bin/search/searchtid.cgi?/10097644.htm

Credit
These vulnerabilities were discovered and researched by Alex 
Wheeler.

Contact
security () rem0te com 






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about-affiliate?l=427

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Re: NOVELL ZENWORKS MULTIPLE REMXXTE STACK & HEAP OVERFLOWS bart2k (May 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]