Full Disclosure mailing list archives
Re: NOVELL ZENWORKS MULTIPLE REMXXTE STACK & HEAP OVERFLOWS
From: <bart2k () hushmail com>
Date: Thu, 19 May 2005 11:43:25 -0700
Hey is it just me is this vulnerbaility accessible via UDP ! If I'm reading this correctly then it would make an interesting worm PoC for these folks: http://www.novell.com/servlet/CRS?reference_name=&- op=%25&Action=Start+Search&Submit=Start+Search&source=novl&full_text _limit=showcase_verbiage+%2C+press_release&MaxRows=0&product=0&&solu tions=0& Feel free to correct me if I have read this advisory wrong Thx On Wed, 18 May 2005 14:07:53 -0700 list () rem0te com wrote:
Date May 18, 2005 Vulnerabilities Novell ZENworks provides Remote Management capabilities to large networks. In order to manage remote nodes ZENworks implements an authentication protocol to verify the requestor is authorized for a transaction. This authentication protocol contains several stack
and heap overflows that can be triggered by an unauthenticated remote attacker to obtain control of the system that requires authentication. These overflows are the result of unchecked copy values, sign misuse, and integer wraps. There are several arbitrary heap overflows with no character restrictions that are the result of integer wraps. These integer wraps occur because words from the network are sign extended and then incremented. The results of these calculations are passed to new(0). Input of -1 to these calculations will result in small memory allocations and negative length receives to overflow the allocated memory. There is an arbitrary stack overflow with no character restrictions in the authentication negotiation for type 1 authentication requests. The stack overflow is a result of an unchecked password length used as the copy length for the password
to a stack variable only 0x1C bytes long. There are several arbitrary stack overflows with no character restrictions in the authentication negotiation for type 2 authentication requests. All are the result of unchecked lengths being used to copy arbitrary network data to an argument that is a
stack variable of the caller. These lengths also contain integer wraps and sign misuse issues. Impact Successful exploitation of ZENworks allows attackers unauthorized control of related data and privileges on the machine and network.
It also provides attackers leverage for further network compromise. Most likely the ZENworks implementation will be vulnerable in its default configuration. Affected Products All versions of Novell ZENworks are vulnerable. If the authentication negotiation is used in other products, they are also likely to be vulnerable. Refer to Novell for specifics. Advisories: http://www.rem0te.com/public/images/zen.pdf http://support.novell.com/cgi- bin/search/searchtid.cgi?/10097644.htm Credit These vulnerabilities were discovered and researched by Alex Wheeler. Contact security () rem0te com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Concerned about your privacy? Follow this link to get secure FREE email: http://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger http://www.hushmail.com/services-messenger?l=434 Promote security and make money with the Hushmail Affiliate Program: http://www.hushmail.com/about-affiliate?l=427 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: NOVELL ZENWORKS MULTIPLE REMXXTE STACK & HEAP OVERFLOWS bart2k (May 19)