Re: NOVELL ZENWORKS MULTIPLE REMXXTE STACK & HEAP OVERFLOWS

[<bart2k () hushmail com>]

Hey is it just me is this vulnerbaility accessible via UDP !

If I'm reading this correctly then it would make an interesting 
worm PoC for these folks:

http://www.novell.com/servlet/CRS?reference_name=&-
op=%25&Action=Start+Search&Submit=Start+Search&source=novl&full_text
_limit=showcase_verbiage+%2C+press_release&MaxRows=0&product=0&&solu
tions=0& 

Feel free to correct me if I have read this advisory wrong

Thx


On Wed, 18 May 2005 14:07:53 -0700 list () rem0te com wrote:
> Date
> May 18, 2005
>
> Vulnerabilities
> Novell ZENworks provides Remote Management capabilities to large 
> networks. In order to manage remote nodes ZENworks implements an 
> authentication protocol to verify the requestor is authorized for 
> a transaction. This authentication protocol contains several stack 

> and heap overflows that can be triggered by an unauthenticated 
> remote attacker to obtain control of the system that requires 
> authentication. These overflows are the result of unchecked copy 
> values, sign misuse, and integer wraps. 
>
> There are several arbitrary heap overflows with no character 
> restrictions that are the result of integer wraps. These integer 
> wraps occur because words from the network are sign extended and 
> then incremented. The results of these calculations are passed to 
> new(0). Input of -1 to these calculations will result in small 
> memory allocations and negative length receives to overflow the 
> allocated memory.
>
> There is an arbitrary stack overflow with no character 
> restrictions in the authentication negotiation for type 1 
> authentication requests. The stack overflow is a result of an 
> unchecked password length used as the copy length for the password 

> to a stack variable only 0x1C bytes long.
>
> There are several arbitrary stack overflows with no character 
> restrictions in the authentication negotiation for type 2 
> authentication requests. All are the result of unchecked lengths 
> being used to copy arbitrary network data to an argument that is a 

> stack variable of the caller. These lengths also contain integer 
> wraps and sign misuse issues.
>
> Impact
> Successful exploitation of ZENworks allows attackers unauthorized 
> control of related data and privileges on the machine and network. 

> It also provides attackers leverage for further network 
> compromise. Most likely the ZENworks implementation will be 
> vulnerable in its default configuration.
>
> Affected Products
> All versions of Novell ZENworks are vulnerable. If the 
> authentication negotiation is used in other products, they are 
> also likely to be vulnerable. Refer to Novell for specifics.
>
> Advisories:
> http://www.rem0te.com/public/images/zen.pdf
> http://support.novell.com/cgi-
> bin/search/searchtid.cgi?/10097644.htm
>
> Credit
> These vulnerabilities were discovered and researched by Alex 
> Wheeler.
>
> Contact
> security () rem0te com 
>
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about-affiliate?l=427

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/