
Re: [Full-disclosure] NOVELL ZENWORKS MULTIPLE REMXXTE STACK & HEAP OVERFLOWS



Hey, is it just me, or is this vulnerability accessible via UDP?

If I'm reading this correctly then it would make an interesting 
worm PoC for these folks:

http://www.novell.com/servlet/CRS?reference_name=&op=%25&Action=Start+Search&Submit=Start+Search&source=novl&full_text_limit=showcase_verbiage+%2C+press_release&MaxRows=0&product=0&&solutions=0&

Feel free to correct me if I have read this advisory wrong

Thx


On Wed, 18 May 2005 14:07:53 -0700 list@xxxxxxxxxx wrote:
>Date
>May 18, 2005
>
>Vulnerabilities
>Novell ZENworks provides Remote Management capabilities to large 
>networks. In order to manage remote nodes ZENworks implements an 
>authentication protocol to verify the requestor is authorized for 
>a transaction. This authentication protocol contains several stack 
>and heap overflows that can be triggered by an unauthenticated 
>remote attacker to obtain control of the system that requires 
>authentication. These overflows are the result of unchecked copy 
>values, sign misuse, and integer wraps. 
>
>There are several arbitrary heap overflows with no character 
>restrictions that are the result of integer wraps. These integer 
>wraps occur because words from the network are sign extended and 
>then incremented. The results of these calculations are passed to 
>new(0). Input of -1 to these calculations will result in small 
>memory allocations and negative length receives to overflow the 
>allocated memory.
>
>There is an arbitrary stack overflow with no character 
>restrictions in the authentication negotiation for type 1 
>authentication requests. The stack overflow is a result of an 
>unchecked password length used as the copy length for the password 
>to a stack variable only 0x1C bytes long.
>
>There are several arbitrary stack overflows with no character 
>restrictions in the authentication negotiation for type 2 
>authentication requests. All are the result of unchecked lengths 
>being used to copy arbitrary network data to an argument that is a 
>stack variable of the caller. These lengths also contain integer 
>wraps and sign misuse issues.
>
>Impact
>Successful exploitation of ZENworks allows attackers unauthorized 
>control of related data and privileges on the machine and network. 
>It also provides attackers leverage for further network 
>compromise. Most likely the ZENworks implementation will be 
>vulnerable in its default configuration.
>
>Affected Products
>All versions of Novell ZENworks are vulnerable. If the 
>authentication negotiation is used in other products, they are 
>also likely to be vulnerable. Refer to Novell for specifics.
>
>Advisories:
>http://www.rem0te.com/public/images/zen.pdf
>http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097644.htm
>
>Credit
>These vulnerabilities were discovered and researched by Alex 
>Wheeler.
>
>Contact
>security@xxxxxxxxxx 
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/




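The two length-handling defects the quoted advisory describes (a sign-extended wire word incremented and handed to the allocator, and a declared password length used unchecked as the copy length into a 0x1C-byte stack buffer) are easy to misread in prose, so here is an added C example that models each pattern next to a checked version. This is illustration code written for this page, not ZENworks code and not from the rem0te paper; the packet layout (a big-endian 16-bit length word, or a one-byte password length followed by the password bytes), the `MAX_ALLOC` cap and all function names are assumptions. The defective stack copy is reported rather than performed.

```c
/*
 * Added example (not ZENworks code, not from the advisory or the rem0te paper).
 * Models the two length-handling defects the advisory describes, each beside
 * a checked version. Packet layout is hypothetical: a 16-bit big-endian length
 * word, or a 1-byte password length followed by the password bytes.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PASSWORD_BUF_LEN 0x1C   /* stack buffer size given in the advisory */
#define MAX_ALLOC        4096   /* hypothetical upper bound for this example */

/* Defective pattern: the wire word is sign extended, then incremented, and the
 * result goes to the allocator. 0xFFFF becomes -1, and -1 + 1 becomes 0, so the
 * allocation is tiny while the later receive still uses the negative length.
 * Returns the size that would be allocated. */
long unsafe_alloc_len(const uint8_t pkt[2]) {
    unsigned raw = ((unsigned)pkt[0] << 8) | pkt[1];
    /* explicit sign extension of the 16-bit word */
    long len = (raw & 0x8000) ? (long)raw - 0x10000 : (long)raw;
    return len + 1;
}

/* Checked pattern: keep the word unsigned and bound it before any arithmetic.
 * Returns the size to allocate, or -1 to reject the packet. */
long safe_alloc_len(const uint8_t pkt[2]) {
    unsigned raw = ((unsigned)pkt[0] << 8) | pkt[1];
    if (raw >= MAX_ALLOC) return -1;
    return (long)raw + 1;
}

/* The same negative length as a receive size: once it reaches a size_t
 * parameter it is no longer small, which is why the tiny buffer overflows. */
size_t recv_len_as_size(long len) {
    return (size_t)len;
}

/* Defective pattern, reported rather than performed: the declared password
 * length is used directly as the copy length into a 0x1C-byte stack buffer.
 * Returns 1 when such a copy would write past the buffer. */
int unchecked_copy_overflows(size_t declared_len) {
    return declared_len > PASSWORD_BUF_LEN;
}

/* Checked pattern: validate the declared length against the destination
 * buffer and against the bytes actually present before copying.
 * Returns 0 on success (out is NUL-terminated), -1 on reject. */
int read_password(const uint8_t *pkt, size_t pktlen, char *out, size_t outlen) {
    if (pktlen < 1 || outlen == 0) return -1;
    size_t pwlen = pkt[0];
    if (pwlen >= outlen) return -1;        /* must leave room for the NUL */
    if (pktlen - 1 < pwlen) return -1;     /* declared length exceeds payload */
    memcpy(out, pkt + 1, pwlen);
    out[pwlen] = '\0';
    return 0;
}

int main(void) {
    /* constructed sample packets */
    const uint8_t wrap[2]  = {0xFF, 0xFF};
    const uint8_t small[2] = {0x00, 0x10};
    const uint8_t good[]   = {0x05, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t trunc[]  = {0x05, 'h', 'i'};
    char buf[PASSWORD_BUF_LEN];

    long unsafe = unsafe_alloc_len(wrap);
    printf("unsafe: 0xFFFF -> alloc %ld, recv length %zu\n",
           unsafe, recv_len_as_size(unsafe - 1));
    printf("safe:   0xFFFF -> %ld, 0x0010 -> %ld\n",
           safe_alloc_len(wrap), safe_alloc_len(small));
    printf("unchecked copy of 64 bytes overflows: %d\n",
           unchecked_copy_overflows(64));
    int rc_good = read_password(good, sizeof good, buf, sizeof buf);
    printf("read_password good=%d (%s)\n", rc_good, buf);
    int rc_trunc = read_password(trunc, sizeof trunc, buf, sizeof buf);
    printf("read_password truncated=%d\n", rc_trunc);
    return 0;
}
```

The point of `safe_alloc_len` is that the bound is applied to the unsigned wire value before the increment, so neither a sign-extended negative nor a wrapped maximum can reach the allocator; `read_password` likewise rejects on the declared length before touching memory, which is the check the advisory says was missing.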