
List:       bugtraq
Subject:    NOVELL ZENWORKS MULTIPLE REMØTE STACK & HEAP OVERFLOWS
From:       list@rem0te.com
Date:       2005-05-18 21:07:53
Message-ID: W5012527307152801116450473@webmail2

Date
May 18, 2005

Vulnerabilities
Novell ZENworks provides remote management capabilities to large networks. To manage remote nodes, ZENworks implements an authentication protocol that verifies the requestor is authorized for a transaction. This authentication protocol contains several stack and heap overflows that an unauthenticated remote attacker can trigger to take control of the very system that is supposed to be enforcing that authentication. The overflows are the result of unchecked copy lengths, sign misuse, and integer wraps.

There are several arbitrary heap overflows, with no character restrictions, that result from integer wraps. The wraps occur because 16-bit words read from the network are sign extended and then incremented, and the result is passed to new() as the allocation size. A word of -1 (0xFFFF) sign extends to -1 and increments to 0, so new(0) returns a minimal allocation; the original negative value is then used as the length of the following receive, which as an unsigned byte count is enormous, and the received data overflows the allocation.
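The arithmetic behind these wraps, as an added illustration that is not code from this advisory or from ZENworks: the wire format (a 16-bit big-endian length word), the function names and the 1024-byte bound are assumptions made for the example. The vulnerable functions reproduce the sign-extend, increment and receive sequence described above without performing the overflowing write; the hardened ones read the word as unsigned and derive both the allocation size and the receive length from one validated value.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the length arithmetic the advisory describes.  This is
 * not ZENworks code: the wire format (16-bit big-endian length word) and the
 * function names are assumptions made for the example. */

/* Vulnerable pattern: the wire word is read as a signed 16-bit value, so it is
 * sign extended when widened to int, then incremented before being used as the
 * allocation size.  A word of 0xFFFF becomes -1, and -1 + 1 == 0. */
int vuln_alloc_size(uint8_t hi, uint8_t lo) {
    int16_t w = (int16_t)(((uint16_t)hi << 8) | lo);  /* sign extended */
    int n = w + 1;                                     /* 0 for 0xFFFF */
    return n;                                          /* would go to new(n) */
}

/* The same word is later handed to the receive call as the byte count, where
 * its negative value becomes a huge unsigned length. */
size_t vuln_recv_len(uint8_t hi, uint8_t lo) {
    int16_t w = (int16_t)(((uint16_t)hi << 8) | lo);
    return (size_t)w;                                  /* -1 -> SIZE_MAX */
}

/* 1 when the receive would write past the allocation: a heap overflow. */
int vuln_overflows(uint8_t hi, uint8_t lo) {
    int n = vuln_alloc_size(hi, lo);
    if (n <= 0) return 1;               /* zero or negative allocation size */
    return vuln_recv_len(hi, lo) > (size_t)n;
}

/* Hardened: read the word as unsigned so nothing is sign extended, bound it,
 * and use that one validated value for both sizes.  Returns the number of
 * bytes to receive, or 0 to reject the message. */
size_t safe_recv_len(uint8_t hi, uint8_t lo, size_t max) {
    uint16_t w = (uint16_t)(((uint16_t)hi << 8) | lo);
    if (w == 0 || w > max) return 0;
    return w;
}

/* Allocation size paired with safe_recv_len; +1 cannot wrap a 16-bit input. */
size_t safe_alloc_size(uint8_t hi, uint8_t lo, size_t max) {
    size_t n = safe_recv_len(hi, lo, max);
    return n ? n + 1 : 0;
}

int main(void) {
    /* Constructed wire words: a length of 5, and the 0xFFFF that wraps. */
    printf("0x0005: alloc %d, recv %zu, overflow %d\n",
           vuln_alloc_size(0x00, 0x05), vuln_recv_len(0x00, 0x05),
           vuln_overflows(0x00, 0x05));
    printf("0xFFFF: alloc %d, recv %zu, overflow %d\n",
           vuln_alloc_size(0xFF, 0xFF), vuln_recv_len(0xFF, 0xFF),
           vuln_overflows(0xFF, 0xFF));
    printf("0xFFFF hardened: recv %zu (0 = rejected)\n",
           safe_recv_len(0xFF, 0xFF, 1024));
    return 0;
}
```

Any word with the top bit set (0x8000 and above) is negative after sign extension, so the whole upper half of the 16-bit range either wraps to a tiny allocation or produces a negative size; the hardened reader removes the signed interpretation entirely rather than special-casing -1.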

There is an arbitrary stack overflow, with no character restrictions, in the authentication negotiation for type 1 authentication requests. The password length supplied in the request is used, unchecked, as the copy length when the password is copied into a stack variable only 0x1C (28) bytes long.

There are several arbitrary stack overflows, with no character restrictions, in the authentication negotiation for type 2 authentication requests. All result from unchecked lengths being used to copy arbitrary network data into an argument that is a stack variable of the caller. These lengths are also subject to integer wraps and sign misuse.
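The unchecked copy length in the type 1 negotiation, and the same pattern behind the type 2 overflows, as an added illustration that is not the advisory's or ZENworks' code: the message layout ([type:1][pwlen:1][password:pwlen]), the function names and the frame model are assumptions made for the example; only the 0x1C-byte destination and the unchecked copy length come from the advisory. The vulnerable parser copies the declared length into a model of the caller's frame, so the bytes that land past the buffer, where a saved frame pointer and return address would sit, can be counted without crashing the example; the hardened parser checks the declared length against both the message and the destination before copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not ZENworks code.  The message layout
 * ([type:1][pwlen:1][password:pwlen]) and all names are assumptions; only the
 * 0x1C-byte destination and the unchecked copy length come from the advisory. */

#define PW_BUF_LEN 0x1C   /* 28 bytes, the stack variable size in the advisory */

/* Model of the caller's stack frame: the password buffer and, above it, the
 * saved frame pointer and return address that an overflow would reach.  The
 * vulnerable copy is clamped to this model so the example stays memory-safe;
 * the clamps are part of the demo, not of the vulnerable pattern. */
struct frame_model {
    char    password[PW_BUF_LEN];
    uint8_t saved_fp[4];
    uint8_t saved_ret[4];
};

/* Vulnerable parse: the length byte from the message is used as the copy
 * length with no comparison against PW_BUF_LEN.  Returns the number of bytes
 * written past the password buffer (0 when nothing overflowed), or -1 if the
 * message is not a type 1 request. */
int vuln_type1_parse(const uint8_t *msg, size_t msglen) {
    struct frame_model f;
    memset(&f, 0, sizeof f);
    memcpy(f.saved_ret, "RET!", 4);               /* sentinel return address */
    if (msglen < 2 || msg[0] != 1) return -1;
    size_t pwlen = msg[1];
    if (pwlen > msglen - 2) pwlen = msglen - 2;   /* demo only: stay inside msg */
    if (pwlen > sizeof f) pwlen = sizeof f;       /* demo only: stay inside model */
    memcpy((uint8_t *)&f, msg + 2, pwlen);        /* the unchecked copy */
    if (memcmp(f.saved_ret, "RET!", 4) != 0)
        printf("return address slot now holds %.4s\n", (const char *)f.saved_ret);
    return pwlen > PW_BUF_LEN ? (int)(pwlen - PW_BUF_LEN) : 0;
}

/* Hardened parse: the declared length must lie within the message and leave
 * room for a terminator in the destination.  Returns the password length, or
 * -1 when the request is rejected. */
int safe_type1_parse(const uint8_t *msg, size_t msglen, char *out, size_t outsz) {
    if (msglen < 2 || msg[0] != 1) return -1;
    size_t pwlen = msg[1];
    if (pwlen > msglen - 2) return -1;            /* length exceeds the message */
    if (pwlen >= outsz) return -1;                /* would not fit the buffer */
    memcpy(out, msg + 2, pwlen);
    out[pwlen] = '\0';
    return (int)pwlen;
}

/* Constructed request: type 1, a declared length, and `supplied` bytes of 'A'. */
static size_t build_type1(uint8_t *out, size_t declared, size_t supplied) {
    out[0] = 1;
    out[1] = (uint8_t)declared;
    memset(out + 2, 'A', supplied);
    return supplied + 2;
}

int demo_vuln_short(void) {          /* 8-byte password fits: returns 0 */
    uint8_t msg[64]; size_t n = build_type1(msg, 8, 8);
    return vuln_type1_parse(msg, n);
}
int demo_vuln_long(void) {           /* 36 bytes: 8 land past the buffer */
    uint8_t msg[64]; size_t n = build_type1(msg, 36, 36);
    return vuln_type1_parse(msg, n);
}
int demo_safe_short(void) {          /* accepted: returns 8 */
    uint8_t msg[64]; char pw[PW_BUF_LEN]; size_t n = build_type1(msg, 8, 8);
    return safe_type1_parse(msg, n, pw, sizeof pw);
}
int demo_safe_long(void) {           /* rejected: 36 does not fit in 28 */
    uint8_t msg[64]; char pw[PW_BUF_LEN]; size_t n = build_type1(msg, 36, 36);
    return safe_type1_parse(msg, n, pw, sizeof pw);
}
int demo_safe_truncated(void) {      /* rejected: declares 40, supplies 8 */
    uint8_t msg[64]; char pw[PW_BUF_LEN]; size_t n = build_type1(msg, 40, 8);
    return safe_type1_parse(msg, n, pw, sizeof pw);
}

int main(void) {
    printf("vulnerable, short: %d bytes past buffer\n", demo_vuln_short());
    printf("vulnerable, long:  %d bytes past buffer\n", demo_vuln_long());
    printf("hardened: short %d, long %d, truncated %d (-1 = rejected)\n",
           demo_safe_short(), demo_safe_long(), demo_safe_truncated());
    return 0;
}
```

The hardened parser checks the declared length twice, once against the bytes actually present (otherwise a short message becomes an over-read) and once against the destination size (the check the vulnerable code lacks); in the type 2 case the destination is the caller's stack variable, so the bound must be passed down with the buffer rather than assumed.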

Impact
Successful exploitation gives an attacker unauthorized control of ZENworks-managed data and privileges on the machine and the network, and provides leverage for further network compromise. A ZENworks installation is most likely vulnerable in its default configuration.

Affected Products
All versions of Novell ZENworks are vulnerable. If the same authentication negotiation is used in other products, they are also likely to be vulnerable; refer to Novell for specifics.

Advisories:
http://www.rem0te.com/public/images/zen.pdf
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097644.htm

Credit
These vulnerabilities were discovered and researched by Alex Wheeler.

Contact
security@rem0te.com 

