List: bugtraq
Subject: NOVELL ZENWORKS MULTIPLE REMØTE STACK & HEAP OVERFLOWS
From: list () rem0te ! com
Date: 2005-05-18 21:07:53
Message-ID: W5012527307152801116450473 () webmail2
Date
May 18, 2005
Vulnerabilities
Novell ZENworks provides Remote Management capabilities to large networks. In order to manage remote nodes, ZENworks implements an authentication protocol to verify that the requestor is authorized for a transaction. This authentication protocol contains several stack and heap overflows that an unauthenticated remote attacker can trigger to obtain control of the system without ever authenticating. These overflows are the result of unchecked copy lengths, sign misuse, and integer wraps.

There are several arbitrary heap overflows with no character restrictions that are the result of integer wraps. These integer wraps occur because words from the network are sign extended and then incremented, and the results of these calculations are passed to new(). An input of -1 therefore yields new(0), a very small allocation, and the subsequent receive with a negative length overflows the allocated memory.

There is an arbitrary stack overflow with no character restrictions in the authentication negotiation for type 1 authentication requests. The stack overflow is the result of an unchecked password length being used as the copy length for the password into a stack variable only 0x1C bytes long.

There are several arbitrary stack overflows with no character restrictions in the authentication negotiation for type 2 authentication requests. All are the result of unchecked lengths being used to copy arbitrary network data into an argument that is a stack variable of the caller. These lengths also suffer from integer wraps and sign misuse.
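The length handling described above, as a constructed C illustration that is neither ZENworks code nor part of the advisory: the sign-extend-and-increment computation that wraps for 0xFFFF, beside a checked version, and a bounded copy into a caller buffer of the advisory's 0x1C bytes. MAX_FIELD_LEN and the big-endian word layout are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration, not ZENworks code. PASSWORD_BUF_LEN (0x1C) is
 * the size the advisory gives; MAX_FIELD_LEN and the big-endian word
 * layout are assumptions for this example. */
#define PASSWORD_BUF_LEN 0x1C
#define MAX_FIELD_LEN    1024

/* Flawed: the 16-bit network word is sign-extended, then incremented, and
 * the result is used as an allocation size. 0xFFFF -> -1 -> 0 bytes, after
 * which a receive with a "negative" length overruns the tiny allocation. */
int flawed_alloc_len(const uint8_t *pkt)
{
    int16_t w = (int16_t)((pkt[0] << 8) | pkt[1]);
    int len = w;      /* sign extension: 0xFFFF becomes -1 */
    return len + 1;   /* -1 + 1 == 0 */
}

/* Checked: treat the word as unsigned, cap it, and require that the bytes
 * to be copied are actually present in the buffer. Returns 0 (never a
 * valid size here, since the result is always w + 1) on rejection. */
size_t checked_alloc_len(const uint8_t *pkt, size_t avail)
{
    uint16_t w = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (w > MAX_FIELD_LEN) return 0;
    if ((size_t)w + 1 > avail) return 0;
    return (size_t)w + 1;
}

/* Bounded copy of a network field into a fixed-size caller buffer (the
 * type 1 password case): the copy length is checked against the
 * destination before memcpy, keeping one byte for the terminator. */
bool copy_field_bounded(char *dst, size_t dstsz, const uint8_t *src, size_t len)
{
    if (dstsz == 0 || len > dstsz - 1) return false;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return true;
}

/* Driver with a stack buffer of the advisory's 0x1C bytes, so the check
 * can be exercised without handing the buffer to the caller. */
bool password_copy_accepted(const uint8_t *src, size_t len)
{
    char pw[PASSWORD_BUF_LEN];
    return copy_field_bounded(pw, sizeof pw, src, len);
}
```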
Impact
Successful exploitation of ZENworks allows attackers unauthorized control of related data and privileges on the machine and network. It also provides attackers leverage for further network compromise. Most likely the ZENworks implementation will be vulnerable in its default configuration.
Affected Products
All versions of Novell ZENworks are vulnerable. If the authentication negotiation is used in other products, they are also likely to be vulnerable. Refer to Novell for specifics.
Advisories:
http://www.rem0te.com/public/images/zen.pdf
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097644.htm
Credit
These vulnerabilities were discovered and researched by Alex Wheeler.
Contact
security@rem0te.com