[NEWS] Novell ZENWorks Multiple Remote Overflows
From: SecuriTeam (support_at_securiteam.com)
Date: 05/19/05
To: list@securiteam.com
Date: 19 May 2005 16:13:51 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Novell ZENWorks Multiple Remote Overflows
------------------------------------------------------------------------
SUMMARY
"Novell ZENworks provides Remote Management capabilities to large
networks. In order to manage remote nodes ZENworks implements an
authentication protocol to verify the requestor is authorized for a
transaction. This authentication protocol contains several stack and heap
overflows that can be triggered by an unauthenticated remote attacker to
obtain control of the system that requires authentication. These overflows
are the result of unchecked copy values, sign misuse, and integer wraps."
Several remote stack/heap overflow vulnerabilities were discovered in
Novell ZENWorks. Exploiting these vulnerabilities may allow an attacker to
execute arbitrary code on the vulnerable system and thus gain full control
over it.
DETAILS
Vulnerable Systems:
* Novell ZENworks (all versions)
There are several arbitrary heap overflows with no character restrictions
that are the result of integer wraps. These integer wraps occur because
words from the network are sign extended and then incremented. The results
of these calculations are passed to new(0). An input word of -1 therefore
yields a very small allocation, while the same negative value, used as a
receive length, overflows the memory that was allocated.
There is an arbitrary stack overflow with no character restrictions in the
authentication negotiation for type 1 authentication requests. The stack
overflow is a result of an unchecked password length used as the copy
length for the password to a stack variable only 0x1C bytes long.
There are several arbitrary stack overflows with no character restrictions
in the authentication negotiation for type 2 authentication requests. All
are the result of unchecked lengths being used to copy arbitrary network
data to an argument that is a stack variable of the caller. These lengths
also contain integer wraps and sign misuse issues.
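The length-handling pattern the advisory describes, as an added illustration that is not code from the advisory or from Novell's product: a 16-bit wire word read into a signed type, sign extended and incremented, so 0xFFFF becomes a zero-byte allocation while the same value reinterpreted as an unsigned receive length becomes huge. The wire bytes, the 0x1C bound and all function names are constructed for the example; the hardened variant shows the check a fixed parser needs.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed wire words (big-endian 16-bit length fields). */
static const unsigned char WIRE_NEG1[2] = { 0xFF, 0xFF }; /* reads as -1 */
static const unsigned char WIRE_16[2]   = { 0x00, 0x10 }; /* reads as 16 */

/* Vulnerable pattern: the word is read into a signed short, so 0xFFFF is
 * sign extended to -1. Incrementing it gives 0, which becomes the size
 * handed to new()/malloc(): a tiny allocation for a "length" of -1. */
int vuln_alloc_size(const unsigned char wire[2]) {
    short w = (short)((wire[0] << 8) | wire[1]); /* sign-extended word */
    int n = w + 1;                               /* -1 + 1 == 0 */
    return n;
}

/* The same signed word later used as a receive/copy length. Converting -1
 * to the size_t that recv()/memcpy() take yields SIZE_MAX, which is what
 * lets a negative-length receive run past the allocation above. */
size_t vuln_recv_len(const unsigned char wire[2]) {
    short w = (short)((wire[0] << 8) | wire[1]);
    return (size_t)w;
}

/* Hardened pattern: read the word as unsigned, bound the final length
 * (including the +1) against the destination buffer before any allocation
 * or copy, and fail closed. Returns the usable length, or -1 on rejection.
 * max_len stands in for the real buffer size, e.g. the advisory's 0x1C-byte
 * stack variable. */
long safe_parse_len(const unsigned char wire[2], size_t max_len) {
    uint16_t w = (uint16_t)((wire[0] << 8) | wire[1]); /* never negative */
    size_t need = (size_t)w + 1;                        /* cannot wrap: w <= 65535 */
    if (need > max_len)
        return -1;
    return (long)need;
}
```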
Successful exploitation of ZENworks allows attackers unauthorized control
of related data and privileges on the machine and network. It also
provides attackers leverage for further network compromise. Most likely
the ZENworks implementation will be vulnerable in its default
configuration.
All versions of Novell ZENworks are vulnerable. If the authentication
negotiation is used in other products, they are also likely to be
vulnerable. Refer to Novell for specifics.
ADDITIONAL INFORMATION
The information has been provided by rem0te.com <mailto:security@rem0te.com>.
The original article can be found at:
http://www.rem0te.com/public/images/zen.pdf
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097644.htm
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.