NOVELL ZENWORKS MULTIPLE REMØTE STACK & HEAP OVERFLOWS

To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: NOVELL ZENWORKS MULTIPLE REMØTE STACK & HEAP OVERFLOWS
From: list@xxxxxxxxxx
Date: Wed, 18 May 2005 21:07:53 +0000
Importance: Normal
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Sensitivity: Normal

Date
May 18, 2005

Vulnerabilities
Novell ZENworks provides Remote Management capabilities to large networks. In 
order to manage remote nodes ZENworks implements an authentication protocol to 
verify the requestor is authorized for a transaction. This authentication 
protocol contains several stack and heap overflows that can be triggered by an 
unauthenticated remote attacker to obtain control of the system that requires 
authentication. These overflows are the result of unchecked copy values, sign 
misuse, and integer wraps.

There are several arbitrary heap overflows with no character restrictions that 
are the result of integer wraps. These integer wraps occur because words from 
the network are sign extended and then incremented. The results of these 
calculations are passed to new(0). Input of -1 to these calculations will 
result in small memory allocations and negative length receives to overflow the 
allocated memory.

There is an arbitrary stack overflow with no character restrictions in the 
authentication negotiation for type 1 authentication requests. The stack 
overflow is a result of an unchecked password length used as the copy length 
for the password to a stack variable only 0x1C bytes long.

There are several arbitrary stack overflows with no character restrictions in 
the authentication negotiation for type 2 authentication requests. All are the 
result of unchecked lengths being used to copy arbitrary network data to an 
argument that is a stack variable of the caller. These lengths also contain 
integer wraps and sign misuse issues.

Impact
Successful exploitation of ZENworks allows attackers unauthorized control of 
related data and privileges on the machine and network. It also provides 
attackers leverage for further network compromise. Most likely the ZENworks 
implementation will be vulnerable in its default configuration.

Affected Products
All versions of Novell ZENworks are vulnerable. If the authentication 
negotiation is used in other products, they are also likely to be vulnerable. 
Refer to Novell for specifics.

Advisories:
http://www.rem0te.com/public/images/zen.pdf
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097644.htm

Credit
These vulnerabilities were discovered and researched by Alex Wheeler.

Contact
security@xxxxxxxxxx

Prev by Date: Re: Mac OS X - Adobe Version Cue local root exploit [c version exploit]
Next by Date: [FLSA-2005:152883] Updated mozilla packages fix security issues
Previous by thread: Re: Mac OS X - Adobe Version Cue local root exploit [c version exploit]
Next by thread: [FLSA-2005:152883] Updated mozilla packages fix security issues
Index(es):
- Date
- Thread