SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   ZENworks Remote Control Vendors:   Novell
Novell ZENworks Remote Management Buffer Overflows in Authentication Protocol Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1014005
SecurityTracker URL:  http://securitytracker.com/id/1014005
CVE Reference:   CVE-2005-1543   (Links to External Site)
Date:  May 19 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.x, 4.x, 6.5
Description:   A vulnerability was reported in Novell ZENworks Remote Management. A remote user can execute arbitrary code on the target system.

The authentication protocol implementation contains several stack and heap overflows. A remote user can send specially crafted packets to trigger an overflow and potentially execute arbitrary code on the target system.

Several integer values are not properly validated and can overflow. The user-supplied password length in type 1 authentication requests is not properly validated before the user-supplied password is copied into a fixed length buffer. The length of various parameters in type 2 authentication requests are not properly validated.

The flaws reside in 'zenrem32.exe'.

The original advisory is available at:

http://www.rem0te.com/public/images/zen.pdf

Alex Wheeler discovered this vulnerability.

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   No solution was available at the time of this entry. The vendor is working on a fix. The vendor's advisory is available at:


http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097644.htm

Vendor URL:  support.novell.com/cgi-bin/search/searchtid.cgi?/10097644.htm (Links to External Site)
Cause:   Boundary error, Input validation error

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 27 2005 (Vendor Issues Fix) Novell ZENworks Remote Management Buffer Overflows in Authentication Protocol Let Remote Users Execute Arbitrary Code
The vendor has issued a fix.



 Source Message Contents

Subject:  [Full-disclosure] NOVELL ZENWORKS MULTIPLE =?utf-8?q?REM=C3=98TE?=


Date
May 18, 2005

Vulnerabilities
Novell ZENworks provides Remote Management capabilities to large networks. In order to manage remote nodes ZENworks implements an
 authentication protocol to verify the requestor is authorized for a transaction. This authentication protocol contains several stack
 and heap overflows that can be triggered by an unauthenticated remote attacker to obtain control of the system that requires authentication.
 These overflows are the result of unchecked copy values, sign misuse, and integer wraps. 

There are several arbitrary heap overflows with no character restrictions that are the result of integer wraps. These integer wraps
 occur because words from the network are sign extended and then incremented. The results of these calculations are passed to new(0).
 Input of -1 to these calculations will result in small memory allocations and negative length receives to overflow the allocated
 memory.

There is an arbitrary stack overflow with no character restrictions in the authentication negotiation for type 1 authentication requests.
 The stack overflow is a result of an unchecked password length used as the copy length for the password to a stack variable only
 0x1C bytes long.

There are several arbitrary stack overflows with no character restrictions in the authentication negotiation for type 2 authentication
 requests. All are the result of unchecked lengths being used to copy arbitrary network data to an argument that is a stack variable
 of the caller. These lengths also contain integer wraps and sign misuse issues.

Impact
Successful exploitation of ZENworks allows attackers unauthorized control of related data and privileges on the machine and network.
 It also provides attackers leverage for further network compromise. Most likely the ZENworks implementation will be vulnerable in
 its default configuration.

Affected Products
All versions of Novell ZENworks are vulnerable. If the authentication negotiation is used in other products, they are also likely
 to be vulnerable. Refer to Novell for specifics.

Advisories:
http://www.rem0te.com/public/images/zen.pdf
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097644.htm

Credit
These vulnerabilities were discovered and researched by Alex Wheeler.

Contact
security@rem0te.com 






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC