Date: Thu, 19 May 2005 11:43:25 -0700
From: <>
To: <>, <>,

Hey, is it just me, or is this vulnerability accessible via UDP?

If I'm reading this correctly then it would make an interesting 
worm PoC for these folks:

Feel free to correct me if I have read this advisory wrong


On Wed, 18 May 2005 14:07:53 -0700 wrote:
>May 18, 2005
>
>Novell ZENworks provides Remote Management capabilities to large
>networks. In order to manage remote nodes ZENworks implements an
>authentication protocol to verify the requestor is authorized for
>a transaction. This authentication protocol contains several stack
>and heap overflows that can be triggered by an unauthenticated
>remote attacker to obtain control of the system that requires
>authentication. These overflows are the result of unchecked copy
>values, sign misuse, and integer wraps.
>
>There are several arbitrary heap overflows with no character
>restrictions that are the result of integer wraps. These integer
>wraps occur because words from the network are sign extended and
>then incremented. The results of these calculations are passed to
>new(0). Input of -1 to these calculations will result in small
>memory allocations and negative length receives to overflow the
>allocated memory.
>
>There is an arbitrary stack overflow with no character
>restrictions in the authentication negotiation for type 1
>authentication requests. The stack overflow is a result of an
>unchecked password length used as the copy length for the password
>to a stack variable only 0x1C bytes long.
>
>There are several arbitrary stack overflows with no character
>restrictions in the authentication negotiation for type 2
>authentication requests. All are the result of unchecked lengths
>being used to copy arbitrary network data to an argument that is a
>stack variable of the caller. These lengths also contain integer
>wraps and sign misuse issues.
>
>Successful exploitation of ZENworks allows attackers unauthorized
>control of related data and privileges on the machine and network.
>It also provides attackers leverage for further network
>compromise. Most likely the ZENworks implementation will be
>vulnerable in its default configuration.
>
>Affected Products
>
>All versions of Novell ZENworks are vulnerable. If the
>authentication negotiation is used in other products, they are
>also likely to be vulnerable. Refer to Novell for specifics.
>
>These vulnerabilities were discovered and researched by Alex 
>Full-Disclosure - We believe in it.
>Hosted and sponsored by Secunia -
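
Added example, not part of the original post, the quoted advisory, or any Novell code: the length arithmetic the advisory describes (a wire word sign-extended and then incremented), next to a bounds-checked copy into a 0x1C-byte buffer. The 16-bit word width, the function names and MAX_FIELD_LEN are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PW_BUF_LEN    0x1Cu   /* stack buffer size quoted in the advisory */
#define MAX_FIELD_LEN 1024u   /* assumed protocol limit, not from the advisory */

/* Flawed sizing: a wire word is sign-extended, then incremented.
 * Assumes a 16-bit word; 0xFFFF converts to -1 on mainstream compilers. */
size_t flawed_alloc_size(uint16_t wire_word)
{
    int32_t len = (int16_t)wire_word;
    return (size_t)(len + 1);          /* -1 + 1 == 0, so new(0) */
}

/* The same signed value reused as a receive length becomes enormous. */
size_t flawed_recv_len(uint16_t wire_word)
{
    int32_t len = (int16_t)wire_word;
    return (size_t)len;                /* -1 converts to SIZE_MAX */
}

/* Hardened: zero-extend, then bound by the protocol limit, the bytes
 * actually received, and the destination size before copying. */
int copy_field(uint8_t *dst, size_t dst_size,
               const uint8_t *src, size_t src_avail, uint16_t wire_word)
{
    size_t len = wire_word;            /* unsigned: never negative */
    if (len > MAX_FIELD_LEN || len > src_avail || len > dst_size)
        return -1;                     /* reject instead of truncating */
    memcpy(dst, src, len);
    return (int)len;
}

int main(void)
{
    uint8_t pw[PW_BUF_LEN];
    uint8_t pkt[64] = {0};             /* constructed sample payload */

    printf("flawed alloc size for 0xFFFF: %zu\n", flawed_alloc_size(0xFFFF));
    printf("flawed recv length for 0xFFFF: %zu\n", flawed_recv_len(0xFFFF));
    printf("checked copy, len 0x1C: %d\n", copy_field(pw, sizeof pw, pkt, sizeof pkt, 0x1C));
    printf("checked copy, len 0x1D: %d\n", copy_field(pw, sizeof pw, pkt, sizeof pkt, 0x1D));
    printf("checked copy, len 0xFFFF: %d\n", copy_field(pw, sizeof pw, pkt, sizeof pkt, 0xFFFF));
    return 0;
}
```

The allocation size and the receive length disagree only because the length is handled as a signed value; once it is zero-extended and bounded, both the heap and the stack cases fail closed.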
