lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 19 May 2005 11:43:25 -0700
From: <bart2k@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>, <bugtraq@...urityfocus.com>,
	<list@...0te.com>
Subject: Re: NOVELL ZENWORKS MULTIPLE REMXXTE STACK & HEAP
	OVERFLOWS


Hey is it just me is this vulnerbaility accessible via UDP !

If I'm reading this correctly then it would make an interesting 
worm PoC for these folks:

http://www.novell.com/servlet/CRS?reference_name=&-
op=%25&Action=Start+Search&Submit=Start+Search&source=novl&full_text
_limit=showcase_verbiage+%2C+press_release&MaxRows=0&product=0&&solu
tions=0& 

Feel free to correct me if I have read this advisory wrong

Thx


On Wed, 18 May 2005 14:07:53 -0700 list@...0te.com wrote:
>Date
>May 18, 2005
>
>Vulnerabilities
>Novell ZENworks provides Remote Management capabilities to large 
>networks. In order to manage remote nodes ZENworks implements an 
>authentication protocol to verify the requestor is authorized for 
>a transaction. This authentication protocol contains several stack 

>and heap overflows that can be triggered by an unauthenticated 
>remote attacker to obtain control of the system that requires 
>authentication. These overflows are the result of unchecked copy 
>values, sign misuse, and integer wraps. 
>
>There are several arbitrary heap overflows with no character 
>restrictions that are the result of integer wraps. These integer 
>wraps occur because words from the network are sign extended and 
>then incremented. The results of these calculations are passed to 
>new(0). Input of -1 to these calculations will result in small 
>memory allocations and negative length receives to overflow the 
>allocated memory.
>
>There is an arbitrary stack overflow with no character 
>restrictions in the authentication negotiation for type 1 
>authentication requests. The stack overflow is a result of an 
>unchecked password length used as the copy length for the password 

>to a stack variable only 0x1C bytes long.
>
>There are several arbitrary stack overflows with no character 
>restrictions in the authentication negotiation for type 2 
>authentication requests. All are the result of unchecked lengths 
>being used to copy arbitrary network data to an argument that is a 

>stack variable of the caller. These lengths also contain integer 
>wraps and sign misuse issues.
>
>Impact
>Successful exploitation of ZENworks allows attackers unauthorized 
>control of related data and privileges on the machine and network. 

>It also provides attackers leverage for further network 
>compromise. Most likely the ZENworks implementation will be 
>vulnerable in its default configuration.
>
>Affected Products
>All versions of Novell ZENworks are vulnerable. If the 
>authentication negotiation is used in other products, they are 
>also likely to be vulnerable. Refer to Novell for specifics.
>
>Advisories:
>http://www.rem0te.com/public/images/zen.pdf
>http://support.novell.com/cgi-
>bin/search/searchtid.cgi?/10097644.htm
>
>Credit
>These vulnerabilities were discovered and researched by Alex 
>Wheeler.
>
>Contact
>security@...0te.com 
>
>
>
>
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/



Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about-affiliate?l=427

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists