Message-ID: <200505191843.j4JIhTtY026102@mailserver3.hushmail.com>
Date: Thu, 19 May 2005 11:43:25 -0700
From: <bart2k@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>, <bugtraq@...urityfocus.com>,
<list@...0te.com>
Subject: Re: NOVELL ZENWORKS MULTIPLE REMXXTE STACK & HEAP OVERFLOWS
Hey, is it just me or is this vulnerability accessible via UDP?
If I'm reading this correctly then it would make an interesting
worm PoC for these folks:
http://www.novell.com/servlet/CRS?reference_name=&op=%25&Action=Start+Search&Submit=Start+Search&source=novl&full_text_limit=showcase_verbiage+%2C+press_release&MaxRows=0&product=0&&solutions=0&
Feel free to correct me if I have read this advisory wrong
Thx
On Wed, 18 May 2005 14:07:53 -0700 list@...0te.com wrote:
>Date
>May 18, 2005
>
>Vulnerabilities
>Novell ZENworks provides Remote Management capabilities to large
>networks. In order to manage remote nodes ZENworks implements an
>authentication protocol to verify the requestor is authorized for
>a transaction. This authentication protocol contains several stack
>and heap overflows that can be triggered by an unauthenticated
>remote attacker to obtain control of the system that requires
>authentication. These overflows are the result of unchecked copy
>values, sign misuse, and integer wraps.
>
>There are several arbitrary heap overflows with no character
>restrictions that are the result of integer wraps. These integer
>wraps occur because words from the network are sign extended and
>then incremented. The results of these calculations are passed to
>new(0). Input of -1 to these calculations will result in small
>memory allocations and negative length receives to overflow the
>allocated memory.
>
>There is an arbitrary stack overflow with no character
>restrictions in the authentication negotiation for type 1
>authentication requests. The stack overflow is a result of an
>unchecked password length used as the copy length for the password
>to a stack variable only 0x1C bytes long.
>
>There are several arbitrary stack overflows with no character
>restrictions in the authentication negotiation for type 2
>authentication requests. All are the result of unchecked lengths
>being used to copy arbitrary network data to an argument that is a
>stack variable of the caller. These lengths also contain integer
>wraps and sign misuse issues.
>
>Impact
>Successful exploitation of ZENworks allows attackers unauthorized
>control of related data and privileges on the machine and network.
>It also provides attackers leverage for further network
>compromise. Most likely the ZENworks implementation will be
>vulnerable in its default configuration.
>
>Affected Products
>All versions of Novell ZENworks are vulnerable. If the
>authentication negotiation is used in other products, they are
>also likely to be vulnerable. Refer to Novell for specifics.
>
>Advisories:
>http://www.rem0te.com/public/images/zen.pdf
>http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097644.htm
>
>Credit
>These vulnerabilities were discovered and researched by Alex
>Wheeler.
>
>Contact
>security@...0te.com
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
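The quoted advisory describes two length-handling defects: a 16-bit word from the network is sign extended, incremented and handed to the allocator (so 0xFFFF becomes -1, then 0, giving a tiny allocation that a negative-length receive overruns), and a type 1 password length is used unchecked as the copy length into a 0x1C-byte stack variable. The C below is an added example written for this archive page; it is not code from the rem0te advisory or from Novell ZENworks, and the function names, the MAX_FIELD_LEN cap and the sample bytes are hypothetical. It models each wrap-prone computation beside a checked form so the arithmetic and the missing bounds check can be seen directly.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example; not rem0te's advisory code or Novell's ZENworks code.
 * Models the length-handling mistakes the advisory describes (sign extension
 * of a 16-bit wire word, increment, use as an allocation or copy length)
 * next to a checked form. Names and MAX_FIELD_LEN are hypothetical;
 * PASSWORD_BUF_LEN is the 0x1C byte size the advisory cites. */

#define PASSWORD_BUF_LEN 0x1C   /* stack variable size named in the advisory */
#define MAX_FIELD_LEN    4096   /* assumed protocol cap used by the checked path */

/* Wrap-prone decode: the 16-bit word is read as signed (sign extended), then
 * incremented, and the result is handed to the allocator. 0xFFFF becomes -1,
 * and -1 + 1 == 0, so the allocation is tiny. */
long wrap_prone_alloc_len(int16_t wire_word)
{
    int len = wire_word;   /* sign extension happens here */
    len += 1;              /* integer wrap: -1 + 1 == 0 */
    return len;
}

/* The same signed word reused as a receive length: converted to size_t it is
 * enormous, so a receive into the tiny allocation above overruns it. */
size_t wrap_prone_recv_len(int16_t wire_word)
{
    return (size_t)(long)wire_word;   /* -1 becomes SIZE_MAX */
}

/* Checked decode: read the word unsigned, reject zero and anything over the
 * protocol cap, and only then add room for a terminator. Returns -1 on
 * reject, otherwise the byte count to allocate. Cannot wrap: bounded before
 * the add. */
long checked_alloc_len(uint16_t wire_word)
{
    size_t len = wire_word;
    if (len == 0 || len > MAX_FIELD_LEN)
        return -1;
    return (long)(len + 1);
}

/* Type 1 password copy, unchecked form: the claimed length is the copy length
 * into a PASSWORD_BUF_LEN-byte stack variable. Returns 1 when the copy would
 * run past the buffer. No copy is performed here. */
int password_copy_overflows(size_t claimed_len)
{
    return claimed_len > PASSWORD_BUF_LEN;
}

/* Checked form: refuse input that does not fit with its terminator.
 * Returns 0 on success, -1 when rejected. */
int copy_password_checked(char *dst, size_t dst_len,
                          const uint8_t *src, size_t src_len)
{
    if (src_len >= dst_len)
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Drives the checked copy against a constructed password field of the given
 * length (all 'A' bytes) so the outcome can be observed without a
 * caller-owned buffer. Returns the copy's result code. */
int password_copy_result(size_t claimed_len)
{
    char stack_var[PASSWORD_BUF_LEN];
    uint8_t field[64];                      /* constructed input */
    if (claimed_len > sizeof field)
        return -1;
    memset(field, 'A', sizeof field);
    return copy_password_checked(stack_var, sizeof stack_var,
                                 field, claimed_len);
}

int main(void)
{
    printf("0xFFFF wire word, wrap-prone alloc len: %ld\n",
           wrap_prone_alloc_len((int16_t)-1));
    printf("same word as recv len: %zu\n", wrap_prone_recv_len((int16_t)-1));
    printf("0xFFFF wire word, checked alloc len: %ld\n",
           checked_alloc_len(0xFFFF));
    printf("0x10 password field: checked copy %d, unchecked overflows %d\n",
           password_copy_result(0x10), password_copy_overflows(0x10));
    printf("0x40 password field: checked copy %d, unchecked overflows %d\n",
           password_copy_result(0x40), password_copy_overflows(0x40));
    return 0;
}
```

The checked paths share one design rule that both bug classes in the advisory violate: treat every wire-supplied length as untrusted and unsigned, compare it against a fixed upper bound before doing any arithmetic on it, and fail the request rather than clamp or truncate, so a rejected length can be logged at the point of parsing instead of surfacing later as a corrupted allocation.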