ID CVE-2010-4299 Type cve Reporter cve@mitre.org Modified 2017-01-26T20:00:00
Description
Heap-based buffer overflow in ZfHIPCND.exe in Novell ZENworks 7 Handheld Management (ZHM) allows remote attackers to execute arbitrary code via a crafted request to TCP port 2400. Per the scanner advisories below, the affected service (the ZfH IP Conduit / Access Point) handles this port without authentication and runs with SYSTEM privileges, so exploitation is unauthenticated and yields full host compromise; the vendor fix is patch ZHM_635573_29102010 (ZfHIPCND.exe build 10/29/10) or later. Note that the checks below are version- and build-date-based, so a manually patched host may still be reported as affected.
{"nessus": [{"lastseen": "2019-11-01T03:00:24", "bulletinFamily": "scanner", "description": "A vulnerability exists in the server ZfHIPCND.exe, which handles the\ndata received on TCP port 2400. An attacker can overflow a buffer on a\nheap belonging to the server and possibly execute arbitrary code with\nSYSTEM privileges. Authentication is not required to exploit this\nvulnerability.", "modified": "2019-11-02T00:00:00", "id": "NOVELL_ZENWORKS_HANDHELD_MANAGEMENT_ZFHIPCND_BUFFER_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/nessus/50679", "published": "2010-11-22T00:00:00", "title": "Novell ZENworks Handheld Management ZfHIPCND.exe Unspecified Buffer Overflow", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(50679);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/11/15 20:50:27\");\n\n script_cve_id(\"CVE-2010-4299\");\n script_bugtraq_id(44700);\n\n script_name(english:\"Novell ZENworks Handheld Management ZfHIPCND.exe Unspecified Buffer Overflow\");\n script_summary(english:\"Checks the BuildDate\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is running a server that is affected by a remote heap\noverflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A vulnerability exists in the server ZfHIPCND.exe, which handles the\ndata received on TCP port 2400. An attacker can overflow a buffer on a\nheap belonging to the server and possibly execute arbitrary code with\nSYSTEM privileges. 
Authentication is not required to exploit this\nvulnerability.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-10-230/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eca60455\");\n script_set_attribute(attribute:\"solution\", value:\"Apply patch ZHM_635573_29102010 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:TF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/11/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/11/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/11/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"smb_enum_services.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\n\nfunction display_dword (dword, nox)\n{\n local_var tmp;\n\n if (isnull(nox) || (nox == FALSE))\n tmp = \"0x\";\n else\n tmp = \"\";\n\n return string (tmp,\n toupper(\n hexstr(\n raw_string(\n (dword >>> 24) & 0xFF,\n (dword >>> 16) & 0xFF,\n (dword >>> 8) & 0xFF,\n dword & 0xFF\n )\n )\n )\n );\n}\n\n# Connect to the appropriate share.\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = 
kb_smb_domain();\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL,\"IPC$\");\n}\n\n\n# Connect to remote registry.\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n audit(AUDIT_REG_FAIL);\n}\n\n\n# Check whether it's installed.\npath = NULL;\n\nkey = \"SOFTWARE\\Novell\\ZENworks\\Handheld Management\\AccessPoint\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n value = RegQueryValue(handle:key_h, item:\"InstallPath\");\n if (!isnull(value))\n {\n path = value[1];\n path = ereg_replace(pattern:\"^(.+)\\\\$\", replace:\"\\1\", string:path);\n }\n\n RegCloseKey(handle:key_h);\n}\n\nRegCloseKey(handle:hklm);\nif (isnull(path))\n{\n NetUseDel();\n exit(0, \"Novell ZENworks Handheld Management is not installed.\");\n}\n\n\n# Check the version of the main exe.\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:path);\nexe = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\ZfHIPCND.exe\", string:path);\nNetUseDel(close:FALSE);\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\nif (rc != 1)\n{\n NetUseDel();\n audit(AUDIT_SHARE_FAIL,share);\n}\n\nfh = CreateFile(\n file:exe,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n);\nif (isnull(fh))\n{\n NetUseDel();\n exit(0, \"Failed to open '\"+path+\"\\ZfHIPCND.exe'.\");\n}\n\nset_kb_item(name:\"SMB/ZENworks/ZfHIPCND/Installed\", value:TRUE);\nset_kb_item(name:\"SMB/ZENworks/ZfHIPCND/Path\", value:path);\n\nbd = NULL;\n\nver = GetFileVersion(handle:fh);\nif (isnull(ver)) version = '';\nelse\n{\n version = join(ver, sep:'.');\n set_kb_item(name:\"SMB/ZENworks/ZfHIPCND/Version\", value:version);\n}\n\nret = GetFileVersionEx(handle:fh);\nif 
(!isnull(ret)) children = ret['Children'];\nif (!isnull(children))\n{\n varfileinfo = children['VarFileInfo'];\n if (!isnull(varfileinfo))\n {\n translation =\n (get_word(blob:varfileinfo['Translation'], pos:0) << 16) +\n get_word(blob:varfileinfo['Translation'], pos:2);\n translation = tolower(display_dword(dword:translation, nox:TRUE));\n }\n stringfileinfo = children['StringFileInfo'];\n if (!isnull(stringfileinfo) && !isnull(translation))\n {\n data = stringfileinfo[translation];\n if (!isnull(data)) bd = data['BuildDate'];\n }\n}\nCloseFile(handle:fh);\nNetUseDel();\n\nif (isnull(bd)) exit(1, \"Failed to get the build date of '\"+(share-'$')+\":\"+exe+\"'.\");\n\nset_kb_item(name:\"SMB/ZENworks/ZfHIPCND/BuildDate\", value:bd);\n\n\n# Check the build date.\npat = \"Build ([0-9][0-9])/([0-9][0-9])/([0-9][0-9])\";\n\nmatch = eregmatch(pattern:pat, string:bd);\nif (!match) exit(1, \"Failed to parse the build date (\"+bd+\").\");\n\nmonth = int(match[1]);\nday = int(match[2]);\nyear = int(match[3]);\n\nif (version) installed_version = version + ' ' + bd;\nelse installed_version = bd;\n\nfixed_version = '7.0.2.01029 Build 10/29/10 16:23';\nfixed_builddate = strstr(fixed_version, 'Build ');\n\nmatch = eregmatch(pattern:pat, string:fixed_builddate);\nif (!match) exit(1, \"Failed to parse the build date (\"+fixed_builddate+\").\");\nfixed_month = int(match[1]);\nfixed_day = int(match[2]);\nfixed_year = int(match[3]);\n\nif (\n year < fixed_year ||\n (\n year == fixed_year &&\n (\n month < fixed_month ||\n (month == fixed_month && day < fixed_day)\n )\n )\n)\n{\n if (report_paranoia < 2)\n {\n status = get_kb_item_or_exit(\"SMB/svc/ZENworks for Handhelds IP Conduit\");\n if (status != SERVICE_ACTIVE)\n exit(0, \"The host is not affected since the Access Point service is not active even though its version is \"+installed_version+\".\");\n }\n\n if (report_verbosity > 0)\n {\n report =\n '\\n File : ' + path + \"\\ZfHIPCND.exe\" +\n '\\n Installed version : ' + 
installed_version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n}\nelse exit(0, \"The host is not affected since the version of the Access Point process is \"+installed_version+\".\");\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:40:09", "bulletinFamily": "scanner", "description": "This host is installed with Novell ZENworks Handheld Management\n and is prone to buffer overflow vulnerability.", "modified": "2018-12-05T00:00:00", "published": "2010-11-30T00:00:00", "id": "OPENVAS:1361412562310801645", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801645", "title": "Novell ZENworks Handheld Management 'ZfHIPCND.exe' Buffer Overflow Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_novell_zhm_bof_vuln.nasl 12674 2018-12-05 15:13:45Z cfischer $\n#\n# Novell ZENworks Handheld Management 'ZfHIPCND.exe' Buffer Overflow Vulnerability\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801645\");\n script_version(\"$Revision: 12674 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-12-05 16:13:45 +0100 (Wed, 05 Dec 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-11-30 12:42:12 +0100 (Tue, 30 Nov 2010)\");\n script_bugtraq_id(44700);\n script_cve_id(\"CVE-2010-4299\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Novell ZENworks Handheld Management 'ZfHIPCND.exe' Buffer Overflow Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/42130\");\n script_xref(name:\"URL\", value:\"http://www.securitytracker.com/id?1024691\");\n script_xref(name:\"URL\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-10-230/\");\n script_xref(name:\"URL\", value:\"http://www.novell.com/support/viewContent.do?externalId=7007135\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"gb_novell_zhm_detect.nasl\");\n script_mandatory_keys(\"Novell/ZHM/Ver\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote attackers to execute arbitrary\n code with SYSTEM privileges or cause denial of service.\");\n\n script_tag(name:\"affected\", value:\"Novell ZENworks Handheld Management 7\");\n\n script_tag(name:\"insight\", value:\"The flaw exists within module 'ZfHIPCND.exe', which allows remote attackers\n to 
execute arbitrary code via a crafted request to TCP port 2400.\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Novell ZENworks Handheld Management\n and is prone to buffer overflow vulnerability.\");\n\n script_tag(name:\"solution\", value:\"Apply the patch, available via the referenced links.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://download.novell.com/Download?buildid=Sln2Lkqslmk~\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nzhmVer = get_kb_item(\"Novell/ZHM/Ver\");\n\nif(zhmVer)\n{\n if(version_in_range(version:zhmVer, test_version:\"7.0\", test_version2:\"7.0.2.61213\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-02T21:09:56", "bulletinFamily": "scanner", "description": "This host is installed with Novell ZENworks Handheld Management\n and is prone to buffer overflow vulnerability.", "modified": "2017-02-17T00:00:00", "published": "2010-11-30T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=801645", "id": "OPENVAS:801645", "title": "Novell ZENworks Handheld Management 'ZfHIPCND.exe' Buffer Overflow Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_novell_zhm_bof_vuln.nasl 5323 2017-02-17 08:49:23Z teissa $\n#\n# Novell ZENworks Handheld Management 'ZfHIPCND.exe' Buffer Overflow Vulnerability\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that 
it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_solution = \"Apply the patch, available from below link,\n http://download.novell.com/Download?buildid=Sln2Lkqslmk~\n\n *****\n NOTE: Ignore this warning, if above mentioned patch is manually applied.\n *****\";\n\ntag_impact = \"Successful exploitation could allow remote attackers to execute arbitrary\n code with SYSTEM privileges or cause denial of service.\n Impact Level: Application/System\";\ntag_affected = \"Novell ZENworks Handheld Management 7\";\ntag_insight = \"The flaw exists within module 'ZfHIPCND.exe', which allows remote attackers\n to execute arbitrary code via a crafted request to TCP port 2400.\";\ntag_summary = \"This host is installed with Novell ZENworks Handheld Management\n and is prone to buffer overflow vulnerability.\";\n\nif(description)\n{\n script_id(801645);\n script_version(\"$Revision: 5323 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-17 09:49:23 +0100 (Fri, 17 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-11-30 12:42:12 +0100 (Tue, 30 Nov 2010)\");\n script_bugtraq_id(44700);\n script_cve_id(\"CVE-2010-4299\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Novell ZENworks Handheld Management 'ZfHIPCND.exe' Buffer Overflow Vulnerability\");\n\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/42130\");\n script_xref(name : \"URL\" , value : 
\"http://www.securitytracker.com/id?1024691\");\n script_xref(name : \"URL\" , value : \"http://www.zerodayinitiative.com/advisories/ZDI-10-230/\");\n script_xref(name : \"URL\" , value : \"http://www.novell.com/support/viewContent.do?externalId=7007135\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"gb_novell_zhm_detect.nasl\");\n script_require_keys(\"Novell/ZHM/Ver\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n## Get version from KB\nzhmVer = get_kb_item(\"Novell/ZHM/Ver\");\n\nif(zhmVer)\n{\n ##Grep for Novell ZENworks Handheld Management 7\n if(version_in_range(version:zhmVer, test_version:\"7.0\", test_version2:\"7.0.2.61213\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}