ID SECURITYVULNS:DOC:8662 Type securityvulns Reporter Securityvulns Modified 2005-05-19T00:00:00
Description
Date
May 18, 2005
Vulnerabilities
Novell ZENworks provides Remote Management capabilities to large networks. In order to manage remote nodes ZENworks implements an authentication protocol to verify the requestor is authorized for a transaction. This authentication protocol contains several stack and heap overflows that can be triggered by an unauthenticated remote attacker to obtain control of the system that requires authentication. These overflows are the result of unchecked copy values, sign misuse, and integer wraps.
There are several arbitrary heap overflows with no character restrictions that are the result of integer wraps. These integer wraps occur because words from the network are sign extended and then incremented. The results of these calculations are passed to new(0). Input of -1 to these calculations will result in small memory allocations and negative length receives to overflow the allocated memory.
There is an arbitrary stack overflow with no character restrictions in the authentication negotiation for type 1 authentication requests. The stack overflow is a result of an unchecked password length used as the copy length for the password to a stack variable only 0x1C bytes long.
There are several arbitrary stack overflows with no character restrictions in the authentication negotiation for type 2 authentication requests. All are the result of unchecked lengths being used to copy arbitrary network data to an argument that is a stack variable of the caller. These lengths also contain integer wraps and sign misuse issues.
Impact
Successful exploitation of ZENworks allows attackers unauthorized control of related data and privileges on the machine and network. It also provides attackers leverage for further network compromise. Most likely the ZENworks implementation will be vulnerable in its default configuration.
Affected Products
All versions of Novell ZENworks are vulnerable. If the authentication negotiation is used in other products, they are also likely to be vulnerable. Refer to Novell for specifics.
Credit
These vulnerabilities were discovered and researched by Alex Wheeler.
Contact
security@rem0te.com
{"id": "SECURITYVULNS:DOC:8662", "bulletinFamily": "software", "title": "NOVELL ZENWORKS MULTIPLE REMOTE STACK & HEAP OVERFLOWS", "description": "Date\r\nMay 18, 2005\r\n\r\nVulnerabilities\r\nNovell ZENworks provides Remote Management capabilities to large networks. In order to manage remote nodes ZENworks implements an authentication protocol to verify the requestor is authorized for a transaction. This authentication protocol contains several stack and heap overflows that can be triggered by an unauthenticated remote attacker to obtain control of the system that requires authentication. These overflows are the result of unchecked copy values, sign misuse, and integer wraps.\r\n\r\nThere are several arbitrary heap overflows with no character restrictions that are the result of integer wraps. These integer wraps occur because words from the network are sign extended and then incremented. The results of these calculations are passed to new(0). Input of -1 to these calculations will result in small memory allocations and negative length receives to overflow the allocated memory.\r\n\r\nThere is an arbitrary stack overflow with no character restrictions in the authentication negotiation for type 1 authentication requests. The stack overflow is a result of an unchecked password length used as the copy length for the password to a stack variable only 0x1C bytes long.\r\n\r\nThere are several arbitrary stack overflows with no character restrictions in the authentication negotiation for type 2 authentication requests. All are the result of unchecked lengths being used to copy arbitrary network data to an argument that is a stack variable of the caller. These lengths also contain integer wraps and sign misuse issues.\r\n\r\nImpact\r\nSuccessful exploitation of ZENworks allows attackers unauthorized control of related data and privileges on the machine and network. It also provides attackers leverage for further network compromise. Most likely the ZENworks implementation will be vulnerable in its default configuration.\r\n\r\nAffected Products\r\nAll versions of Novell ZENworks are vulnerable. If the authentication negotiation is used in other products, they are also likely to be vulnerable. Refer to Novell for specifics.\r\n\r\nAdvisories:\r\nhttp://www.rem0te.com/public/images/zen.pdf\r\nhttp://support.novell.com/cgi-bin/search/searchtid.cgi?/10097644.htm\r\n\r\nCredit\r\nThese vulnerabilities were discovered and researched by Alex Wheeler.\r\n\r\nContact\r\nsecurity@rem0te.com\r\n\r\n\r\n\r\n\r\n\r\n", "published": "2005-05-19T00:00:00", "modified": "2005-05-19T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:8662", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:12", "edition": 1, "viewCount": 0, "enchantments": {"score": {"value": 7.4, "vector": "NONE", "modified": "2018-08-31T11:10:12", "rev": 2}, "dependencies": {"references": [{"type": "mskb", "idList": ["KB4011200"]}, {"type": "apple", "idList": ["APPLE:HT210353", "APPLE:HT210348", "APPLE:HT210351", "APPLE:HT210346"]}, {"type": "cve", "idList": ["CVE-2014-2595", "CVE-2019-8662", "CVE-2015-9286", "CVE-2008-7273", "CVE-2008-7272"]}, {"type": "zdt", "idList": ["1337DAY-ID-33484", "1337DAY-ID-33057"]}, {"type": "exploitdb", "idList": ["EDB-ID:47608", "EDB-ID:47189"]}, {"type": "threatpost", "idList": ["THREATPOST:B84F22695A74E8F253EEEB07BE113A5B"]}, {"type": "thn", "idList": ["THN:41F66983564CEDB5C54CCEB8BE4F793F"]}, {"type": "nessus", "idList": ["MACOS_10_14_6.NASL", "MACOSX_SECUPD2019-004.NASL", "APPLETV_12_4.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310815425"]}], "modified": "2018-08-31T11:10:12", "rev": 2}, "vulnersScore": 7.4}, "affectedSoftware": []}
{"rst": [{"lastseen": "2021-03-02T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **https://ngo[.]edusprit.com/e0ix7dxta.zip** in [RST Threat Feed](https://rstcloud.net/profeed) with score **41**.\n First seen: 2021-02-01T03:00:00, Last seen: 2021-03-02T03:00:00.\n IOC tags: **malware**.\nIt was found that the IOC is used by: **dridex**.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-01T00:00:00", "id": "RST:7B65185B-8662-3656-8D06-31EB8C7E971B", "href": "", "published": "2021-03-03T00:00:00", "title": "RST Threat feed. IOC: https://ngo.edusprit.com/e0ix7dxta.zip", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-02T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **47[.]150.182.156** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **12**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-03-02T03:00:00.\n IOC tags: **generic**.\nASN 5650: (First IP 47.143.160.0, Last IP 47.151.225.255).\nASN Name \"FRONTIERFRTR\" and Organisation \"Frontier Communications of America Inc\".\nASN hosts 25843 domains.\nGEO IP information: City \"Victorville\", Country \"United States\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:3D22AFD6-1CA5-3938-8662-E67CDEA77DEF", "href": "", "published": "2021-03-03T00:00:00", "title": "RST Threat feed. IOC: 47.150.182.156", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-02T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **185[.]247.228.29** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **2**.\n First seen: 2020-01-02T03:00:00, Last seen: 2021-03-02T03:00:00.\n IOC tags: **malware**.\nASN 137443: (First IP 185.247.228.0, Last IP 185.247.228.255).\nASN Name \"ANCHGLOBALASAP\" and Organisation \"Anchnet Asia Limited\".\nASN hosts 436948 domains.\nGEO IP information: City \"\", Country \"Hong Kong\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-01-02T00:00:00", "id": "RST:194ED932-EDE5-3524-8662-1B6C0BC5F4B9", "href": "", "published": "2021-03-03T00:00:00", "title": "RST Threat feed. IOC: 185.247.228.29", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-02T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **190[.]186.76.19** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **12**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-03-02T03:00:00.\n IOC tags: **generic**.\nASN 25620: (First IP 190.186.0.0, Last IP 190.186.189.255).\nASN Name \"COTAS\" and Organisation \"LTDA\".\nASN hosts 611 domains.\nGEO IP information: City \"Santa Cruz\", Country \"Bolivia\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:5654340D-8DBD-3C7F-8662-F77B0C3C301F", "href": "", "published": "2021-03-03T00:00:00", "title": "RST Threat feed. IOC: 190.186.76.19", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-02T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **178[.]62.63.15** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **10**.\n First seen: 2020-10-26T03:00:00, Last seen: 2021-03-02T03:00:00.\n IOC tags: **shellprobe, generic**.\nASN 14061: (First IP 178.62.10.58, Last IP 178.62.155.78).\nASN Name \"DIGITALOCEANASN\" and Organisation \"DigitalOcean LLC\".\nThis IP is a part of \"**digitalocean**\" address pools.\nASN hosts 3348428 domains.\nGEO IP information: City \"London\", Country \"United Kingdom\".\nIOC could be a **False Positive** (Cloud provider IP).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-10-26T00:00:00", "id": "RST:F116B209-597B-34A2-8662-64AD0E607BD5", "href": "", "published": "2021-03-03T00:00:00", "title": "RST Threat feed. IOC: 178.62.63.15", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-02T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **81[.]69.196.156** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **12**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-03-02T03:00:00.\n IOC tags: **generic**.\nASN 45090: (First IP 81.68.0.0, Last IP 81.71.255.255).\nASN Name \"CNNICTENCENTNETAP\" and Organisation \"Shenzhen Tencent Computer Systems Company Limited\".\nASN hosts 483346 domains.\nGEO IP information: City \"\", Country \"China\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:85D324F5-FAFB-3DCB-8662-52381E25B837", "href": "", "published": "2021-03-03T00:00:00", "title": "RST Threat feed. IOC: 81.69.196.156", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-02T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **91[.]143.81.212** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **7**.\n First seen: 2020-08-11T03:00:00, Last seen: 2021-03-02T03:00:00.\n IOC tags: **tor_node**.\nASN 35366: (First IP 91.143.80.0, Last IP 91.143.95.255).\nASN Name \"ISPPROAS\" and Organisation \"ISPPROAS covers the networks of ISPpro\".\nASN hosts 15023 domains.\nGEO IP information: City \"\", Country \"Germany\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-08-11T00:00:00", "id": "RST:FE42031C-A801-313A-8662-F70E8638D9EB", "href": "", "published": "2021-03-03T00:00:00", "title": "RST Threat feed. IOC: 91.143.81.212", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-02T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **aksigortaileindirimler[.]tk** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2021-03-02T03:00:00, Last seen: 2021-03-02T03:00:00.\n IOC tags: **malware**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-03-02T00:00:00", "id": "RST:ACC49DE2-8662-3A05-B979-EA482FFB99F0", "href": "", "published": "2021-03-03T00:00:00", "title": "RST Threat feed. IOC: aksigortaileindirimler.tk", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-02T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **http://209[.]141.48.55/powerpc** in [RST Threat Feed](https://rstcloud.net/profeed) with score **43**.\n First seen: 2021-02-04T03:00:00, Last seen: 2021-03-02T03:00:00.\n IOC tags: **malware**.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-04T00:00:00", "id": "RST:43A9B905-F8F5-34C6-8662-1EEFD478D486", "href": "", "published": "2021-03-03T00:00:00", "title": "RST Threat feed. IOC: http://209.141.48.55/powerpc", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-02T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **extuernkal[.]tk** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2019-12-15T03:00:00, Last seen: 2021-03-02T03:00:00.\n IOC tags: **spam**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-15T00:00:00", "id": "RST:6811A0CB-4DAD-3928-8662-937FA69A2D8B", "href": "", "published": "2021-03-03T00:00:00", "title": "RST Threat feed. IOC: extuernkal.tk", "type": "rst", "cvss": {}}]}
