#######################################################################

                             Luigi Auriemma

Application:  Novell ZenWorks Configuration Management
              http://www.novell.com/products/zenworks/configurationmanagement/
Versions:     <= 11.0.0.1992
Platforms:    Windows, Linux, NetWare
Bug:          format string
Exploitation: remote, versus server
Date:         probably found 20 Apr 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


???


#######################################################################

======
2) Bug
======


novell-pbserv.exe is a service listening on port 998.

The function 004025F0 takes an input unicode string, converts it to char
and logs it using the printf-like function 00412490 without passing the
needed format argument, so the client-supplied string itself becomes the
format.

It's used in various opcodes to display the string provided by the
client and so it's exploitable at multiple points.
The following is the example for opcode 0x06 (PROXY_CMD_CLEAR_WS):

  00409B53  |> 68 90744200    PUSH novell-p.00427490   ; "[PCCWS] DN = "
  00409B58  |. E8 33890000    CALL novell-p.00412490
  00409B5D  |. 8D5424 20      LEA EDX,DWORD PTR SS:[ESP+20]
  00409B61  |. 52             PUSH EDX                 ; our unicode string
  00409B62  |. E8 898AFFFF    CALL novell-p.004025F0   ; vulnerable function

The opcodes that use this function are 0x06, 0x13, 0x37, 0x44, 0x4a,
0x4c, 0x6c and maybe others.


#######################################################################

===========
3) The Code
===========


The provided proof-of-concepts test the first 4 opcodes listed before:

  http://aluigi.org/poc/zenworks_1.zip

  nc SERVER 998 < zenworks_1?.dat


#######################################################################

======
4) Fix
======


???


#######################################################################
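An added illustration of the pattern described in section 2, written for this page and not taken from the advisory or from Novell's code: a stand-in for the printf-like logger, the unsafe call that hands the client's narrowed string over as the format, the hardened call that passes it as a %s argument, and a check a defender can run on the DN field to flag input carrying format directives. The logger name, the buffer size and the naive UTF-16LE narrowing are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the printf-like logger at 00412490; it formats
   into a fixed buffer so the result can be inspected. */
char log_buf[256];

static int log_printf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(log_buf, sizeof log_buf, fmt, ap);
    va_end(ap);
    return n;
}

/* Naive UTF-16LE narrowing (keep the low byte of each code unit): '%' survives. */
size_t narrow_utf16le(const unsigned char *in, size_t in_len, char *out, size_t out_sz)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < in_len && n + 1 < out_sz; i += 2)
        out[n++] = (char)in[i];
    out[n] = '\0';
    return n;
}

/* The pattern described for 004025F0: the client string is the format itself,
   so any directive in it is interpreted. Shown for contrast; never called. */
int log_client_string_unsafe(const char *client)
{
    return log_printf(client);
}

/* Hardened form: the format is a literal and the client string is data. */
int log_client_string_safe(const char *client)
{
    return log_printf("[PCCWS] DN = %s", client);
}

/* Count '%' conversions in untrusted input ("%%" is a literal percent);
   a non-zero count on a DN field is a useful alert signal for this bug. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++)
        if (*s == '%') { if (s[1] == '%') s++; else n++; }
    return n;
}
```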