#######################################################################

                             Luigi Auriemma

Application:  Novell ZENworks Configuration Management
              http://www.novell.com/products/zenworks/configurationmanagement/
Versions:     <= 11.0.0.1992
Platforms:    Windows, Linux, NetWare
Bug:          multiple format string vulnerabilities
Exploitation: remote, versus server
Date:         probably found 20 Apr 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

???

#######################################################################

======
2) Bug
======

novell-pbserv.exe is a service listening on port 998.

The function 004028a0 is used to dump the information about the
PrebootState structure received from the client.

The function builds each string correctly using snprintf, like

  snprintf(buffer, size, " PrebootStateInformation.signature ............ %s\n", our_string)

but then it passes the obtained string directly to the printf-like
logging function 00412490 without passing the needed format argument.

That happens with all the strings located in the structure:

- "PrebootStateInformation.signature ............"
- "Tree ID ................"
- "Job ID ................"

The function is used for various opcodes like 0x13, 0x46, 0x48, 0x4c,
0x6a and 0x6c.

#######################################################################

===========
3) The Code
===========

The provided proof-of-concept tests the function used by opcode 0x13:

  http://aluigi.org/poc/zenworks_4.dat

  nc SERVER 998 < zenworks_4.dat

#######################################################################

======
4) Fix
======

???

#######################################################################
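The defect described in section 2, shown beside its corrected form as an added C example that is not part of the advisory or of Novell's code: log_message stands in for the printf-like logging routine at 00412490, count_format_directives is a hypothetical defensive check, and the sample signature values are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the printf-like logging routine the advisory describes.
 * Formats into a fixed buffer and returns the number of characters. */
static char g_log[512];

static int log_message(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(g_log, sizeof g_log, fmt, ap);
    va_end(ap);
    return n;
}

const char *last_log_line(void) { return g_log; }

/* Vulnerable pattern from section 2: the snprintf result, which embeds
 * client-controlled data, becomes the format string of the log call. */
static int dump_signature_vulnerable(const char *signature)
{
    char line[256];
    snprintf(line, sizeof line,
             " PrebootStateInformation.signature ............ %s\n", signature);
    return log_message(line);          /* client data parsed as a format */
}

/* Corrected pattern: a constant "%s" is the format; the built line is data. */
static int dump_signature_fixed(const char *signature)
{
    char line[256];
    snprintf(line, sizeof line,
             " PrebootStateInformation.signature ............ %s\n", signature);
    return log_message("%s", line);    /* '%' in the line stays literal */
}

/* Defensive check: count conversion directives in data about to reach a
 * logging call ("%%" is a literal percent sign, not a directive). */
static int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample values, not data taken from a real client. */
    dump_signature_fixed("%s %s");
    printf("fixed: %s", last_log_line());
    printf("directives in input: %d\n", count_format_directives("%s %s"));
    return 0;
}
```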