#######################################################################

                             Luigi Auriemma

Application:  Novell ZENworks Configuration Management
              http://www.novell.com/products/zenworks/configurationmanagement/
Versions:     <= 11.0.0.1992
Platforms:    Windows, Linux, NetWare
Bug:          multiple format string vulnerabilities
Exploitation: remote, versus server
Date:         probably found 20 Apr 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

???

#######################################################################

======
2) Bug
======

novell-pbserv.exe is a service listening on port 998.

The function 00402af0 is used to dump the information about the
Workstation structure received from the client.

The function builds each string correctly using snprintf, like

  snprintf(buffer, size, "WorkstationInformation.signature ............ %s\n", our_string)

but then it passes the resulting buffer directly to the printf-like
logging function 00412490 without passing the needed format argument,
so the client-controlled bytes in the buffer are parsed as format
directives.

That happens with all the strings located in the structure:

- "WorkstationInformation.signature ............"
- "WorkstationInformation.Chipset .............."
- "WorkstationInformation.Video ................"
- "WorkstationInformation.Network .............."
- "WorkstationInformation.Soundcard ............"
- "WorkstationInformation.Diskcontroller ......."
- "WorkstationInformation.BiosAssetTag ........."
- "WorkstationInformation.BiosSerialnumber ....."
- "WorkstationInformation.BiosVersion .........."
- "WorkstationInformation.SystemManufacturer ..."
- "WorkstationInformation.ProductName .........."

The function is used for the opcodes 0x13, 0x44, 0x46 and 0x6c.
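The following is an added example, not Novell's code and not part of the original advisory. It reproduces the pattern described above in portable C: a printf-like logger (log_line, a stand-in for function 00412490 that formats into a caller buffer instead of a log file), the vulnerable call site that hands the snprintf'd line to the logger as its format string, and the fixed call site that passes a constant "%s" format. The function names and the sample field values are assumptions. To keep the demonstration well-defined, the differing input uses only the escaped "%%" sequence, which printf consumes without reading any argument; it still shows that the client's bytes reach the format parser on the vulnerable path and not on the fixed one. has_format_directive() is the oracle a test harness would use to flag field values that would be mis-parsed.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the printf-like logging function the advisory describes
   (assumption: the real one writes to a log; this one formats into 'out'
   so the result can be inspected and compared). */
static int log_line(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern from the advisory: the field is formatted safely with
   snprintf, but the finished line (which now contains client-controlled
   bytes) is then handed to the logger as its FORMAT argument. */
int dump_signature_vulnerable(const char *client_value, char *out, size_t outsz)
{
    char line[256];

    snprintf(line, sizeof line,
             "WorkstationInformation.signature ............ %s\n", client_value);
    return log_line(out, outsz, line);      /* BUG: 'line' is parsed for directives */
}

/* Fixed pattern: the format is a constant and the built line is only ever
   an argument, so client bytes are never interpreted as directives. */
int dump_signature_fixed(const char *client_value, char *out, size_t outsz)
{
    char line[256];

    snprintf(line, sizeof line,
             "WorkstationInformation.signature ............ %s\n", client_value);
    return log_line(out, outsz, "%s", line);
}

/* Audit helper: does a string contain a '%' that printf would treat as the
   start of a conversion (anything other than the escaped "%%")?  Useful as
   an oracle when feeding field values through the logging path in a test. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Returns 1 if the two logging paths produce different output for the same
   client value, 0 if they agree (ordinary values contain no '%', which is
   why the bug is invisible in normal operation). */
int lines_differ(const char *client_value)
{
    char vuln[512], fixed[512];

    dump_signature_vulnerable(client_value, vuln, sizeof vuln);
    dump_signature_fixed(client_value, fixed, sizeof fixed);
    return strcmp(vuln, fixed) != 0;
}

int main(void)
{
    /* constructed sample values, not taken from real ZENworks traffic */
    const char *benign  = "ACME-1234";
    const char *escaped = "100%%";   /* well-defined for printf, yet changes the log line */
    char buf[512];

    dump_signature_vulnerable(benign, buf, sizeof buf);
    printf("benign, vulnerable path : %s", buf);
    dump_signature_fixed(benign, buf, sizeof buf);
    printf("benign, fixed path      : %s", buf);

    dump_signature_vulnerable(escaped, buf, sizeof buf);
    printf("escaped, vulnerable path: %s", buf);   /* ends in "100%" */
    dump_signature_fixed(escaped, buf, sizeof buf);
    printf("escaped, fixed path     : %s", buf);   /* ends in "100%%" */

    printf("has_format_directive(\"50%% off\") = %d\n", has_format_directive("50% off"));
    return 0;
}
```

In a real code base the same defect is caught at compile time by declaring the logger with __attribute__((format(printf, 3, 4))) and building with -Wformat-security, which warns on any call whose format argument is not a string literal; the vulnerable call above would be flagged and the fixed one would not.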
#######################################################################

===========
3) The Code
===========

The provided proof-of-concept tests the function used by opcode 0x13:

  http://aluigi.org/poc/zenworks_2.dat

  nc SERVER 998 < zenworks_2.dat

#######################################################################

======
4) Fix
======

???

#######################################################################