PRL-2011-02

#####################################################################################

Application:   Novell ZenWorks 10 & 11 TFTPD Remote Code Execution Vulnerability

Platforms:   Windows

Exploitation:   Remote code execution

CVE Number:   CVE-2010-4323

Novell TID:   7007896

ZDI number:   ZDI-11-089

{PRL}:   2011-02

Author:   Francis Provencher (Protek Research Lab’s)

WebSite:   http://www.protekresearchlab.com/

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

Novell, Inc. is a global software and services company based in Waltham, Massachusetts.
The company specializes in enterprise operating systems, such as SUSE Linux Enterprise
and Novell NetWare; identity, security, and systems management solutions;
and collaboration solutions, such as Novell Groupwise and Novell Pulse.
Novell was instrumental in making the Utah Valley a focus for technology and software
development. Novell technology contributed to the emergence of local area networks,
which displaced the dominant mainframe computing model and changed computing worldwide.
Today, a primary focus of the company is on developing open source software for
Enterprise clients.

(http://en.wikipedia.org/wiki/Novell)

#####################################################################################

============================
2) Report Timeline
============================

2010-08-23 – Vulnerability reported to vendor
2011-02-17 – Coordinated public release of advisory

#####################################################################################

====================
3) Technical details
====================
This vulnerability allows remote attackers to execute arbitrary code on vulnerable
installations of Novell Zenworks Configuration Manager. Authentication is not required
to exploit this vulnerability. The flaw exists within the novell-tftp.exe component, which
listens by default on UDP port 69. When handling a request, the process blindly copies
user-supplied data into a fixed-length buffer on the heap. A remote attacker can exploit
this vulnerability to execute arbitrary code under the context of the ZenWorks user.
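
Added example, not part of the original advisory and not Novell's code: a bounds-checked parser for a TFTP read/write request, showing the length validation that the copy described above lacks. The advisory does not say which request field is copied, so this generalizes to both string fields of an RFC 1350 request; the names tftp_request, field_len and tftp_parse_request and the MAX_FILENAME limit are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define TFTP_RRQ 1
#define TFTP_WRQ 2
#define MAX_FILENAME 255  /* assumed server limit, not taken from the advisory */
#define MAX_MODE 8        /* "netascii" is the longest RFC 1350 mode string */

struct tftp_request {
    uint16_t opcode;
    char *filename;            /* heap copy sized from the validated length; caller frees */
    char mode[MAX_MODE + 1];
};

/* Length of the NUL-terminated field in [p, p+avail); -1 if unterminated or longer than max. */
static long field_len(const uint8_t *p, size_t avail, size_t max)
{
    const uint8_t *nul = memchr(p, 0, avail);   /* never reads past the datagram */
    if (nul == NULL) return -1;
    size_t n = (size_t)(nul - p);
    return n <= max ? (long)n : -1;
}

/* Parse an RRQ/WRQ datagram of len bytes. Returns 0 on success, -1 if it must be dropped. */
int tftp_parse_request(const uint8_t *pkt, size_t len, struct tftp_request *out)
{
    if (pkt == NULL || out == NULL || len < 4) return -1;
    uint16_t op = (uint16_t)((pkt[0] << 8) | pkt[1]);   /* opcode is big-endian */
    if (op != TFTP_RRQ && op != TFTP_WRQ) return -1;

    const uint8_t *p = pkt + 2;
    size_t avail = len - 2;
    long flen = field_len(p, avail, MAX_FILENAME);
    if (flen <= 0) return -1;                   /* empty, unterminated or oversized filename */

    const uint8_t *m = p + flen + 1;
    avail -= (size_t)flen + 1;
    long mlen = field_len(m, avail, MAX_MODE);
    if (mlen <= 0) return -1;                   /* empty, unterminated or oversized mode */

    out->filename = malloc((size_t)flen + 1);   /* allocate only after both fields validate */
    if (out->filename == NULL) return -1;
    memcpy(out->filename, p, (size_t)flen + 1); /* copy length equals allocation size */
    memcpy(out->mode, m, (size_t)mlen + 1);     /* mlen <= MAX_MODE, fits the fixed buffer */
    out->opcode = op;
    return 0;
}
```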

#####################################################################################

===========
4) POC
===========

Here

#####################################################################################