Vulnerabilities > CVE-2006-6299 - Remote Integer Overflow vulnerability in Novell Zenworks Asset Management 7

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
novell
critical
nessus
NVD
Published: 2006-12-05
Updated: 2017-07-29

Summary

Integer overflow in Msg.dll in Novell ZENworks 7 Asset Management (ZAM) before SP1 IR11 and the Collection client allows remote attackers to execute arbitrary code via crafted packets, which trigger a heap-based buffer overflow.

Vulnerable Configurations

Part Description Count
Application
Novell
1

Nessus

NASL familyGain a shell remotely
NASL idNOVELL_ZENWORKS_ASSET_HEAP.NASL
descriptionThe remote host is running Novell ZENworks Asset (or Inventory) Management, a remote desktop and network management software. The remote version of this software has multiple heap overflow vulnerabilities that may be exploited by an attacker to execute arbitrary code on the remote host with SYSTEM privileges.
last seen2020-06-01
modified2020-06-02
plugin id23787
published2006-12-11
reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/23787
titleNovell ZENworks Asset Management Collection Client Remote Overflow
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if(description)
{
 script_id(23787);
 script_version("1.14");

 script_cve_id("CVE-2006-6299");
 script_bugtraq_id(21395, 21400);

 script_name(english:"Novell ZENworks Asset Management Collection Client Remote Overflow");
 
 script_set_attribute(attribute:"synopsis", value:
"Arbitrary code can be executed on the remote host." );
 script_set_attribute(attribute:"description", value:
"The remote host is running Novell ZENworks Asset (or Inventory)
Management, a remote desktop and network management software. 

The remote version of this software has multiple heap overflow
vulnerabilities that may be exploited by an attacker to execute
arbitrary code on the remote host with SYSTEM privileges." );
 script_set_attribute(attribute:"solution", value: "See the vendor advisory for update information.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");
 # http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_2974824.html
 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9ff412fd" );

 script_set_attribute(attribute:"plugin_publication_date", value: "2006/12/11");
 script_set_attribute(attribute:"vuln_publication_date", value: "2006/12/01");
 script_set_attribute(attribute:"patch_publication_date", value: "2006/11/30");
 script_cvs_date("Date: 2018/07/16 14:09:13");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 
 script_summary(english:"Determines if ZENWorks Asset Management is vulnerable to an Heap Overflow");
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"Gain a shell remotely");
 script_dependencies("novell_asset_management_detect.nasl");
 script_require_ports(7461);
 exit(0);
}

include ("byte_func.inc");

if (!get_kb_item("Novell/AMCC"))
  exit (0);

set_byte_order(BYTE_ORDER_LITTLE_ENDIAN);

port = 7461;

if (!get_tcp_port_state(port))
  exit(0);

soc = open_sock_tcp (port);
if (!soc)
  exit(0);


req = mkbyte (0x00) + crap(data:raw_string(0), length:0x0d) + mkword (0) +
	mkword (0xfe) +
	mkword (0x0) +
	mkdword (0x40001);  # new check on the length (<= 0x40000)

send(socket:soc, data:req);
res = recv (socket:soc, length:4096);


if ("TS.Census module" >< res)
{
  security_hole(port);
}

References