CVE-2011-3175
published 2012-04-09


Priority: P2 (75), critical
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 65.60% (99.2th percentile)

Stack-based buffer overflow in the Preboot Service in Novell ZENworks Configuration Management (ZCM) 11.1 and 11.1a allows remote attackers to execute arbitrary code via an opcode 0x6c request.

Affected: 2 ranges

Vendor | Product                           | Version range | Fixed in
novell | zenworks_configuration_management |               |
novell | zenworks_configuration_management |               |

Detection & IOCs (extracted from sources)

port: 998/TCP
command: opcode 0x6c (PROXY_CMD_GET_NEXT_STEP)
command: opcode 0x4c (PROXY_CMD_PREBOOT_TASK_INFO2)
process: novell-pbserv.exe
filename: zenimgweb.dll
bytes: \x81\xC4\x54\xF2\xFF\xFF
  • Detect exploit traffic targeting the Novell ZENworks Preboot Service on port 998/TCP with opcode 0x6c (CVE-2011-3175) by inspecting the first 4 bytes of the TCP payload for the big-endian value 0x0000006c.
  • The request structure for opcode 0x6c is a 4-byte big-endian opcode followed by 5 length-prefixed value fields; an anomalously large length field (the overflow buffer is roughly 1100+ bytes in the 5th field) should trigger an alert.
  • Look for the ROP chain prepend encoder stub bytes 0x81 0xC4 0x54 0xF2 0xFF 0xFF (add esp, -3500) in TCP payloads on port 998 as a shellcode delivery indicator.
  • Monitor for connections to port 998/TCP from external or untrusted hosts targeting the Novell ZENworks Preboot Service; this service should not be exposed to untrusted networks.
  • The public exploit targets ZENworks Configuration Management 10 SP2 and SP3 on Windows Server 2003 SP2; ROP gadget addresses are version-specific and differ on other builds, so detection based on ROP addresses alone is not portable.
  • The exploit interleaves each payload byte with a random byte (the my_buf construction), so raw byte-sequence signatures for the payload body will not match unless the detection accounts for this interleaving.
  • NVD describes the trigger opcode as 0x6c, while a related exploit (CVE-2011-3176) uses opcode 0x4c on the same port 998/TCP; make sure detections distinguish the two opcodes so alerts are not confused.
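The detection guidance above, as an added example that is not from the original page or from any Novell or vendor code: a small Python checker that applies the first three bullets to a TCP payload bound for 998/TCP. It reads the big-endian opcode, walks the five length-prefixed fields, flags any field whose claimed length is anomalous (or overruns the packet), keeps opcode 0x4c out of this rule, and reports the ROP prepend stub when it appears in the clear. Two details are assumptions rather than facts from the source: that each field's length prefix is a 4-byte big-endian integer, and that 1024 bytes is a sensible single-field alert threshold. The sample payloads at the bottom are constructed for the test, not captured traffic.

```python
"""Detector for anomalous Novell ZENworks Preboot Service opcode 0x6c requests.

Added example (not from the original page). Assumptions: each of the five
value fields carries a 4-byte big-endian length prefix, and 1024 bytes is
the alert threshold for a single field. Both are assumptions, not facts
from the source.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

PREBOOT_PORT = 998                        # Preboot Service listens on 998/TCP
OPCODE_GET_NEXT_STEP = 0x6C               # PROXY_CMD_GET_NEXT_STEP (CVE-2011-3175)
OPCODE_PREBOOT_TASK_INFO2 = 0x4C          # PROXY_CMD_PREBOOT_TASK_INFO2 (CVE-2011-3176)
ROP_STUB = b"\x81\xC4\x54\xF2\xFF\xFF"     # add esp, -3500 prepend stub listed on the page
FIELD_COUNT = 5                           # opcode 0x6c carries five length-prefixed fields
MAX_FIELD_LEN = 1024                      # assumed threshold; reported overflow is ~1100+ bytes


@dataclass
class Verdict:
    opcode: Optional[int]
    suspicious: bool
    reasons: List[str]


def parse_fields(payload: bytes, offset: int, count: int) -> Tuple[List[int], Optional[str]]:
    """Walk `count` length-prefixed fields starting at `offset`.

    Returns the claimed field lengths and an error string if the payload ends
    before the structure is complete. A claimed length larger than the bytes
    that remain is itself a useful anomaly signal, so it is still recorded.
    """
    lengths: List[int] = []
    for i in range(1, count + 1):
        if offset + 4 > len(payload):
            return lengths, f"payload ends before length prefix of field {i}"
        (length,) = struct.unpack_from(">I", payload, offset)   # assumed 4-byte BE prefix
        offset += 4
        lengths.append(length)
        if offset + length > len(payload):
            remaining = len(payload) - offset
            return lengths, f"field {i} claims {length} bytes but only {remaining} remain"
        offset += length
    return lengths, None


def inspect_payload(payload: bytes, dst_port: int = PREBOOT_PORT) -> Verdict:
    """Classify one TCP payload sent to the Preboot Service."""
    if dst_port != PREBOOT_PORT or len(payload) < 4:
        return Verdict(None, False, [])
    opcode = struct.unpack_from(">I", payload)[0]
    # Opcode 0x4c belongs to the related CVE-2011-3176 and needs its own rule;
    # keeping the two apart avoids mislabelled alerts.
    if opcode != OPCODE_GET_NEXT_STEP:
        return Verdict(opcode, False, [])
    reasons: List[str] = []
    lengths, err = parse_fields(payload, 4, FIELD_COUNT)
    if err:
        reasons.append(err)
    for i, length in enumerate(lengths, 1):
        if length > MAX_FIELD_LEN:
            reasons.append(f"field {i} length {length} exceeds {MAX_FIELD_LEN}")
    # A raw byte match only works where the stub is not interleaved with random
    # bytes; the page notes the payload body is, so this is a secondary signal.
    if ROP_STUB in payload:
        reasons.append("ROP prepend stub (add esp, -3500) present")
    return Verdict(opcode, bool(reasons), reasons)


def build_request(opcode: int, fields: List[bytes]) -> bytes:
    """Encode a request in the assumed wire format, used only to build test samples."""
    out = struct.pack(">I", opcode)
    for value in fields:
        out += struct.pack(">I", len(value)) + value
    return out


# Constructed sample payloads (not captured traffic).
BENIGN = build_request(OPCODE_GET_NEXT_STEP, [b"a", b"bb", b"ccc", b"", b"dddd"])
OVERSIZED = build_request(OPCODE_GET_NEXT_STEP, [b"a"] * 4 + [b"A" * 1100])
TRUNCATED = struct.pack(">I", OPCODE_GET_NEXT_STEP) + struct.pack(">I", 5000)

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("oversized", OVERSIZED), ("truncated", TRUNCATED)):
        v = inspect_payload(pkt)
        print(f"{name}: opcode={v.opcode:#x} suspicious={v.suspicious} {v.reasons}")
```

The length walk deliberately reports a field that claims more bytes than the packet holds, since a sensor sees the prefix before (or instead of) the full buffer; in a streaming capture you would feed it the reassembled TCP payload rather than a single segment.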