CVE-2011-3175
Published: 2012-04-09
Priority: P2 (75) · Severity: critical · CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 65.60% (99.2nd percentile)
Stack-based buffer overflow in the Preboot Service in Novell ZENworks Configuration Management (ZCM) 11.1 and 11.1a allows remote attackers to execute arbitrary code via an opcode 0x6c request.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| novell | zenworks_configuration_management | — | — |
| novell | zenworks_configuration_management | — | — |
Detection & IOCs (extracted from sources)
Byte indicator: `\x81\xC4\x54\xF2\xFF\xFF`
- Detect exploit traffic targeting the Novell ZENworks Preboot Service on port 998/TCP with opcode 0x6c (CVE-2011-3175) by inspecting the first 4 bytes of the TCP payload for the big-endian value 0x0000006c.
- The exploit packet structure for opcode 0x6c consists of a 4-byte big-endian opcode followed by 5 length-prefixed value fields; anomalously large length fields (overflow buffer of roughly 1100+ bytes in the 5th field) should trigger alerts.
- Look for the ROP chain prepend encoder stub bytes 0x81 0xC4 0x54 0xF2 0xFF 0xFF (add esp, -3500) in TCP payloads on port 998 as a shellcode delivery indicator.
- Monitor for connections to port 998/TCP from external or untrusted hosts targeting the Novell ZENworks Preboot Service; this service should not be exposed to untrusted networks.
- The exploit targets ZENworks Configuration Management 10 SP2 and SP3 on Windows Server 2003 SP2; ROP gadget addresses are version-specific and will differ on other builds, so detection based on ROP addresses alone is not portable.
- The exploit interleaves each payload byte with a random byte (the my_buf construction), so raw byte-sequence signatures of the payload will not match unless the signature accounts for this interleaving.
- NVD describes the trigger opcode as 0x6c, while a related exploit (CVE-2011-3176) uses opcode 0x4c on the same port 998/TCP; ensure detections distinguish between the two opcodes to avoid confusion.
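The detection points above, worked into a small payload inspector as an added example (not code from the page or from any vendor rule set). It assumes, beyond what the page states, that each of the five value fields carries a 4-byte big-endian length prefix and that a legitimate 5th field is far smaller than 1100 bytes; `build_packet` is a constructed test-fixture helper, not the service's real encoder.

```python
"""Inspect ZENworks Preboot Service (998/TCP) payloads for CVE-2011-3175 indicators."""
import struct

PREBOOT_PORT = 998
OPCODE_GET_NEXT_STEP = 0x6C        # CVE-2011-3175 trigger opcode (from the page)
OPCODE_PREBOOT_TASK_INFO2 = 0x4C   # CVE-2011-3176, same port; must be told apart
MAX_FIELD_LEN = 1100               # page: overflow buffer ~1100+ bytes in the 5th field
ADD_ESP_STUB = b"\x81\xC4\x54\xF2\xFF\xFF"  # add esp, -3500 stub listed as an IOC


def parse_fields(payload, offset=4, max_fields=5):
    """Walk the length-prefixed fields after the opcode.

    Assumption: 4-byte big-endian length prefix per field. Returns a list of
    (declared_length, fits_in_packet) tuples so callers can flag both oversized
    and truncated fields.
    """
    fields = []
    while offset + 4 <= len(payload) and len(fields) < max_fields:
        (length,) = struct.unpack(">I", payload[offset:offset + 4])
        offset += 4
        fields.append((length, offset + length <= len(payload)))
        offset += length
    return fields


def inspect_payload(payload, dst_port=PREBOOT_PORT):
    """Return a list of alert strings for one TCP payload (empty means nothing matched)."""
    alerts = []
    if dst_port != PREBOOT_PORT or len(payload) < 4:
        return alerts
    (opcode,) = struct.unpack(">I", payload[:4])
    if opcode == OPCODE_GET_NEXT_STEP:
        for i, (length, fits) in enumerate(parse_fields(payload), start=1):
            if length > MAX_FIELD_LEN:
                alerts.append(f"CVE-2011-3175: opcode 0x6c field {i} length {length} exceeds {MAX_FIELD_LEN}")
            if not fits:
                alerts.append(f"opcode 0x6c field {i} declares {length} bytes but the packet is truncated")
    elif opcode == OPCODE_PREBOOT_TASK_INFO2:
        alerts.append("opcode 0x4c seen: evaluate under CVE-2011-3176, not CVE-2011-3175")
    # Raw match only: the page notes the exploit interleaves payload bytes with random
    # bytes, so a miss here does not clear the packet; the length check above still fires.
    if ADD_ESP_STUB in payload:
        alerts.append("add esp,-3500 stub present: possible ROP/shellcode delivery")
    return alerts


def build_packet(opcode, fields):
    """Constructed fixture: encode opcode plus length-prefixed fields in the assumed format."""
    out = struct.pack(">I", opcode)
    for field in fields:
        out += struct.pack(">I", len(field)) + field
    return out
```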
No detection rules found.
Exploit-DB · 2012-07-20 · CVE-2011-3176
Novell ZENworks Configuration Management Preboot Service - 0x4c Buffer Overflow (Metasploit)

Module header as excerpted by the source (the excerpt is cut off mid-description):

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Novell ZENworks Configuration Management Preboot Service 0x4c Buffer Overflow',
      'Description' => %q{
        This module exploits a remote buffer overflow in the ZENworks Configuration
        Management. The vulnerability exists in the Preboot service and can be triggered
        by sending a specially crafted packet with the opcode 0x4c
        (PROXY_CMD_PREBOOT_TASK_INFO2) to port 998/TCP. The module has been successfully
        tested on Novell ZENworks C
```
Exploit-DB · 2012-07-20 · CVE-2011-3176
Novell ZENworks Configuration Management Preboot Service - 0x6c Buffer Overflow (Metasploit)

Module header as excerpted by the source (the excerpt is cut off mid-description):

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Novell ZENworks Configuration Management Preboot Service 0x6c Buffer Overflow',
      'Description' => %q{
        This module exploits a remote buffer overflow in the ZENworks Configuration
        Management. The vulnerability exists in the Preboot service and can be triggered by
        sending a specially crafted packet with the opcode 0x6c (PROXY_CMD_GET_NEXT_STEP)
        to port 998/TCP. The module has been successfully tested on Novell ZENworks
        Config
```
Metasploit
Novell ZENworks Configuration Management Preboot Service 0x6c Buffer Overflow
This module exploits a remote buffer overflow in the ZENworks Configuration Management. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x6c (PROXY_CMD_GET_NEXT_STEP) to port 998/TCP. The module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 / SP3 and Windows Server 2003 SP2 (DEP bypass).
No writeups or analysis indexed.
References:
- http://download.novell.com/Download?buildid=rs4B5jhWKf8~
- http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5127930.html
- http://www.exploit-db.com/exploits/19958
- http://www.novell.com/support/viewContent.do?externalId=7010044
- http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=973