CVE-2011-3176
Published 2012-04-09
Priority: P276 · CVSS 2.0 base score 10 (critical) · vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit available · EPSS 69.67% (99.3rd percentile)
Stack-based buffer overflow in the Preboot Service in Novell ZENworks Configuration Management (ZCM) 11.1 and 11.1a allows remote attackers to execute arbitrary code via an opcode 0x4c request.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| novell | zenworks_configuration_management | — | — |
| novell | zenworks_configuration_management | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring for TCP connections to port 998 containing a packet whose first 4 bytes are the big-endian opcode 0x0000004c (PROXY_CMD_PREBOOT_TASK_INFO2), characteristic of CVE-2011-3176 exploit traffic.
- The exploit interleaves each payload byte with a random byte (every other byte is random filler), producing a distinctive alternating-byte pattern in the oversized 4th field of the opcode 0x4c packet. Network signatures should look for this pattern on port 998/TCP.
- The exploit prepends a stack-pivot encoder stub (\x81\xC4\x54\xF2\xFF\xFF, 'add esp, -3500') before the payload. Scanning memory or network captures for this byte sequence can identify exploit attempts.
- Monitor the Novell ZENworks Preboot service process (novell-pbserv.exe) for unexpected child process creation or shellcode execution, as the exploit targets this process with EXITFUNC=process.
- The ROP chain calls VirtualAlloc() via an IAT pointer in zenimgweb.dll to bypass DEP. Monitoring for VirtualAlloc calls originating from novell-pbserv.exe or zenimgweb.dll at runtime can indicate exploitation.
- The Metasploit module was successfully tested only against ZENworks Configuration Management 10 SP2 and SP3 on Windows Server 2003 SP2; ROP gadget offsets are specific to these versions and the DEP bypass may not apply to other OS/patch combinations.
- The null byte (\x00) is a bad character for the payload encoder, meaning payloads containing null bytes will not be delivered correctly by this exploit module.
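The network-side indicators above (opcode 0x4c/0x6c in the first four bytes of a 998/TCP payload, an oversized request, and the quoted stack-pivot stub) can be checked mechanically. The following inspector is an added example, not code from the CVE record's sources or from the Metasploit module; the size threshold and the sample payloads are constructed assumptions for the demonstration, and the opcode 0x6c comes from the second module listing on this page.

```python
import struct

# Added example (not from the CVE record's sources or the Metasploit module):
# a minimal inspector that applies the network-side indicators listed above
# to the payload of a TCP connection to the ZENworks Preboot service.

PREBOOT_PORT = 998
OPCODE_PREBOOT_TASK_INFO2 = 0x4C  # opcode named in the CVE record
OPCODE_GET_NEXT_STEP = 0x6C       # opcode named in the 0x6c module listing
# Stack-pivot stub quoted in the IOC list ('add esp, -3500').
PIVOT_STUB = b"\x81\xC4\x54\xF2\xFF\xFF"
# Assumption: legitimate requests with these opcodes are small. The threshold
# is a constructed tuning value for this example, not a protocol constant.
OVERSIZED_THRESHOLD = 512


def parse_opcode(payload):
    """Return the big-endian 32-bit opcode in the first 4 bytes, or None."""
    if len(payload) < 4:
        return None
    return struct.unpack(">I", payload[:4])[0]


def inspect_preboot_payload(payload, dst_port=PREBOOT_PORT):
    """Classify one TCP payload. Returns a dict with the opcode, the list of
    matched indicators and an overall 'suspicious' flag."""
    findings = []
    opcode = parse_opcode(payload)
    # Only traffic to the Preboot port with a complete opcode is of interest.
    if dst_port != PREBOOT_PORT or opcode is None:
        return {"opcode": opcode, "findings": findings, "suspicious": False}
    if opcode in (OPCODE_PREBOOT_TASK_INFO2, OPCODE_GET_NEXT_STEP):
        if len(payload) > OVERSIZED_THRESHOLD:
            findings.append("oversized request for opcode 0x%02x (%d bytes)"
                            % (opcode, len(payload)))
    # The pivot stub is a byte-exact indicator regardless of opcode.
    if PIVOT_STUB in payload:
        findings.append("stack-pivot stub 'add esp, -3500' present")
    return {"opcode": opcode, "findings": findings, "suspicious": bool(findings)}


# Constructed sample payloads (not captured traffic).
BENIGN_0x4C = struct.pack(">I", OPCODE_PREBOOT_TASK_INFO2) + b"\x00" * 40
# Oversized 0x4c request carrying the pivot stub, padded with 'A' bytes.
SUSPECT_0x4C = (struct.pack(">I", OPCODE_PREBOOT_TASK_INFO2)
                + b"A" * 600 + PIVOT_STUB + b"A" * 100)
# Large request with an unrelated opcode: size alone is not an indicator.
OTHER_OPCODE_LARGE = struct.pack(">I", 0x01) + b"B" * 2000


def run_samples():
    """Inspect the constructed samples; returns a mapping name -> result."""
    return {
        "benign_0x4c": inspect_preboot_payload(BENIGN_0x4C),
        "suspect_0x4c": inspect_preboot_payload(SUSPECT_0x4C),
        "other_opcode_large": inspect_preboot_payload(OTHER_OPCODE_LARGE),
        "suspect_wrong_port": inspect_preboot_payload(SUSPECT_0x4C, dst_port=8080),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result["suspicious"], result["findings"])
```

The size check is scoped to the two vulnerable opcodes so that large but unrelated Preboot requests do not alert, while the stub signature fires on any payload that carries it; in a real sensor the threshold would be tuned against observed legitimate 0x4c/0x6c request sizes.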
No detection rules found.
Exploit-DB: Novell ZENworks Configuration Management Preboot Service - 0x4c Buffer Overflow (Metasploit) · 2012-07-20 · CVE-2011-3176
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Novell ZENworks Configuration Management Preboot Service 0x4c Buffer Overflow',
      'Description' => %q{
        This module exploits a remote buffer overflow in the ZENworks Configuration
        Management. The vulnerability exists in the Preboot service and can be triggered
        by sending a specially crafted packet with the opcode 0x4c
        (PROXY_CMD_PREBOOT_TASK_INFO2) to port 998/TCP. The module has been successfully
        tested on Novell ZENworks C
```
Exploit-DB: Novell ZENworks Configuration Management Preboot Service - 0x6c Buffer Overflow (Metasploit) · 2012-07-20 · CVE-2011-3176
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Novell ZENworks Configuration Management Preboot Service 0x6c Buffer Overflow',
      'Description' => %q{
        This module exploits a remote buffer overflow in the ZENworks Configuration
        Management. The vulnerability exists in the Preboot service and can be triggered by
        sending a specially crafted packet with the opcode 0x6c (PROXY_CMD_GET_NEXT_STEP)
        to port 998/TCP. The module has been successfully tested on Novell ZENworks
        Config
```
Metasploit: Novell ZENworks Configuration Management Preboot Service 0x4c Buffer Overflow
This module exploits a remote buffer overflow in the ZENworks Configuration Management. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x4c (PROXY_CMD_PREBOOT_TASK_INFO2) to port 998/TCP. The module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 / SP3 and Windows Server 2003 SP2 (DEP bypass).
No writeups or analysis indexed.
References
- http://download.novell.com/Download?buildid=rs4B5jhWKf8~
- http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5127930.html
- http://www.exploit-db.com/exploits/19959
- http://www.novell.com/support/viewContent.do?externalId=7010044
- http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=974