CVE-2011-3176
published 2012-04-09


Priority: P2 · 76
Severity: critical
CVSS 2.0 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 69.67% (99.3rd percentile)
Stack-based buffer overflow in the Preboot Service in Novell ZENworks Configuration Management (ZCM) 11.1 and 11.1a allows remote attackers to execute arbitrary code via an opcode 0x4c request.

Affected

2 ranges
Vendor   Product                             Version range   Fixed in
novell   zenworks_configuration_management
novell   zenworks_configuration_management

Detection & IOCs (extracted from sources)

  port:     998/TCP
  command:  opcode 0x4c (PROXY_CMD_PREBOOT_TASK_INFO2) packet to port 998/TCP
  process:  novell-pbserv.exe
  filename: zenimgweb.dll
  • Detect exploitation attempts by monitoring for TCP connections to port 998 containing a packet whose first 4 bytes are the big-endian opcode 0x0000004c (PROXY_CMD_PREBOOT_TASK_INFO2), characteristic of CVE-2011-3176 exploit traffic.
  • The exploit interleaves each payload byte with a random byte (every other byte is random filler), producing a distinctive alternating-byte pattern in the oversized 4th field of the opcode 0x4c packet. Network signatures should look for this pattern on port 998/TCP.
  • The exploit prepends a stack-pivot encoder stub (\x81\xC4\x54\xF2\xFF\xFF — 'add esp, -3500') before the payload. Scanning memory or network captures for this byte sequence can identify exploit attempts.
  • Monitor the Novell ZENworks Preboot service process (novell-pbserv.exe) for unexpected child process creation or shellcode execution, as the exploit targets this process with EXITFUNC=process.
  • The ROP chain calls VirtualAlloc() via an IAT pointer in zenimgweb.dll to bypass DEP. Monitoring for VirtualAlloc calls originating from novell-pbserv.exe or zenimgweb.dll at runtime can indicate exploitation.
  • The Metasploit module was successfully tested only against ZENworks Configuration Management 10 SP2 and SP3 on Windows Server 2003 SP2; the ROP gadget offsets are specific to those versions, and the DEP bypass may not apply to other OS/patch combinations.
  • The null byte (\x00) is a bad character for the payload encoder, so payloads containing null bytes will not be delivered correctly by this exploit module.
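As an added example (not code from this page or from the Metasploit module), the Python below implements the three network-level checks listed above against constructed sample requests: it reads the big-endian opcode from the first four bytes, flags an oversized 0x4c request, searches for the add esp, -3500 stub, and then de-interleaves the bytes that follow the stub to recover the real payload from the alternating filler. The 512-byte "oversized" threshold, the padding layout of the sample request, and the assumption that the real payload byte comes first in each interleaved pair are assumptions made for the example, not details taken from the advisory.

```python
"""Signature checks for CVE-2011-3176 traffic on 998/TCP (added example)."""
import random
import struct
from typing import Dict, List, Optional

OPCODE_PREBOOT_TASK_INFO2 = 0x4C             # opcode named on this page
PIVOT_STUB = b"\x81\xc4\x54\xf2\xff\xff"       # add esp, -3500 (from this page)
SUSPICIOUS_LEN = 512                           # ASSUMED threshold for "oversized"


def opcode_of(packet: bytes) -> Optional[int]:
    """Return the 32-bit big-endian opcode in the first 4 bytes, or None."""
    if len(packet) < 4:
        return None
    return struct.unpack(">I", packet[:4])[0]


def deinterleave(blob: bytes) -> bytes:
    """Drop the random filler; ASSUMES the real byte is first in each pair."""
    return blob[::2]


def assess(packet: bytes) -> Dict[str, object]:
    """Apply the page's three network signature checks to one request."""
    reasons: List[str] = []
    recovered = b""
    if opcode_of(packet) != OPCODE_PREBOOT_TASK_INFO2:
        return {"suspicious": False, "reasons": reasons, "recovered": recovered}
    if len(packet) > SUSPICIOUS_LEN:
        reasons.append("oversized opcode 0x4c request (%d bytes)" % len(packet))
    idx = packet.find(PIVOT_STUB)
    if idx >= 0:
        reasons.append("stack-pivot stub 'add esp, -3500' at offset %d" % idx)
        # Everything after the stub is payload interleaved with filler bytes.
        recovered = deinterleave(packet[idx + len(PIVOT_STUB):])
    return {"suspicious": bool(reasons), "reasons": reasons, "recovered": recovered}


def build_sample_request(payload: bytes, seed: int = 1) -> bytes:
    """CONSTRUCTED sample in the shape the page describes; not the real exploit."""
    rng = random.Random(seed)
    interleaved = b"".join(bytes([b, rng.randrange(256)]) for b in payload)
    # ASSUMED layout: opcode, 600 bytes of overflow padding, stub, interleaved payload.
    return (struct.pack(">I", OPCODE_PREBOOT_TASK_INFO2)
            + b"A" * 600 + PIVOT_STUB + interleaved)


if __name__ == "__main__":
    sample = build_sample_request(b"\x90\x90\xcc")
    print(assess(sample))
    # A short opcode 0x4c request with no stub should not be flagged.
    print(assess(b"\x00\x00\x00\x4c" + b"\x00" * 32))
```

The size threshold is the weakest of the three checks and should be tuned against legitimate preboot traffic; the stub byte sequence is the strongest, but it only catches this exact module's pivot, so a rewritten exploit using a different pivot would evade it.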