SecurityTracker.com
Category:   Application (Generic)  >   Novell iManager
Vendors:   Novell
Novell iManage for NetWare Lets Remote Users Crash the Service
SecurityTracker Alert ID:  1004650
SecurityTracker URL:  http://securitytracker.com/id/1004650
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 29 2002
Impact:   Denial of service via network
Exploit Included:  Yes  

Description:   A denial of service vulnerability was reported in the iManage component of Novell's iPrint for NetWare 6. A remote user can cause the iManage service to crash.

It is reported that a remote user can connect to the iManage web port and submit a specially crafted request to cause the iManage service to crash.

A remote user can enter 256 * 'A' in the username field to cause the service to crash.

It is also possible for the remote user to modify the stack, according to the report.

Impact:   A remote user can cause the iManage service to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.novell.com/
Cause:   Boundary error
Underlying OS:  
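
With no fix available at the time of this entry, one interim control is a filter in front of the login form that rejects oversized fields before they reach the service. The sketch below is an added example, not code from the advisory or from Novell; the parameter names, the limits and the function name `check_login_form` are assumptions, and the request bodies are constructed.

```python
from urllib.parse import parse_qsl

# Assumed parameter names and limits: the advisory only calls the fields
# "username", "context" and "tree", and reports crashes from 256 characters up.
FIELD_LIMITS = {"username": 64, "context": 128, "tree": 64}
MAX_BODY_BYTES = 2048   # assumed cap on the whole login POST body
MAX_FIELDS = 16         # assumed cap on the number of form fields


def check_login_form(body: bytes) -> list:
    """Return reasons to reject the request; an empty list means forward it."""
    if len(body) > MAX_BODY_BYTES:
        return [f"body: {len(body)} bytes exceeds {MAX_BODY_BYTES}"]
    try:
        pairs = parse_qsl(body.decode("ascii"), keep_blank_values=True,
                          strict_parsing=True, max_num_fields=MAX_FIELDS)
    except ValueError:  # UnicodeDecodeError is a ValueError subclass
        return ["body: not well-formed urlencoded ASCII"]
    reasons, seen = [], set()
    for name, value in pairs:
        key = name.lower()
        if key not in FIELD_LIMITS:
            continue
        if key in seen:
            reasons.append(f"{key}: field repeated")
        seen.add(key)
        # Measure after percent-decoding, so "%41" counts as one character.
        if len(value) > FIELD_LIMITS[key]:
            reasons.append(
                f"{key}: {len(value)} chars exceeds {FIELD_LIMITS[key]}")
    return reasons


if __name__ == "__main__":
    # Constructed request bodies, not captured traffic.
    samples = [
        b"username=admin&context=o%3Dacme&tree=ACME_TREE",
        b"username=" + b"A" * 256 + b"&context=x&tree=y",
        b"username=" + b"%41" * 70 + b"&context=x&tree=y",
    ]
    for sample in samples:
        print(check_login_form(sample) or "forward")
```

Lengths are checked after decoding so that percent-encoded padding cannot slip under a raw byte count, and the body cap is applied first so an oversized request is never parsed at all.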

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Novell Issues Fix) Re: Novell iManage for NetWare Lets Remote Users Crash the Service   (Ed Reed <ereed@novell.com>)
Novell has issued a fix.
(Novell Issues Revised Fix for iManager eMFrame) Re: Novell iManager for NetWare Lets Remote Users Crash the Service   ("Ed Reed" <ereed@novell.com>)
Novell has issued a new fix.



 Source Message Contents

Date:  Thu, 27 Jun 2002 03:38:57 -0700
Subject:  Cluestick Advisory #001



Cluestick Advisory #001
June 27, the year of our Lord 2002
Surreal

"Unauthenticated remote hyper-annoying denial of service
with a side of server reboot, using IManage. Netware 6.0 
and NW6 SP1."

OK, I may possibly ramble a bit, but is that any reason to
SHUN a body?  It's been 30 to 45 days, and I've yet to hear 
a peep from anyone out there in FedUpWithVendorLand.  
It can't be my breath; I'm all, like, minty fresh.

Oh cripes! - I had my chronometer set to "ISS Time".  That's  
approximately "6.21 * DogYears" by your Earth reckoning, or 
"a couple of hours" in the common tongue.  "Live fast, burn
your bridges, make a ton o' cash", that's the life fer me, 
mateys!  But let's just TURN DOWN those gilacopters for a 
moment and take a deep, calming breath.  Here we go.

Before y'all bring it up, I _know_ I was supposedly covering
a Netware 5.1 & 6 "issue".  What am I though, the freakin'
Alexis D. Tokeblaster Thinktank?  Nope; just an annoyed geek 
with poor organizational skills.  Today's offering is a NW6 
DoS cuz I've yet to misplace those notes. You try to cope, 
I'll try to be more perfect next time.

OW, ow, owww - Make Him Stop!  I can just hear it!  Don't 
panic, dude.  Just unload IManage until Novell gets it 
unwedged.  It won't kill you to go "old fashioned" for awhile.  
Novell cares, they won't leave you hangin.  

<< Just in case, one of you $$$-types might wanna pony up the 
$300.00 though, huh?  Hey, I wonder if you get your money back 
if it's not a *new* bug?  Feeling... lucky? >>

OK, for real.  This is *so* lame I was sure that it'd be fixed
in SP1.  (Is Novell hiring away MS Coding Talent?  Inquiring 
minds suspect it) <sigh>  Here goes:

Fire up your World Wide Web Browser <*snort*> and aim it at
IManage.  Enter 256 * 'A' in the username field and anything in 
the remaining fields.  Send it.  This simple DoS will unload 
IManage and yield a pagefault in java.  To wit:
java: Page fault processor exception occurred while executing 
class org.apache.tomcat.startup.Main
The exception occurred while executing code in: JVM.NLM 
(d1dfb000)
The exception occurred while running thread: Java_221 Thread-1 
(CB36C460)
java: Class org.apache.tomcat.startup.Main exited with status -5


Reboot the server and you can play again!  This time we're a 
gonna get us some stack!

Username field, 256*'A' +BBBBBCCCCC etc. gives stack dump of:
44 00 44 00 44 00 45 00 45 00 45 00 45 00 45 00...  Kewl.

Let's try the same lame stunt with "Context": and the stack is 
all, like:
43 00 43 00 43 00 43 00 43 00 44 00 44 00 44 00...

But, golly, can't we stuff things into stack and not get that 
goony Unicode treatment?  Yeah, since you asked so nice:

297*'A'+... stuffed into "tree" and you might tend to see a 
stack like:
49 49 49 49 4A 4A 4A 4A 4A 4B 4B 4B 4B 4B 4C 4C...

"Boooring!"  "Put it out of its misery!"  

Why not? "context", 600 * 'A'
result:
Abend on P00: Page fault...
Running process: Java_222 Thread-1 Process
Stack: 41 00 41 00 41 00 etc.
(select X to update ABEND log and exit)

That's gotta be enough joy to spread for now.  Greetz to all
the dogs and kitties, wherever they may be, and a shout to 
those RevCo boys and The Reg, and sneers to the greedy mofos 
at Worldcom.

P.S.  For those who glossed over CS 000, this ignorant crap
will cease when I can send an advisory to Novell and not have
'em say "please bend over first".

Surreal -- cluestick@hushmail.com
Yes, there's more of this stuff in the pipeline.  Sit tight.
//




Copyright 2013, SecurityGlobal.net LLC