SecurityTracker.com
Category:   Application (Generic)  >   NetWare
Vendors:   Novell
NetWare FTP Server Buffer Overflow Lets Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1023768
SecurityTracker URL:  http://securitytracker.com/id/1023768
CVE Reference:   CVE-2010-0625
Updated:  Apr 6 2010
Original Entry Date:  Mar 30 2010
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.5 SP8
Description:   A vulnerability was reported in NetWare's FTP Server. A remote authenticated user can execute arbitrary code on the target system.

A remote authenticated user, including an anonymous user, can send a specially crafted 'mkdir', 'rmdir', 'rnfr', or 'dele' request to trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target service.
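A screening check for the four requests named above, as an added example (not code from SecurityTracker, the vendor or the reporter): it flags over-long or highly repetitive arguments on an FTP control channel. The wire verbs, the thresholds and the sample lines are assumptions of this example.

```python
# FTP wire verbs for the requests named in the advisory. Mapping 'mkdir' and
# 'rmdir' to MKD/RMD and their X-prefixed aliases is an assumption of this example.
WATCHED = {"MKD", "XMKD", "RMD", "XRMD", "RNFR", "DELE"}
MAX_ARG_LEN = 255   # assumed site policy, not a value from the advisory
MAX_UNIT = 8        # assumed: only short repeating units are of interest
MIN_REPEATS = 16    # assumed: repetitions needed before flagging

def smallest_period(s):
    """Length of the shortest unit whose repetition has s as a prefix."""
    if not s:
        return 0
    border = [0] * len(s)          # KMP prefix function
    k = 0
    for i in range(1, len(s)):
        while k and s[i] != s[k]:
            k = border[k - 1]
        if s[i] == s[k]:
            k += 1
        border[i] = k
    return len(s) - border[-1]

def inspect(line):
    """Return the reasons a control-channel line looks like an overflow attempt."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    if verb.upper() not in WATCHED:
        return []
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append(f"argument length {len(arg)} exceeds {MAX_ARG_LEN}")
    period = smallest_period(arg)
    repeats = len(arg) // period if period else 0
    if period and period <= MAX_UNIT and repeats >= MIN_REPEATS:
        reasons.append(f"{period}-char unit repeated {repeats} times")
    return reasons

# Constructed control-channel lines (not captured traffic).
SAMPLE = [
    "MKD reports/2010",
    "MKD " + "~A/" * 320,
    "RETR " + "a" * 500,
    "dele " + "x" * 40,
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line[:24], "->", inspect(line) or "ok")
```
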

The vendor was notified on August 26, 2008 and January 25, 2010.

Francis Provencher (Protek Research Lab's) reported this vulnerability. Nick DeBaggis reported this vulnerability via TippingPoint's Zero Day Initiative.

Impact:   A remote authenticated user, including an anonymous user, can execute arbitrary code on the target system.
Solution:   The vendor has issued a fix (NWFTPD.NLM v5.10.01).

The vendor's advisory is available at:

http://www.novell.com/support/viewContent.do?externalId=3238588

Vendor URL:  www.novell.com/support/viewContent.do?externalId=3238588
Cause:   Boundary error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Mon, 29 Mar 2010 10:48:48 -0400
Subject:  {PRL} Novell Netware FTP Remote Stack Overflow

#####################################################################################

Application:   Novell Netware FTP Remote Stack Overflow

Platforms:   Novell Netware 6.5 SP8

Exploitation:   Remote Code Execution

CVE Number:   CVE-2010-0625

Novell TID:   3238588

Discover Date:   2009-07-23

Author:   Francis Provencher (Protek Research Lab's)

Blog:   http://www.protekresearchlab.com/


#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) The Code


#####################################################################################

===============
1) Introduction
===============

Novell, Inc. is a global software and services company based in
Waltham, Massachusetts. The company specializes in enterprise
operating systems, such as SUSE Linux Enterprise and Novell NetWare;
identity, security, and systems management solutions; and
collaboration solutions, such as Novell Groupwise and Novell Pulse.

Novell was instrumental in making the Utah Valley a focus for
technology and software development. Novell technology contributed to
the emergence of local area networks, which displaced the dominant
mainframe computing model and changed computing worldwide. Today, a
primary focus of the company is on developing open source software
for enterprise clients.

(http://en.wikipedia.org/wiki/Novell)

#####################################################################################

============================
2) Report Timeline
============================

2010-01-25 Vendor Contact
2010-01-26 Vendor response
2010-03-26 Coordinate release of this advisory

#####################################################################################

============================
3) Technical details
============================

It's possible to overflow the stack and rewrite the EIP by sending a
mkdir and a rmdir request with these special characters "~A/" 320 times.


The nlm version;

NWFTPD.nlm
Netware FTP Server
Version 5.09.03 October 14 2008


The register;

Abend 1 on P00: Server-5.70.08: Page Fault Processor Exception (Error code 00000000)
Registers:
    CS = 0008 DS = 0023 ES = 0023 FS = 0023 GS = 0023 SS = 0010
    EAX = 00000238 EBX = 7E2F417E ECX = 55AA08D4 EDX = 00000001
    ESI = 2F417E2F EDI = 429980C0 EBP = 417E2F41 ESP = A94A9FA4
    EIP = 007E2F41 FLAGS = 00010282
    Address (0x007E2F41) exceeds valid memory limit
    EIP in UNKNOWN memory area
    Access Location: 0x007E2F41

#####################################################################################

===========
4) The Code
===========

This issue can be triggered manually


#####################################################################################
(PRL-2010-03)
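Crash triage for the register dump in the advisory above, as an added example (not part of the original advisory or of SecurityTracker's entry): it parses the Abend register lines and reports which registers hold bytes of the repeated "~A/" input. The function names are hypothetical, and the dump is embedded as sample input copied from the report.

```python
import re

# Sample input: the register lines copied from the Abend report above.
ABEND = """\
    EAX = 00000238 EBX = 7E2F417E ECX = 55AA08D4 EDX = 00000001
    ESI = 2F417E2F EDI = 429980C0 EBP = 417E2F41 ESP = A94A9FA4
    EIP = 007E2F41 FLAGS = 00010282
"""

def parse_registers(text):
    """Map register name -> 32-bit value from 'NAME = HEX' pairs."""
    pairs = re.findall(r"\b([A-Z]{2,5}) = ([0-9A-F]{8})\b", text)
    return {name: int(value, 16) for name, value in pairs}

def controlled_by(value, unit):
    """Classify how a little-endian 32-bit value relates to a repeated input unit.

    'full'        : all four bytes are a slice of the repeated unit
    'partial+NUL' : low bytes are such a slice, followed only by 0x00 bytes
                    (what a C string terminator would leave behind)
    None          : no relation found
    """
    raw = value.to_bytes(4, "little")
    stream = unit * (4 // len(unit) + 2)   # holds every 4-byte window
    if raw in stream:
        return "full"
    body = raw.rstrip(b"\x00")
    if 2 <= len(body) < 4 and body in stream:
        return "partial+NUL"
    return None

def triage(text, unit):
    """Return {register: verdict} for registers that carry input bytes."""
    return {name: verdict
            for name, value in parse_registers(text).items()
            if (verdict := controlled_by(value, unit))}

if __name__ == "__main__":
    for name, verdict in triage(ABEND, b"~A/").items():
        print(f"{name}: {verdict}")
```

EBP and EIP both carrying input bytes is consistent with the saved frame pointer and return address having been overwritten, which matches the stack overflow the advisory describes.
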
 
 

