Novell Netware Remote Manager Buffer Overlow Lets Remote Users Crash the Manager and Possibly Execute Arbitrary Code
SecurityTracker Alert ID: 1003947|
SecurityTracker URL: http://securitytracker.com/id/1003947
(Links to External Site)
Date: Apr 2 2002
Denial of service via network, Execution of arbitrary code via network|
iXsecurity reported a buffer overflow vulnerability in the Netware 6 Remote Manager. A remote user can cause the server to crash or possibly to execute arbitrary code.|
It is reported that a remote user could cause the HTTPSTK.NLM or SERVER.NLM to ABEND by sending a long username or password to the manager's secure web interface on port 8009 (default configuration). According to the report, it may be possible to execute arbitrary code (the remote user can cause the EAX register to be overwritten with arbitrary data), but this has not been confirmed.
The vendor has reportedly been notified.
A remote user can cause certain services to crash. A remote user may be able to cause arbitrary code to be executed on the system, but this has not been confirmed.|
No solution was available at the time of this entry.|
Vendor URL: www.novell.com/ (Links to External Site)
|Underlying OS Comments: Netware 6, 6 SP1|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
iXsecurity Security Vulnerability Report
Problem: The Netware 6 Remote Manager, which is a
web-based interface for managing the
server, has a buffer overflow condition.
Threat: An attacker could cause the HTTPSTK.NLM
or SERVER.NLM to ABEND, or possibly execute
Affected Software: Netware 6 Remote Manager.
Platform: Netware 6 and Netware 6 SP1.
Solution: Install the patch for Netware 6 Remote
manager, whenever Novell decide to publish
it, or disable the NLM.
The Netware 6 Remote Manager listens to port 8009 by default and is
to be accessed using a SSL capable webbrowser. The NLM handling this
is the HTTPSTK.NLM. The buffer overflow condition occures when the
basic authentication fields are supplied with a long username or
password. Depending on the length of the username and/or password
supplied, there server will ABEND in either the SERVER.NLM or the
HTTPSTK.NLM. The first condition occurs when the server is trying to
free memory which has been overwritten by the username. Eg. The
server is trying to free 0x00000041, when the buffer has been
filled with 595 'A's. This abend occurs in the SERVER.NLM.
The second condition is within the HTTPSTK.NLM itself and occurs
in a CMP where the EAX register contains 0x41414141. It is triggered
by 626 characters. Supplying even more characters > 1565 the browser
will respond with document contains no data, however the server will
not ABEND. We have not dug deeper in to the conditions to see if they
are exploitable or not.
Novell was contacted 20020314, however they decided not to reply.
This vulnerability was found by