(Vendor Issues Patch) Re: Novell Netware Remote Manager Buffer Overlow Lets Remote Users Crash the Manager and Possibly Execute Arbitrary Code
SecurityTracker Alert ID: 1004013|
SecurityTracker URL: http://securitytracker.com/id/1004013
(Links to External Site)
Date: Apr 10 2002
Denial of service via network, Execution of arbitrary code via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 5.1, 6|
iXsecurity reported a buffer overflow vulnerability in the Netware 6 Remote Manager. A remote user can cause the server to crash or possibly to execute arbitrary code.|
It is reported that a remote user could cause the HTTPSTK.NLM or SERVER.NLM to ABEND by sending a long username or password to the manager's secure web interface on port 8009 (default configuration). According to the report, it may be possible to execute arbitrary code (the remote user can cause the EAX register to be overwritten with arbitrary data), but this has not been confirmed.
The vendor has reportedly been notified.
A remote user can cause certain services to crash. A remote user may be able to cause arbitrary code to be executed on the system, but this has not been confirmed.|
The vendor has released a fix, available at:|
Novell has provided the following fix information, available at the Vendor URL:
For NetWare 5.1, Novell recommends that customers have Support Pack 3 installed on their servers prior to the installation of this fix.
For NetWare 6, this fix can be applied to a NetWare 6 server either with or without Support Pack 1 installed.
Method #1: Use NWCONFIG.NLM and install the patch automatically.
Method #2: Manually copy the files to the server.
1. Run HTTPSTK1.EXE, unzipping the files into a directory.
2. If the directory where the files were extracted is not located on the server to be updated, copy that directory structure to the server to be updated.
3. Load NWCONFIG.NLM on the server to be updated.
4. On the main menu of NWCONFIG.NLM, select "Product Options". This will display a new menu. On this new menu, select "Install a product not listed" and then press <ENTER>.
5. Follow the on screen prompts to correctly select the location of the directory to where the patch was extracted on the server.
6. Press <F10> to start the file copy procedure.
1. Flag the older version of httpstk.nlm appropriately so that it can be over written with the new version of httpstk.nlm. This file is located on the server's SYS: volume in the system directory.
2. Copy the newer version of httpstk.nlm to the server's SYS:system directory.
3. Flag the file to be RO SH.
After the installation of the file is complete, the new code can either be enabled manually, or automatically. The manual method requires knowledge of the command line switches httpstk.nlm uses on loading. These switches are found in the autoexec.ncf file (in the SYS:system directory). Unload portal.nlm and httpstk.nlm and then reload httpstk.nlm (with the correct switches) and portal.nlm. This will reenable Novell Remote Manager with the new code.
The automatic method of enabling the code is a server reboot. Once the NLM has been copied into the SYS:system directory, the server will automatically use it (if asked to) when booting.
Note that the internal date displayed using the modules list on the server may not match the date of the actual physical file. This behavior is normal and does not indicate a problem.
NetWare 5.1 and NetWare 6 include NetWare Remote Manager by default.
NetWare 5.1 Support Pack 5 will include this new version of httpstk.nlm.
NetWare 6 Support Pack 2 will include this new version of httpstk.nlm.
Vendor URL: support.novell.com/servlet/tidfinder/2962026 (Links to External Site)
|Underlying OS Comments: Netware 5.1, 6, 6 SP1|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Subject: NetWare Remote Manager patches|
Novell has got their official patch for the problem described in:
Novell has named the patch "HTTPSTK Vulnerability Fix" and it is available
Patrik Karlsson, iXsecurity