SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Directory)  >   Novell eDirectory Vendors:   Novell
Novell eDirectory Buffer Overflow in HTTPSTK Login Page Lets Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1023188
SecurityTracker URL:  http://securitytracker.com/id/1023188
CVE Reference:   CVE-2009-4654   (Links to External Site)
Updated:  Mar 2 2010
Original Entry Date:  Nov 17 2009
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 8.8 SP5
Description:   karak0rsan and murderkey from Hellcode Research reported a vulnerability in Novell eDirectory. A remote authenticated user can execute arbitrary code on the target system.

A remote authenticated user can submit specially crafted data to '/dhost/httpstk' to trigger a stack overflow and execute arbitrary code on the target system.

A demonstration exploit is available at:

http://tcc.hellcode.net/sploitz/httpstk.txt

karak0rsan and murderkey from Hellcode Research reported this vulnerability.

Impact:   A remote authenticated user can execute arbitrary code on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.novell.com/ (Links to External Site)
Cause:   Boundary error

Message History:   None.


 Source Message Contents

Subject:  Hellcode Research: Novell eDirectory HTTPSTK Login Stack Overflow Vulnerability

Vendor: Novell

Product: eDirectory for Windows

Version: 8.8 SP5

Vulnerability: Stack Overflow

Description:

Vulnerability is in "/dhost/httpstk"
This vulnerability allows remote attackers to execute arbitrary code
on vulnerable installations of Novell eDirectory. 

The specific flaw exists in the handling of URL parameters 
when posting to the login form of the HTTPSTK web server.
( <FORM method="post" action="/dhost/httpstk;submit"> ) 
Successful exploitation can lead to complete system compromise under the SYSTEM credentials.

Authentication is required to exploit this vulnerability.

Debugger Results:

(ea8.aec): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=734c4d90 ecx=035efe24 edx=00000193 esi=035efe24 edi=035efe24
eip=62408f23 esp=035efd20 ebp=035efd6c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Novell\NDS\httpstk.dlm - 
httpstk!HT_RspCCSetNoCache+0x5fb:
62408f23 80b8e500000000  cmp     byte ptr [eax+0E5h],0      ds:0023:41414226=??

0:007> g
(ea8.aec): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=77569bad esi=00000000 edi=00000000
eip=41414141 esp=035ef950 ebp=035ef970 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
41414141 ??              ???


0:007> !exchain
035ef964: ntdll!RtlRaiseStatus+c8 (77569bad)
035eff34: 41414141
Invalid exception stack at 41414141

Credit to:
karak0rsan and murderkey from Hellcode Research
www.hellcode.net

Proof of Concept:

http://tcc.hellcode.net/sploitz/httpstk.txt

Original Advisory:

http://tcc.hellcode.net/advisories/hellcode-adv005.txt


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC