Novell Netware FTP 5.07.02 Remote Stack Overflow

2010-04-06 / 2010-04-07
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

########################################################################

Application: Novell Netware FTP Remote Stack Overflow
Platforms: Novell Netware 6.5 SP8
Exploitation: Remote Code Execution
CVE Number: CVE-2010-0625
Novell TID: 3238588
Discover Date: 2009-07-23
Author: Francis Provencher (Protek Research Lab's)
Blog: http://www.protekresearchlab.com/

########################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) The Code

########################################################################

===============
1) Introduction
===============

Novell, Inc. is a global software and services company based in Waltham, Massachusetts. The company specializes in enterprise operating systems, such as SUSE Linux Enterprise and Novell NetWare; identity, security, and systems management solutions; and collaboration solutions, such as Novell Groupwise and Novell Pulse. Novell was instrumental in making the Utah Valley a focus for technology and software development. Novell technology contributed to the emergence of local area networks, which displaced the dominant mainframe computing model and changed computing worldwide. Today, a primary focus of the company is on developing open source software for enterprise clients.

(http://en.wikipedia.org/wiki/Novell)

########################################################################

============================
2) Report Timeline
============================

2010-01-25 Vendor Contact
2010-01-26 Vendor response
2010-03-26 Coordinate release of this advisory

########################################################################

============================
3) Technical details
============================

It is possible to overflow the stack and overwrite EIP by sending a mkdir and an rmdir request containing the special characters "~A/" repeated 320 times.

The nlm version:

NWFTPD.nlm
Netware FTP Server
Version 5.09.03
October 14 2008

The registers:

Abend 1 on P00: Server-5.70.08: Page Fault Processor Exception (Error code 00000000)

Registers:
CS = 0008 DS = 0023 ES = 0023 FS = 0023 GS = 0023 SS = 0010
EAX = 00000238 EBX = 7E2F417E ECX = 55AA08D4 EDX = 00000001
ESI = 2F417E2F EDI = 429980C0 EBP = 417E2F41 ESP = A94A9FA4
EIP = 007E2F41 FLAGS = 00010282
Address (0x007E2F41) exceeds valid memory limit
EIP in UNKNOWN memory area
Access Location: 0x007E2F41

########################################################################

===========
4) The Code
===========

This issue can be triggered manually.

########################################################################

(PRL-2010-03)
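For crash triage, the register dump in the advisory can be checked against the request bytes to confirm that the abend came from request data rather than a hardware or driver fault. The following is an added example, not part of the original advisory; the function names are hypothetical, and the dump text is copied from the abend shown above.

```python
import re

# Register dump copied from the abend shown in this advisory.
ABEND = """\
CS = 0008 DS = 0023 ES = 0023 FS = 0023 GS = 0023 SS = 0010
EAX = 00000238 EBX = 7E2F417E ECX = 55AA08D4 EDX = 00000001
ESI = 2F417E2F EDI = 429980C0 EBP = 417E2F41 ESP = A94A9FA4
EIP = 007E2F41 FLAGS = 00010282
"""

PATTERN = b"~A/"  # the repeated directory argument named in the advisory


def parse_registers(text):
    """Return {name: value} for every 32-bit 'NAME = HEX' pair in the dump.
    The 16-bit segment registers (4 hex digits) are skipped by the regex."""
    pairs = re.findall(r"\b([A-Z]{2,5}) = ([0-9A-F]{8})\b", text)
    return {name: int(val, 16) for name, val in pairs}


def from_input(value, pattern=PATTERN):
    """If a register value, read as little-endian memory bytes, is a slice
    of the repeated pattern (optionally followed by the string's
    terminating NUL bytes), return that slice as text; otherwise None."""
    body = value.to_bytes(4, "little").rstrip(b"\x00")
    # Require at least one full pattern length to avoid chance matches.
    if len(body) < len(pattern):
        return None
    stream = pattern * 3  # long enough to contain every 4-byte rotation
    return body.decode("ascii") if body in stream else None


def tainted_registers(text):
    """Map register name -> request-derived text for registers holding input."""
    hits = {}
    for name, value in parse_registers(text).items():
        found = from_input(value)
        if found is not None:
            hits[name] = found
    return hits


if __name__ == "__main__":
    for reg, data in tainted_registers(ABEND).items():
        print(f"{reg}: {data!r}")
```

EBX, ESI, EBP and EIP all decode to rotations of "~A/", and EIP ends in the string's NUL terminator, which matches the advisory's statement that the saved return address was overwritten by the directory argument.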

References:

https://bugzilla.novell.com/show_bug.cgi?id=569496
http://www.vupen.com/english/advisories/2010/0742
http://www.securityfocus.com/bid/39041
http://www.securityfocus.com/archive/1/archive/1/510353/100/0/threaded
http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=12&Itemid=12
http://www.novell.com/support/viewContent.do?externalId=3238588&sliceId=1
http://securitytracker.com/id?1023768
http://secunia.com/advisories/39151

