Cluestick Advisory #001 June 27, the year of our Lord 2002 Surreal "Unauthenticated remote hyper-annoying denial of service with a side of server reboot, using IManage. Netware 6.0 and NW6 SP1." OK, I may possibly ramble a bit, but is that any reason to SHUN a body? It's been 30 to 45 days, and I've yet to hear a peep from anyone out there in FedUpWithVendorLand. It can't be my breath; I'm all, like, minty fresh. Oh cripes! - I had my chronometer set to "ISS Time". That's approximately "6.21 * DogYears" by your Earth reckoning, or "a couple of hours" in the common tongue. "Live fast, burn your bridges, make a ton o' cash", that's the life fer me, mateys! But let's just TURN DOWN those gilacopters for a moment and take a deep, calming breath. Here we go. Before y'all bring it up, I _know_ I was supposedly covering a Netware 5.1 & 6 "issue". What am I though, the freakin' Alexis D. Tokeblaster Thinktank? Nope; just an annoyed geek with poor organizational skills. Today's offering is a NW6 DoS cuz I've yet to misplace those notes. You try to cope, I'll try to be more perfect next time. OW, ow, owww - Make Him Stop! I can just hear it! Don't panic, dude. Just unload IManage until Novell gets it unwedged. It won't kill you to go "old fashioned" for awhile. Novell cares, they won't leave you hangin. << Just in case, one of you $$$-types might wanna pony up the $300.00 though, huh? Hey, I wonder if you get your money back if it's not a *new* bug? Feeling... lucky? >> OK, for real. This is *so* lame I was sure that it'd be fixed in SP1. (Is Novell hiring away MS Coding Talent? Inquiring minds suspect it) <sigh> Here goes: Fire up your World Wide Web Browser <*snort*> and aim it at IManage. Enter 256 * 'A' in the username field and anything in the remaining fields. Send it. This simple DoS will unload IManage and yield a pagefault in java. To wit: java: Page fault processor exception occurred while executing class org.apache.tomcat.startup.Main The exception occurred while executing code in: JVM.NLM (d1dfb000) The exception occurred while running thread: Java_221 Thread-1 (CB36C460) java: Class org.apache.tomcat.startup.Main exited with status -5 Reboot the server and you can play again! This time we're a gonna get us some stack! Username field, 256*'A' +BBBBBCCCCC etc. gives stack dump of: 44 00 44 00 44 00 45 00 45 00 45 00 45 00 45 00... Kewl. Let's try the same lame stunt with "Context": and the stack is all, like: 43 00 43 00 43 00 43 00 43 00 44 00 44 00 44 00... But, golly, can't we stuff things into stack and not get that goony Unicode treatment? Yeah, since you asked so nice: 297*'A'+... stuffed into "tree" and you might tend to see a stack like: 49 49 49 49 4A 4A 4A 4A 4A 4B 4B 4B 4B 4B 4C 4C... "Boooring!" "Put it out of it's misery!" Why not? "context", 600 * 'A' result: Abend on P00: Page fault... Running process: Java_222 Thread-1 Process Stack: 41 00 41 00 41 00 etc. (select X to update ABEND log and exit) That's gotta be enough joy to spread for now. Greetz to all the dogs and kitties, wherever they may be, and a shout to those RevCo boys and The Reg, and snears to the gready mofos at Worldcom. P.S. For those who glossed over CS 000, this ignorant crap will cease when I can send an advisory to Novell and not have 'em say "please bend over first". Surreal -- cluestickat_private Yes, there's more of this stuff in the pipeline. Sit tight. // Communicate in total privacy. Get your free encrypted email at https://www.hushmail.com/?l=2 Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople
This archive was generated by hypermail 2b30 : Fri Jun 28 2002 - 21:16:08 PDT