Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Novell BorderManager 3.5 Remote Slow Death
From: knovak () NEOHAPSIS COM (Kevin Novak)
Date: Mon, 21 Feb 2000 14:52:33 -0600

On Fri Feb 11 2000 Puchatek (puchatek () LAMERS PL) wrote:

I've just tested this on NW 5.0 with sp4a and BM 3.5 sp1. Conection to
port 2000 is refused and server doesnt give Short Term MAlloc errors.
IMHO sp4a patched this error...

After playing around with this beast for about a week, this is NOT as
simple as it appears.  We checked out BM 3.5 sp1 and there are still
issues, but we'll get into that.  We wanted to clear a few things up (why
doesn't someone from Novell post about this?!?!?!):

First, our test environment:

NetWare 5.0
NetWare 5.0 SP4a
Novell Border Manager 3.0
Novell Border Manager 3.0 SP 2
CSATPXY2.EXE  **it appears you need this to really put this issue to

We *think* NetWare 5.1 cleans this up - we're testing that now.


Short version: Port 2000 is used by CSATPXY, which as we understand it is
used by the DNS/DHCP management console to view the audit logs.  If you
telnet to port 2000 and/or pump a lot of garbage to it, the server
eventually pukes.  Odd, but whatever...

(An official Novell explanation for what CSATPXY.NLM actually does is
documented in Novell TID# 2953101.  This document explains why the port is
left in a listen state, and explains how to have the NLM listen on another
port, however, all attempts to assign to a different port on my test
server failed; it always resorted to port 2000.)

Ok, so put to put this thing to rest you have to:

-apply NetWare 5.0 SP4a
-apply Border Manager patch (in our case 3.0 SP 2, for 3.5 it's SP 1)
-apply CSATPXY2.EXE (Novell TID 2955744)

-and for those that really want to be safe: go in, blow away the default
filter rule sets (use filtcfg) and blow away any rules allowing external
access to port 2000.  *THIS IS ENABLED BY DEFAULT* IOHO, this is the
safest bet because lord know what other unknown goodies Novell provides
with this CSTPXY thing.

(Dumb question? - Why is this enabled on the outside of the firewall by


Long version:

Tests Performed:

Patches Not Applied

Installed Novell 5.0 with no other products and opened a Telnet session
over port 2000 (for some real fun "telnet 19 | nc <target IP>
2000")  we received the following response:

Where xxx.xxx.xxx.xxx is our Novell Server

[pottedmeat@ foodproducts]$ telnet xxx.xxx.xxx.xxx
Trying xxx.xxx.xxx.xxx...
Unable to connect to remote host: Connection refused.

Installed Border Manager 3.0, filtering all traffic, in and out.  Tested
ping in and out to verify filter, all seemed blocked.  Opened a Telnet
session over port 2000, received the following response:

[pottedmeat@ foodproducts]$ telnet xxx.xxx.xxx.xxx 2000
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.

After you have enterred a few lines, the server starts to have problems:

 1-27-2000 9:34:47 am: SERVER-5.0-830 [nmID=2000A] >
 Short Term Memory Allocator is out of Memory.
1 attempts to get more memory failed.

This will continue indefinitely until the server is restarted.  After
about 10 minutes the number of attempts had equated to about 147000000.
This in effect held the server processor utilization at about 58%-60%.
(Pentium Pro 200Mhz with 128MB RAM).

Note:  Non-Default fully restrictive Border Manager filters *WERE* in
place at this time.

Patches Applied

Applied NetWare 5.0 Service Pack 4a and tested with the same results.
Applied Border Manager 3.0 Service Pack 2.0 and tested once again, with
the same results.

These patches brought the CSATPXY.NLM to the following date and time.

CSATPXY.NLM         13869     12-9-1998      5:56:54 am


Per Novell TID 2955744 this issue has been resolved.  This document
contains link to file csatpxy2.exe

"Update to resolve a potential abend issue with CSATPXY.NLM and it's port
2000 listener. This is applicable for BorderManager 3.0, 3.5 and DNS/DHCP
services and runs on NetWare 4.11 through 5.x. This is the CSATPXY.NLM
that was released in NetWare 5.1.

Download this file and follow the instructions below.

Installation Instructions
1. Extract this file to a temporary directory.
2. Rename the CSATPXY.NLM which exists in SYS:SYSTEM.
3. Copy the new CSATPXY.NLM from the temporary directory, to SYS:SYSTEM.
4. Restart the server

If a connection is made to port 2000, where CSATPXY.NLM is listening, and
improper data is entered, CSATPXY may attempt to allocate a large amount
of RAM, eventually causing the server to crash. This version of
CSATPXY.NLM will now only allow 100K to be allocated at a time.
It is also recommended that, if Packet Filtering is running on your
server, you modify the filters to not allow connections to port 2000 on
your public interface. "

Once this file had been patched, we were no longer able to break through
the Border Manager's port filter (the firewall actually did it's job), as
well, if I tried to Telnet to this port from internal (also could be
filtered through firewall) I received the following message:

[pottedmeat@ foodproducts]$ telnet xxx.xxx.xxx.xxx 2000
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.

<typed in a bunch of garbage>

Connection closed by foreign host.

At this time, the server console would report the error as follows:

Invalid Reply Data Length-##########.  Connection closed.

In short, without this Update you are not only exposed internally, but
externally as well.

For completeness, I verified that this file was indeed the same as rolled
out in the NetWare 5.1 distribution, and as stated by Novell it was.

Other Relevent Documents:
DNSDHCP Audit/Event logs will not run.--------TID#2942493
        Relevent if instead of patching the CSATPXY.NLM you unload it!

CSATPXY.NLM abends the server.
        References new CSATPXY.NLM file

Hope this helps,

Kevin Novak

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]