Full Disclosure mailing list archives
Re: ZDI-06-035: Novell eDirectory NDS Server Host Header Buffer Overflow Vulnerability
From: "Matt Richard" <matt.richard () gmail com>
Date: Mon, 30 Oct 2006 14:00:58 -0500
Manuel,
the vulnerability details have been submitted by me on June 1, 2006 CST/CDT (June 2, 2006 GMT+1). So I've found the vulnerability before Michael Ligh and Ryan Smith did it.
Please accept my apologies for the insinuation that you may have personally tried to steal another researchers work. As you demonstrated this is clearly not the case.
Anyway, it doesn't matter if the IDS signature got released on, before or after the patch day,
On October 20th details of the vulnerability and a road map to exploit it were publicly released. Every vulnerable version that could not be patched quickly was at risk of remote root. It's difficult to accept that this "doesn't matter" to Novell shops with Tipping Point.
TippingPoint IPS should detect or filter shellcodes and return addresses within the host header without any special IDS signature. For example, you can filter all illegal characters from the host header and convert everything to lowercase characters. Or better: convert the domain name in the host header to a random mixture of lowercase and uppercase characters and redirect this to the destination server, this should f*** up every kind of ASCII shellcode and ASCII return address. ;-)
Your reasoning is very good and would certainly mitigate this vulnerability. The unfortunate part of the problem is that this is not what any of the IPS vendors are doing. In most cases performance trumps security and anything as CPU intensive as your suggestion isn't implemented.
Maybe should you better take some minutes time and think about the fact that we humans aren't perfect and make mistakes, instead of wasting your time with trying to destroy the image of a company. The employees of such companies have to do a lot of work with all the submissions that they receive and I also know other security companies that sometimes broke down because of this and did multiple mistakes during payment and processing.
So we should just hope that they have the time to live up to their promises?
From the ZDI FAQ:
"3Com's goal for the Zero Day Initiative is to provide our customers with the world's best intrusion prevention systems and secure converged networking infrastructure. In order to accomplish our goal, we require access to the best and most timely security intelligence available. " 3Com had access to this data for over 4 months and failed to produce protections until 6 days after someone else released the work. This shows that their process for taking in new vulnerabilities and using them to proactively protect has failed in this case. This may be 1 exception out of hundreds of successes. BTW it is a bit odd that the CVE posting also cites mnin.org http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5478 Cheers, Matt _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- ZDI-06-035: Novell eDirectory NDS Server Host Header Buffer Overflow Vulnerability zdi-disclosures (Oct 27)
- Re: ZDI-06-035: Novell eDirectory NDS Server Host Header Buffer Overflow Vulnerability Matt Richard (Oct 27)
- Re: ZDI-06-035: Novell eDirectory NDS Server Host Header Buffer Overflow Vulnerability FistFuXXer (Oct 28)
- Message not available
- Re: ZDI-06-035: Novell eDirectory NDS Server Host Header Buffer Overflow Vulnerability Matt Richard (Oct 30)
- Re: ZDI-06-035: Novell eDirectory NDS Server Host Header Buffer Overflow Vulnerability Matt Richard (Oct 27)