Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Win95/98 and Novell client DoS

From: mrichich () DREW EDU (Mike Richichi)
Date: Fri, 8 Oct 1999 20:12:32 -0400

Bruce Dennison wrote:


FYI,

Perhaps this has been reported.  I havent seen it.  If it has been
previously reported, sorry.  Consider this a reminder.

Novell client opens port 427 TCP.  My services file reports this port to be
known as 'svrloc'.  You can bluescreen Win95/98 with Novell Client versions
3.0 and 3.0.1 by sending a SYN to this port, as you would with 'nmap -sS -p
427 <target>'.  This is quite fatal.  The only recovery seems to be a power
reset.

I am not the workstation, LAN or Novell person in my shop.  Its not my
problem to deal with even though I found it.  I can not test this any
further.  The only way I have found to stop it is to remove the Novell
Client from my machine.  Can someone confirm this?  Does anyone have any
more or better information on this?



This does not happen in the 3.1 version of the Novell Client, and it's
subsequent service packs (there are 2.)  Anyone using the 3.0.x Novell
clients deserves what they get :-).  Seriously, this apparently has been
fixed, intentionally or not, and the 3.1 client is much more stable in
general than 3.0.x.   The 3.1 client still opens a listener on 427, and
srvloc is the Service Location Protocol that NetWare 5 uses to locate
fileservers and such over IP as opposed to IPX.  I'm pretty sure the
listener goes away if you install the client with IPX only support.  I'm
however not sure how it gets used at all, since the client usually sends
SLP requests from a port > 1024.

--Mike

--------------------
Mike Richichi
Assistant Director of Academic Technology, Drew University
mailto:mrichich () drew edu,  http://www.users.drew.edu/~mrichich/
Previous By Date Next
Previous By Thread Next

Current thread: