Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

iXsecurity.20020313.nw6remotemanager.a

From: "Patrik Karlsson" <Patrik.Karlsson () ixsecurity com>
Date: Tue, 2 Apr 2002 10:19:28 +0200
iXsecurity Security Vulnerability Report
No: iXsecurity.20020313.nw6remotemanager.a
==========================================

Vulnerability Summary
---------------------
Problem:                The Netware 6 Remote Manager, which is a
                        web-based interface for managing the
                        server, has a buffer overflow condition.

Threat:                 An attacker could cause the HTTPSTK.NLM
                        or SERVER.NLM to ABEND, or possibly execute
                        arbitrary code.

Affected Software:      Netware 6 Remote Manager.

Platform:               Netware 6 and Netware 6 SP1.

Solution:               Install the patch for Netware 6 Remote
                        manager, whenever Novell decide to publish
                        it, or disable the NLM.

Vulnerability Description
-------------------------
The Netware 6 Remote Manager listens to port 8009 by default and is
to be accessed using a SSL capable webbrowser. The NLM handling this
is the HTTPSTK.NLM. The buffer overflow condition occures when the
basic authentication fields are supplied with a long username or
password. Depending on the length of the username and/or password
supplied, there server will ABEND in either the SERVER.NLM or the
HTTPSTK.NLM. The first condition occurs when the server is trying to
free memory which has been overwritten by the username. Eg. The
server is trying to free 0x00000041, when the buffer has been
filled with 595 'A's. This abend occurs in the SERVER.NLM.
The second condition is within the HTTPSTK.NLM itself and occurs
in a CMP where the EAX register contains 0x41414141. It is triggered
by 626 characters. Supplying even more characters > 1565 the browser
will respond with document contains no data, however the server will
not ABEND. We have not dug deeper in to the conditions to see if they
are exploitable or not.


Additional Information
----------------------
Novell was contacted 20020314, however they decided not to reply.

This vulnerability was found by
Patrik Karlsson & Jonas Ländin
patrik.karlsson () ixsecurity com
jonas.landin () ixsecurity com
Previous By Date Next
Previous By Thread Next

Current thread: