Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:23487
HistoryMar 31, 2010 - 12:00 a.m.

{PRL} Novell Netware FTP Remote Stack Overflow

2010-03-3100:00:00
vulners.com
15

#####################################################################################

Application: Novell Netware FTP Remote Stack Overflow

Platforms: Novell Netware 6.5 SP8

Exploitation: Remote Code Execution

CVE Number: CVE-2010-0625

Novell TID: 3238588

Discover Date: 2009-07-23

Author: Francis Provencher (Protek Research Lab's)

Blog: http://www.protekresearchlab.com/

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) The Code

#####################################################################################

===============
1) Introduction

Novell, Inc. is a global software and services company based in
Waltham, Massachusetts. The company specializes in enterprise
operating systems, such as SUSE

Linux Enterprise and Novell NetWare; identity, security, and systems
management solutions; and collaboration solutions, such as Novell
Groupwise and Novell

Pulse.

Novell was instrumental in making the Utah Valley a focus for
technology and software development. Novell technology contributed to
the emergence of local

area networks, which displaced the dominant mainframe computing model
and changed computing worldwide. Today, a primary focus of the company
is on developing

open source software for enterprise clients.

(http://en.wikipedia.org/wiki/Novell)

#####################################################################################

============================
2) Report Timeline

2010-01-25 Vendor Contact
2010-01-26 Vendor repsonse
2010-03-26 Coordinate release of this advisory

#####################################################################################

============================
3) Technical details

It's possible to overflow the stack and rewrite the EIP by sending a
mkdir and a rmdir request with these special caracters "~A/" 320 time.

The nlm version;

NWFTPD.nlm
Netware FTP Server
Version 5.09.03 October 14 2008

The register;

Abend 1 on P00: Server-5.70.08: Page Fault Processor Exception (Error
code 00000000)
Registers:
CS = 0008 DS = 0023 ES = 0023 FS = 0023 GS = 0023 SS = 0010
EAX = 00000238 EBX = 7E2F417E ECX = 55AA08D4 EDX = 00000001
ESI = 2F417E2F EDI = 429980C0 EBP = 417E2F41 ESP = A94A9FA4
EIP = 007E2F41 FLAGS = 00010282
Address (0x007E2F41) exceeds valid memory limit
EIP in UNKNOWN memory area
Access Location: 0x007E2F41

#####################################################################################

===========
4) The Code

This issue can be trigger manually

#####################################################################################
(PRL-2010-03)