COMMAND
Navision Financials
SYSTEMS AFFECTED
Navision Financials Server v2.50, 2.60
PROBLEM
The following is based on Defcom Labs Advisory def-2001-17 by Peter
Grundl. The Navision Financials Server contains a flaw that
allows an attacker to crash the service.
Sending a null character followed by approx. 30k of A's to TCP
port 2407 causes a buffer overflow and terminates the process
(SERVER.EXE). The overflow does not appear to be exploitable.
A smaller amount can also be used, and will silently kill the
process. This requires approx. 10 connections starting with a
null character, followed by 100+ characters.
According to David Hayes, another reason to limit access to port
2407 on your Navision servers is that the server limits
connections to however many licensed sessions you own, and a
connection with no username/password counts against this limit.
Thus, a simple DoS involves merely firing up the Navision
Financials client numerous times, and doing FILE -> SERVER ->
CONNECT -> YourNavisionServer on each client instance. (Or, if
your shortcut specifies the name of the server in it, you merely
have to accidentally fire off this shortcut several times. This
is what users often do.) This will quickly run you out of licenses,
and legitimate users will be locked out with a 'no licenses
available' message.
This DoS works (far too regularly...) on version 2.0 of the AIX
version of Navision Financials. This version is sorta old, and
we don't know if newer versions behave the same.
SOLUTION
Disallow access to TCP port 2407 from untrusted systems, and
contact Navision-Damgaard Support to obtain the patch for this
problem:
http://www.navision.com/com/view.asp?documentID=258
The issue was brought to the vendor's attention on the 21st of
December, 2000. A patch was created by the vendor on the 5th of
March, 2001.
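
A monitoring check for the two conditions described above, written as an added example (not part of the original advisory or any Navision tooling): it flags connections to TCP port 2407 from outside the trusted networks and records when open sessions reach the licensed count. The log format, the addresses, the license count and the per-source limit are all constructed assumptions.

```python
import ipaddress
from collections import Counter

NAVISION_PORT = 2407  # TCP port named in the advisory

# Constructed sample connection log (hypothetical format):
# "time src_ip dst_port event"
SAMPLE_LOG = """\
09:00:01 10.1.1.20 2407 open
09:00:02 10.1.1.21 2407 open
09:00:05 10.1.1.20 2407 open
09:00:06 10.1.1.20 2407 open
09:00:07 203.0.113.9 2407 open
09:00:09 10.1.1.21 2407 close
09:00:10 10.1.1.20 2407 open
09:00:11 10.1.1.22 80 open
"""

def audit(log_text, trusted_cidrs, licensed_sessions, per_source_limit):
    """Return untrusted sources, sources holding more sessions than the
    per-source limit, and times when open sessions hit the licensed count."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    open_by_src = Counter()
    untrusted, noisy, exhausted_at = set(), set(), []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != str(NAVISION_PORT):
            continue  # malformed line or a different service
        when, src, _, event = parts
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in trusted):
            untrusted.add(src)  # should have been blocked at the firewall
        if event == "open":
            open_by_src[src] += 1
        elif event == "close" and open_by_src[src] > 0:
            open_by_src[src] -= 1
        if open_by_src[src] > per_source_limit:
            noisy.add(src)  # one host holding many sessions
        # Every open connection counts against the license pool,
        # whether or not a username/password was ever supplied.
        if event == "open" and sum(open_by_src.values()) >= licensed_sessions:
            exhausted_at.append(when)
    return {"untrusted": untrusted, "noisy": noisy, "exhausted_at": exhausted_at}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, ["10.1.1.0/24"], licensed_sessions=5, per_source_limit=2))
```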