exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

novell-stackoverflow.txt

novell-stackoverflow.txt
Posted May 9, 2008
Authored by laurent gaffie

Novell Client versions 4.91 SP4 and below suffer from a local stack overflow vulnerability.

tags | advisory, overflow, local
SHA-256 | 0b94490a39176cad3cbe223bd377faf018f0fa52d93312a7bb2ef9b00caa4e9f

novell-stackoverflow.txt

Change Mirror Download
Application: Novell Client <= 4.91 SP4

Web Site: http://www.novell.com/products/clients/

Platform: Windows

Bug: Local Stack overflow / B.S.O.D (unauthentificated user)

Impact: Critical
-------------------------------------------------------

1) Introduction

2) Bug

3) Proof of concept

4) Credits

===========

1) Introduction

===========

"Novell Client™ 4.91 for Windows XP is workstation software that brings an easy-to-use, secure,
and manageable networking environment to Windows XP and Windows 2003 users.
It enables you to access NetWare® services from Windows XP workstations or 2003 Windows servers,
and tightly integrates either product into your NetWare network. For example,
with Novell Client for Windows XP, you can browse through authorized NetWare directories,
transfer files, print documents and use advanced NetWare services directly from a Windows XP workstation or Windows Server 2003."


======

2) Bug

======

There's a funny bug in novell client, a while ago a stack based overflow was present in the username field.
this as been patched, but i guess not properlly.

You have a username field limited to 255 chars, but when you fill up this field , and press login button
it tells you "not loggued in".
If you click on the "forgot passwd" link, it will popup a little windows with your username supplied printed,
stack based overflow occurs here, Allowing code execution .


=====

3)Proof of concept

=====

When you boot the machine,you'll be firstly prompted for your Novell login.
If you fill up username with 254's B ==> click login ==> forgotten password ==> B.S.O.D

If the workstation is allready loggued in:
novell ==> login Novell ==> 254's A ==> click login ==> forgotten password ==> Result:

Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=00000111 ecx=00000001 edx=00000000 esi=00997980 edi=00997980
eip=73d22054 esp=00dff278 ebp=00dff200 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206

MFC42!Ordinal5163+0x492:
73d22054 8908 mov dword ptr [eax],ecx ds:0023:41414141=????????




=================

5)Credits

================

laurent gaffiƩ
laurent.gaffie[at]gmail[dot]com
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close