#####################################################################################

Application:   Novell Netware FTP Remote Stack Overflow

Platforms:   Novell Netware 6.5 SP8

Exploitation:   Remote Code Execution

CVE Number:   CVE-2010-0625

Novell TID:   3238588

Discover Date:   2009-07-23

Author:   Francis Provencher (Protek Research Lab's)

Blog:   http://www.protekresearchlab.com/


#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) The Code


#####################################################################################

===============
1) Introduction
===============

Novell, Inc. is a global software and services company based in
Waltham, Massachusetts. The company specializes in enterprise
operating systems, such as SUSE

Linux Enterprise and Novell NetWare; identity, security, and systems
management solutions; and collaboration solutions, such as Novell
Groupwise and Novell

Pulse.

Novell was instrumental in making the Utah Valley a focus for
technology and software development. Novell technology contributed to
the emergence of local

area networks, which displaced the dominant mainframe computing model
and changed computing worldwide. Today, a primary focus of the company
is on developing

open source software for enterprise clients.

(http://en.wikipedia.org/wiki/Novell)

#####################################################################################

============================
2) Report Timeline
============================

2010-01-25 Vendor Contact
2010-01-26 Vendor repsonse
2010-03-26 Coordinate release of this advisory

#####################################################################################

============================
3) Technical details
============================

It's possible to overflow the stack and rewrite the EIP by sending a
mkdir and a rmdir request with these special caracters "~A/" 320 time.


The nlm version;

NWFTPD.nlm
Netware FTP Server
Version 5.09.03 October 14 2008


The register;

Abend 1 on P00: Server-5.70.08: Page Fault Processor Exception (Error
code 00000000)
Registers:
    CS = 0008 DS = 0023 ES = 0023 FS = 0023 GS = 0023 SS = 0010
    EAX = 00000238 EBX = 7E2F417E ECX = 55AA08D4 EDX = 00000001
    ESI = 2F417E2F EDI = 429980C0 EBP = 417E2F41 ESP = A94A9FA4
    EIP = 007E2F41 FLAGS = 00010282
    Address (0x007E2F41) exceeds valid memory limit
    EIP in UNKNOWN memory area
    Access Location: 0x007E2F41

#####################################################################################

===========
4) The Code
===========

This issue can be trigger manually


#####################################################################################
(PRL-2010-03)