SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   Novell Client Vendors:   Novell
Novell Client Buffer Overflow Lets Physically Local User Execute Arbitrary Code
SecurityTracker Alert ID:  1020020
SecurityTracker URL:  http://securitytracker.com/id/1020020
CVE Reference:   CVE-2008-2145   (Links to External Site)
Date:  May 14 2008
Impact:   Denial of service via local system, Execution of arbitrary code via local system, User access via local system

Version(s): 4.91 SP4 and prior service packs
Description:   A vulnerability was reported in Novell Client. A physically local user can obtain privileges on the target system. A physically local user can cause denial of service conditions.

A physically local user can supply a specially crafted username value, attempt to login, and then click the "forgot password" link to trigger a buffer overflow and execute arbitrary code on the target system.

A physically local user can also supply a specially crafted username value to cause the target system to crash.

Laurent Gaffie reported this vulnerability.

Impact:   A physically local user can obtain privileges on the target system.

A physically local user can cause the target system to crash.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.novell.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Windows (2003), Windows (XP)

Message History:   None.


 Source Message Contents

Date:  Thu May 08 2008 - 08:13:46 CDT
Subject:  Novell Client <= 4.91 SP4 Local Stack overflow / B.S.O.D (unauthentificated user)

Application: Novell Client <= 4.91 SP4

Web Site: http://www.novell.com/products/clients/

Platform: Windows

Bug: Local Stack overflow / B.S.O.D (unauthentificated user)

Impact: Critical
-------------------------------------------------------

1) Introduction

2) Bug

3) Proof of concept

4) Credits

===========

1) Introduction

===========

"Novell Client™ 4.91 for Windows XP is workstation software that brings an easy-to-use, secure,
and manageable networking environment to Windows XP and Windows 2003 users.
It enables you to access NetWare® services from Windows XP workstations or 2003 Windows servers,
and tightly integrates either product into your NetWare network. For example,
with Novell Client for Windows XP, you can browse through authorized NetWare directories,
transfer files, print documents and use advanced NetWare services directly from a Windows XP workstation or Windows Server 2003."

======

2) Bug

======

There's a funny bug in novell client, a while ago a stack based overflow was present in the username field.
this as been patched, but i guess not properlly.

You have a username field limited to 255 chars, but when you fill up this field , and press login button
it tells you "not loggued in".
If you click on the "forgot passwd" link, it will popup a little windows with your username supplied printed,
stack based overflow occurs here, Allowing code execution .

=====

3)Proof of concept

=====

When you boot the machine,you'll be firstly prompted for your Novell login.
If you fill up username with 254's B ==> click login ==> forgotten password ==> B.S.O.D

If the workstation is allready loggued in:
novell ==> login Novell ==> 254's A ==> click login ==> forgotten password ==> Result:

Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=00000111 ecx=00000001 edx=00000000 esi=00997980 edi=00997980
eip=73d22054 esp=00dff278 ebp=00dff200 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206

MFC42!Ordinal5163+0x492:
73d22054 8908 mov dword ptr [eax],ecx ds:0023:41414141=????????

=================

5)Credits

================

laurent gaffié
laurent.gaffie[at]gmail[dot]com 
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC