Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.EDIRECTORY_88SP5_PATCH3.NASL
HistoryMar 01, 2010 - 12:00 a.m.

Novell eDirectory < 8.8 SP5 Patch 3 eMBox SOAP Request DoS

2010-03-0100:00:00
This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
www.tenable.com
6

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.03 Low

EPSS

Percentile

91.0%

JSON

The remote host is running eDirectory, a directory service software from Novell.

The eMBox service included with the installed version of eDirectory is affected by a denial of service vulnerability.

By sending a specially crafted HTTP SOAP request, it may be possible for a remote attacker to crash the remote service.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(44938);
  script_version("1.11");
  script_cvs_date("Date: 2018/11/15 20:50:23");
  
  script_cve_id("CVE-2010-0666");
  script_bugtraq_id(38157);
  script_xref(name:"Secunia", value:"38491");

  script_name(english:"Novell eDirectory < 8.8 SP5 Patch 3 eMBox SOAP Request DoS");
  script_summary(english:"Checks version of eDirectory from an ldap search");
 
  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a denial of service
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is running eDirectory, a directory service software
from Novell.

The eMBox service included with the installed version of eDirectory is
affected by a denial of service vulnerability.  

By sending a specially crafted HTTP SOAP request, it may be possible
for a remote attacker to crash the remote service.");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-024/");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/509814/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=548503");
  script_set_attribute(attribute:"see_also", value:"https://support.microfocus.com/kb/doc.php?id=3426981");
  script_set_attribute(attribute:"solution", value:"Upgrade to eDirectory 8.8 SP5 Patch 3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date"  , value:"2010/02/11");
  script_set_attribute(attribute:"patch_publication_date" , value:"2010/02/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/03/01");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:novell:edirectory");
  script_end_attributes();
 
  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
  script_dependencies("ldap_search.nasl", "http_version.nasl");
  script_require_ports("Services/ldap", 389, "Services/www", 8028, 8030);

  exit(0);
}

include("global_settings.inc");
include("http.inc");
include("misc_func.inc");

ldap_port = get_service(svc:"ldap", default:389, exit_on_fail:TRUE);
if (!get_port_state(ldap_port)) exit(0,"Port "+ ldap_port + " is not open.");

edir_ldap = get_kb_item("LDAP/" + ldap_port + "/vendorVersion");
if (isnull(edir_ldap))
  exit(1,"The 'LDAP/"+ldap_port+"/vendorVersion' KB item is missing.");

if("Novell eDirectory" >< edir_ldap)
{
  edir_product = strstr(edir_ldap,"Novell eDirectory");
  edir_product = edir_product - strstr(edir_product , "(");
}
else
  exit(0,"The remote directory service on port " + ldap_port + " does not appear to be from Novell.");

http_port = NULL;
if (report_paranoia < 2)
{
  found = 0;
  ports = add_port_in_list(list:get_kb_list("Services/www"), port:8028);
  ports = add_port_in_list(list:ports, port:8030);

  foreach port (ports)
  {
    banner = get_http_banner (port:port);
    if(!isnull(banner))
    {
      if (egrep(pattern:"Server: .*HttpStk/[0-9]+\.[0-9]+", string:banner))
      {
       # If we are looking at a banner from Novell eDirectory, send a 
       # POST request to see if eMBox service is running.

        postdata = '<?xml version="1.0"?>' + '\n' +
                   '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'+ '\n' +
                   '<SOAP-ENV:Header/><SOAP-ENV:Body><dispatch><Action>novell.embox.connmgr.serverinfo</Action>' +
                   '<Object/><Parameters/></dispatch></SOAP-ENV:Body></SOAP-ENV:Envelope>' + '\n';

        res = http_send_recv3(method: 'POST', 
                              item:  '/SOAP', 
                              data: postdata, 
                              port: port,
                              add_headers: make_array( 
                                'Content-Type', 'text/xml',
                                'SOAPAction', '"/novell.embox.connmgr.serverinfo"'));

        if (isnull(res))  exit(1, "The web server on port "+port+" failed to respond.");

        # if the service is running, we should see the SOAPAction in response. 
        if("novell.embox.connmgr.serverinfo" >< res[2])
        {
          http_port = port;
          found = 1;
          break;
        }
      }
    }
  }
  if(!found) exit(0, "Novell eDirectory eMBox service is not running on the remote host.");
}
if(isnull(http_port)) http_port = 0;

info = NULL;

# LDAP Agent for Novell eDirectory 8.8 SP5 (20219.14)
# LDAP Agent for Novell eDirectory 8.8 SP5 (20503.09) # patched
 
if ( ereg(pattern:"^LDAP Agent for Novell eDirectory ([0-7]\.|8.[0-7]([^0-9]|$))",string:edir_ldap)  	      ||
     ereg(pattern:"^LDAP Agent for Novell eDirectory 8.8 *SP[1-4] *\(([0-9]+)\.([0-9]+)\)$",string:edir_ldap) ||
     ereg(pattern:"^LDAP Agent for Novell eDirectory 8.8 *\(([0-9]+)\.([0-9]+)\)$",string:edir_ldap)
   )
   info = " " + edir_product + " is installed on the remote host." + '\n';	                

else if (ereg(pattern:"LDAP Agent for Novell eDirectory 8.8 SP5",string:edir_ldap))
{
  build = NULL;
  matches = eregmatch(pattern:"^LDAP Agent for Novell eDirectory 8.8 *SP5 *\(([0-9]+)\.([0-9]+)\)$",string:edir_ldap);
  if(matches)
    build = matches[1];

  if(isnull(build) || int(build) < 20503)
    info = " " + edir_product + " is installed on the remote host." + '\n';
}
else
 exit(1, "Unknown Novell eDirectory version '"+ edir_ldap + "' on port " + ldap_port + ".");

if(!isnull(info))
{
  if (report_verbosity > 0)
  {
    report = '\n' + info ;
    security_warning(port:http_port, extra:report);
  }
  else security_warning(http_port);

  exit(0);
}
else exit(0, edir_product + " is listening on port " + ldap_port + " and is not affected." );
VendorProductVersionCPE
novelledirectorycpe:/a:novell:edirectory

Related

openvas 1
zdi 1
cve 1
nvd 1
prion 1
cvelist 1
openvas
openvas
Novell eDirectory eMBox SOAP Request Denial Of Service Vulnerability
2010-02-10 00:00:00
zdi
zdi
Novell eDirectory SOAP Request Parsing Denial of Service Vulnerability
2010-03-02 00:00:00
cve
cve
CVE-2010-0666
2022-10-03 16:21:12
nvd
nvd
CVE-2010-0666
2010-02-19 17:30:01
prion
prion
Design/Logic Flaw
2010-02-19 17:30:00
cvelist
cvelist
CVE-2010-0666
2022-10-03 16:21:12

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.03 Low

EPSS

Percentile

91.0%

JSON
Related for EDIRECTORY_88SP5_PATCH3.NASL
openvas1zdi1cve1nvd1prion1cvelist1