Lucene search

K
nessusThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.EDIRECTORY_88SP5_PATCH3.NASL
HistoryMar 01, 2010 - 12:00 a.m.

Novell eDirectory < 8.8 SP5 Patch 3 eMBox SOAP Request DoS

2010-03-0100:00:00
This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
www.tenable.com
6

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.03 Low

EPSS

Percentile

91.0%

The remote host is running eDirectory, a directory service software from Novell.

The eMBox service included with the installed version of eDirectory is affected by a denial of service vulnerability.

By sending a specially crafted HTTP SOAP request, it may be possible for a remote attacker to crash the remote service.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(44938);
  script_version("1.11");
  script_cvs_date("Date: 2018/11/15 20:50:23");
  
  script_cve_id("CVE-2010-0666");
  script_bugtraq_id(38157);
  script_xref(name:"Secunia", value:"38491");

  script_name(english:"Novell eDirectory < 8.8 SP5 Patch 3 eMBox SOAP Request DoS");
  script_summary(english:"Checks version of eDirectory from an ldap search");
 
  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a denial of service
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is running eDirectory, a directory service software
from Novell.

The eMBox service included with the installed version of eDirectory is
affected by a denial of service vulnerability.  

By sending a specially crafted HTTP SOAP request, it may be possible
for a remote attacker to crash the remote service.");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-10-024/");
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/509814/30/0/threaded");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=548503");
  script_set_attribute(attribute:"see_also", value:"https://support.microfocus.com/kb/doc.php?id=3426981");
  script_set_attribute(attribute:"solution", value:"Upgrade to eDirectory 8.8 SP5 Patch 3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date"  , value:"2010/02/11");
  script_set_attribute(attribute:"patch_publication_date" , value:"2010/02/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/03/01");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:novell:edirectory");
  script_end_attributes();
 
  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
  script_dependencies("ldap_search.nasl", "http_version.nasl");
  script_require_ports("Services/ldap", 389, "Services/www", 8028, 8030);

  exit(0);
}

include("global_settings.inc");
include("http.inc");
include("misc_func.inc");

ldap_port = get_service(svc:"ldap", default:389, exit_on_fail:TRUE);
if (!get_port_state(ldap_port)) exit(0,"Port "+ ldap_port + " is not open.");

edir_ldap = get_kb_item("LDAP/" + ldap_port + "/vendorVersion");
if (isnull(edir_ldap))
  exit(1,"The 'LDAP/"+ldap_port+"/vendorVersion' KB item is missing.");

if("Novell eDirectory" >< edir_ldap)
{
  edir_product = strstr(edir_ldap,"Novell eDirectory");
  edir_product = edir_product - strstr(edir_product , "(");
}
else
  exit(0,"The remote directory service on port " + ldap_port + " does not appear to be from Novell.");

http_port = NULL;
if (report_paranoia < 2)
{
  found = 0;
  ports = add_port_in_list(list:get_kb_list("Services/www"), port:8028);
  ports = add_port_in_list(list:ports, port:8030);

  foreach port (ports)
  {
    banner = get_http_banner (port:port);
    if(!isnull(banner))
    {
      if (egrep(pattern:"Server: .*HttpStk/[0-9]+\.[0-9]+", string:banner))
      {
       # If we are looking at a banner from Novell eDirectory, send a 
       # POST request to see if eMBox service is running.

        postdata = '<?xml version="1.0"?>' + '\n' +
                   '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'+ '\n' +
                   '<SOAP-ENV:Header/><SOAP-ENV:Body><dispatch><Action>novell.embox.connmgr.serverinfo</Action>' +
                   '<Object/><Parameters/></dispatch></SOAP-ENV:Body></SOAP-ENV:Envelope>' + '\n';

        res = http_send_recv3(method: 'POST', 
                              item:  '/SOAP', 
                              data: postdata, 
                              port: port,
                              add_headers: make_array( 
                                'Content-Type', 'text/xml',
                                'SOAPAction', '"/novell.embox.connmgr.serverinfo"'));

        if (isnull(res))  exit(1, "The web server on port "+port+" failed to respond.");

        # if the service is running, we should see the SOAPAction in response. 
        if("novell.embox.connmgr.serverinfo" >< res[2])
        {
          http_port = port;
          found = 1;
          break;
        }
      }
    }
  }
  if(!found) exit(0, "Novell eDirectory eMBox service is not running on the remote host.");
}
if(isnull(http_port)) http_port = 0;

info = NULL;

# LDAP Agent for Novell eDirectory 8.8 SP5 (20219.14)
# LDAP Agent for Novell eDirectory 8.8 SP5 (20503.09) # patched
 
if ( ereg(pattern:"^LDAP Agent for Novell eDirectory ([0-7]\.|8.[0-7]([^0-9]|$))",string:edir_ldap)  	      ||
     ereg(pattern:"^LDAP Agent for Novell eDirectory 8.8 *SP[1-4] *\(([0-9]+)\.([0-9]+)\)$",string:edir_ldap) ||
     ereg(pattern:"^LDAP Agent for Novell eDirectory 8.8 *\(([0-9]+)\.([0-9]+)\)$",string:edir_ldap)
   )
   info = " " + edir_product + " is installed on the remote host." + '\n';	                

else if (ereg(pattern:"LDAP Agent for Novell eDirectory 8.8 SP5",string:edir_ldap))
{
  build = NULL;
  matches = eregmatch(pattern:"^LDAP Agent for Novell eDirectory 8.8 *SP5 *\(([0-9]+)\.([0-9]+)\)$",string:edir_ldap);
  if(matches)
    build = matches[1];

  if(isnull(build) || int(build) < 20503)
    info = " " + edir_product + " is installed on the remote host." + '\n';
}
else
 exit(1, "Unknown Novell eDirectory version '"+ edir_ldap + "' on port " + ldap_port + ".");

if(!isnull(info))
{
  if (report_verbosity > 0)
  {
    report = '\n' + info ;
    security_warning(port:http_port, extra:report);
  }
  else security_warning(http_port);

  exit(0);
}
else exit(0, edir_product + " is listening on port " + ldap_port + " and is not affected." );
VendorProductVersionCPE
novelledirectorycpe:/a:novell:edirectory

5 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.03 Low

EPSS

Percentile

91.0%

Related for EDIRECTORY_88SP5_PATCH3.NASL