Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2006-2021 Tenable Network Security, Inc.EDIRECTORY_HOSTNAME_OVERFLOW.NASL
HistoryOct 23, 2006 - 12:00 a.m.

Novell eDirectory iMonitor HTTP Protocol Stack (httpstk) Host HTTP Header Remote Overflow

2006-10-2300:00:00
This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.
www.tenable.com
41

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.956 High

EPSS

Percentile

99.4%

JSON

The installed version of Novell eDirectory on the remote host reportedly contains a buffer overflow that can be triggered with a specially crafted Host request header. An anonymous remote attacker may be able to leverage this flaw to execute code on the affected host, generally with super-user privileges.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(22903);
  script_version("1.28");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2006-5478");
  script_bugtraq_id(20655);
  script_xref(name:"Secunia", value:"22519");

  script_name(english:"Novell eDirectory iMonitor HTTP Protocol Stack (httpstk) Host HTTP Header Remote Overflow");
  script_summary(english:"Send a special Host request header to eDirectory");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote web server is affected by a buffer overflow vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The installed version of Novell eDirectory on the remote host
reportedly contains a buffer overflow that can be triggered with a
specially crafted Host request header.  An anonymous remote attacker
may be able to leverage this flaw to execute code on the affected
host, generally with super-user privileges."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.mnin.org/advisories/2006_novell_httpstk.pdf"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://seclists.org/fulldisclosure/2006/Oct/433"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://download.novell.com/patch/finder/"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Apply the eDirectory Post 8.7.3.8 FTF1 / 8.8.1 FTF1 patch as
appropriate."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Novell eDirectory NDS Server Host Header Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_publication_date", value: "2006/10/23");
  script_set_attribute(attribute:"patch_publication_date", value: "2006/10/23");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/10/23");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:novell:edirectory");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_require_ports("Services/www", 8028);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:8028, embedded:TRUE);


# Make sure the server looks like eDirectory.
banner = get_http_banner (port:port);
if (!egrep(pattern:"Server: .*HttpStk/[0-9]+\.[0-9]+", string:banner))
  exit(0, "The web server on port "+port+" is not HttpStk.");


# Get the format of a normal host location

r = http_send_recv3(port:port, method:"GET", exit_on_fail: 1, item:"/nds",
  add_headers: make_array("Host", "nessus"), follow_redirect: 0);

res = egrep(pattern: "^Location: https?://nessus:[0-9]+/nds", string: r[1]);
if (res == NULL)
  exit (0, "Could not find redirection in response from port "+port+".");

# Create a special host location string

v = eregmatch(string: res, pattern:"^Location: (https?://)nessus:([0-9]+)/nds");
if (isnull(v)) exit(1, "Could not parse Location header from port "+port+".");
http = v[1]; sport = v[2];

magic = crap(data:"A", length:62 - strlen(http) - strlen(sport));
r = http_send_recv3(method:"GET", item:"/nds", port:port, exit_on_fail: 1,
  add_headers: make_array("Host", magic), follow_redirect: 0);

res = egrep(pattern:"^Location:", string:r[1]);
if (res == NULL)
  exit (1, "Could not find Location line from port "+port+".");
v = eregmatch(string: res, pattern:"^Location: *(https?://A+:[0-9]+/nds)");
if (isnull(v)) exit(1, "Could not parse Location header from port "+port+".");
s = v[1];
# Patched version should skip 1 character in the port number
if (strlen(s) == 67)
  security_hole(port);
VendorProductVersionCPE
novelledirectorycpe:/a:novell:edirectory

Related

canvas 2
securityvulns 2
zdi 2
packetstorm 1
openvas 1
cvelist 1
saint 4
nvd 1
cve 1
checkpoint_advisories 1
canvas
canvas
Immunity Canvas: EDIRECTORY_HTTP
2006-10-24 16:07:00
Immunity Canvas: NETMAIL
2006-10-24 20:07:00
securityvulns
securityvulns
ZDI-06-036: Novell Netmail User Authentication Buffer Overflow Vulnerability
2006-11-05 00:00:00
ZDI-06-035: Novell eDirectory NDS Server Host Header Buffer Overflow Vulnerability
2006-10-30 00:00:00
zdi
zdi
Novell Netmail User Authentication Buffer Overflow Vulnerability
2006-10-31 00:00:00
Novell eDirectory NDS Server Host Header Buffer Overflow Vulnerability
2006-10-26 00:00:00
packetstorm
packetstorm
Novell eDirectory NDS Server Host Header Overflow
2009-11-26 00:00:00
openvas
openvas
Novell eDirectory Multiple Stack Based Buffer Overflow Vulnerabilities
2012-10-08 00:00:00
cvelist
cvelist
CVE-2006-5478
2006-10-24 20:00:00
saint
saint
Novell eDirectory iMonitor HTTP redirection buffer overflow
2006-10-26 00:00:00
Novell eDirectory iMonitor HTTP redirection buffer overflow
2006-10-26 00:00:00
Novell eDirectory iMonitor HTTP redirection buffer overflow
2006-10-26 00:00:00
nvd
nvd
CVE-2006-5478
2006-10-24 20:07:00
cve
cve
CVE-2006-5478
2006-10-24 20:07:00
checkpoint_advisories
checkpoint_advisories
Novell eDirectory HTTP Server Redirection Buffer Overflow (CVE-2006-5478)
2009-10-13 00:00:00

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.956 High

EPSS

Percentile

99.4%

JSON
Related for EDIRECTORY_HOSTNAME_OVERFLOW.NASL
canvas2securityvulns2zdi2packetstorm1openvas1cvelist1saint4nvd1cve1checkpoint_advisories1