Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00


                                            `Date: Wed, 12 May 1999 14:18:59 -0500  
From: Simple Nomad <thegnome@NMRC.ORG>  
Subject: DoS with Netware 4.x's TTS  
Nomad Mobile Research Centre  
A D V I S O R Y  
Simple Nomad []  
Platform : Netware 4.x  
Application : NDS  
Severity : High  
It is possible to overflow the Transaction Tracking System (TTS) built into  
Novell Netware and possibly crash multiple servers.  
Tested configuration  
The testing was done with the following configuration:  
Netware 4.11, Service Pack 5B  
Also confirmed on Netware 4.1. All systems had 64MB RAM and 1 GB drive space.  
Bug(s) report  
The Transaction Tracking System (TTS) is used by Novell Netware to help  
preserve the integrity of data during a system crash. If a transaction is in  
the process of being written to the hard drive when the system crashes, upon  
reboot the partial transaction is backed out preserving the integrity of the  
original data. Administrators can optionally flag a file with the TTS flag  
to add this protection (typically done with databases, especially those that  
have no rollback features).  
TTS by default tracks 10,000 transactions, and each instance uses a small  
amount of memory. If a burst of transactions are sent to the server and the  
available memory is exhausted, TTS will disable. While TTS is disabled, no  
updates can be made to Netware Directory Services. This can impact any program  
or process that updates NDS, such as login. In extreme overrun cases, such as  
very large simultaneous (or near simultaneous, actually) transactions, memory  
will be depleted quick enough to crash the server.  
This is not entirely uncommon, as any large burst of traffic updating NDS  
will cause the problem, such as bringing up a server after several days of  
downtime that has a Directory Services replica on it. Normally this can be  
corrected by increasing RAM or lowering the amount of transactions tracked  
>from the maximum default of 10,000 down to say 5,000 by issuing the command  
SET MAXIMUM TRANSACTIONS = 5000 at the console or via ServMan, and enabling  
TTS by typing ENABLE TTS at the console.  
However, a malicious user with proper access can force the memory depletion  
and potentially crash a server that has a replica of the NDS database. This  
can lead to multiple near-simultaneous server crashes.  
Of course anyone with administrative access can do this, but they could  
obviously do other acts that could be just as destructive, if not more so.  
What is needed is the ability to create a large number of NDS updates very  
quickly. For example, if a user has the ability to create a container and  
add objects to it, them that user has enough authority to potentially cause  
problems to TTS. Creating a container, dropping a few hundred objects into the  
container via drag-and-drop and then deleting the container should suffice.  
If the server lacks a large amount of free memory, the server will quite  
possibly abend. In other cases, TTS is disabled, which is a form of Denial of  
Service. As the messages are sent across to other servers containing NDS  
replicas, they too may crash. In our test environment we were able to crash  
two servers (Netware 4.1 and Netware 4.11) with a the scenario of creating a  
container, adding a few hundred users, and then deleting the container.  
NMRC has heard reports of as many as a dozen servers crashing within a couple  
of minutes of each other, so apply the latest Service Pack for Netware 4.x on  
all servers or upgrade to Netware 5.  
Novell has already been notified and they are obviously aware of the TTS  
limitations (refer to the May 1997 TID 2908153 at for an example).  
Per Novell the latest patches for Netware 4.x correct the problem, and Netware  
5 does not have the problem at all.  
Thanks to Michel Labelle <> for notifying NMRC about this  
See for more advisories.  
Simple Nomad // // rest for the Wicca'd.... //