#####################################################################################
Application: Novell Netware FTP Remote Stack Overflow
Platforms: Novell Netware 6.5 SP8
Exploitation: Remote Code Execution
CVE Number: CVE-2010-0625
Novell TID: 3238588
Discovery Date: 2009-07-23
Author: Francis Provencher (Protek Research Lab's)
Blog: http://www.protekresearchlab.com/
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) The Code
#####################################################################################
Novell, Inc. is a global software and services company based in Waltham, Massachusetts. The company specializes in enterprise operating systems, such as SUSE Linux Enterprise and Novell NetWare; identity, security, and systems management solutions; and collaboration solutions, such as Novell Groupwise and Novell Pulse.

Novell was instrumental in making the Utah Valley a focus for technology and software development. Novell technology contributed to the emergence of local area networks, which displaced the dominant mainframe computing model and changed computing worldwide. Today, a primary focus of the company is on developing open source software for enterprise clients.
(http://en.wikipedia.org/wiki/Novell)
#####################################################################################
2010-01-25 Vendor Contact
2010-01-26 Vendor response
2010-03-26 Coordinated release of this advisory
#####################################################################################
It is possible to overflow the stack and overwrite EIP by sending a mkdir and a rmdir request whose argument is the special character sequence "~A/" repeated 320 times.
The NLM version:
NWFTPD.nlm
Netware FTP Server
Version 5.09.03 October 14 2008
The registers:
Abend 1 on P00: Server-5.70.08: Page Fault Processor Exception (Error code 00000000)
Registers:
CS = 0008 DS = 0023 ES = 0023 FS = 0023 GS = 0023 SS = 0010
EAX = 00000238 EBX = 7E2F417E ECX = 55AA08D4 EDX = 00000001
ESI = 2F417E2F EDI = 429980C0 EBP = 417E2F41 ESP = A94A9FA4
EIP = 007E2F41 FLAGS = 00010282
Address (0x007E2F41) exceeds valid memory limit
EIP in UNKNOWN memory area
Access Location: 0x007E2F41
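As an added example (not part of the original advisory), the following Python script does two things a defender would do with the details above: it decodes the Abend register dump to confirm which registers hold bytes of the repeated "~A/" argument (x86 is little-endian, so the low byte of each value is the first byte in memory), and it flags FTP MKD/RMD (mkdir/rmdir) request lines whose directory argument is oversized or consists of a short repeated unit. The 255-byte alert threshold, the sample request lines and all function names are assumptions made for this example.

```python
import re

# Trigger described in the advisory: the 3-byte unit "~A/" repeated 320 times (960 bytes)
TRIGGER_UNIT = b"~A/"

# Copy of the register block from the Abend log above, embedded so the script runs offline
ABEND_DUMP = """\
CS = 0008 DS = 0023 ES = 0023 FS = 0023 GS = 0023 SS = 0010
EAX = 00000238 EBX = 7E2F417E ECX = 55AA08D4 EDX = 00000001
ESI = 2F417E2F EDI = 429980C0 EBP = 417E2F41 ESP = A94A9FA4
EIP = 007E2F41 FLAGS = 00010282
"""

REG_RE = re.compile(r"\b([A-Z]{2,5})\s*=\s*([0-9A-Fa-f]{4,8})\b")
SEGMENT_REGS = {"CS", "DS", "ES", "FS", "GS", "SS", "FLAGS"}


def parse_registers(dump):
    """Map every 'NAME = HEX' pair in an Abend register dump to an int."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def tainted_registers(regs, unit=TRIGGER_UNIT):
    """Return {name: bytes} for general registers whose in-memory byte image is a
    window of the repeated trigger unit, i.e. registers the overflowed input reached.
    A trailing NUL is tolerated: the C string terminator ends up in the last byte."""
    tainted = {}
    for name, value in regs.items():
        if name in SEGMENT_REGS:
            continue
        raw = value.to_bytes(4, "little")  # low byte first, as laid out on the stack
        body = raw.rstrip(b"\x00")
        # every 4-byte window of the repeated unit is a substring of unit * 3
        if len(body) >= 3 and body in unit * 3:
            tainted[name] = raw
    return tainted


FTP_DIR_VERBS = {"MKD", "RMD", "XMKD", "XRMD"}
MAX_PATH_ARG = 255  # assumed alert threshold for a path argument; tune to the server's real limit


def repeated_unit(arg, max_unit=8, min_repeats=4):
    """Shortest unit of up to max_unit chars that, repeated at least min_repeats
    times, makes up the whole argument; None if the argument is not such a run."""
    m = re.fullmatch(r"(.{1,%d}?)\1{%d,}" % (max_unit, min_repeats - 1), arg)
    return m.group(1) if m else None


def check_command(line, max_len=MAX_PATH_ARG):
    """Classify one FTP request line: None when benign, else a list of reasons."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb not in FTP_DIR_VERBS:
        return None
    reasons = []
    if len(arg) > max_len:
        reasons.append("%s argument of %d bytes exceeds %d" % (verb, len(arg), max_len))
    unit = repeated_unit(arg)
    if unit is not None:
        reasons.append("%s argument is %r repeated %d times" % (verb, unit, len(arg) // len(unit)))
    return reasons or None


# Constructed sample of control-channel request lines as a server or sensor might log them
SAMPLE_COMMANDS = [
    "USER anonymous",
    "CWD /pub",
    "MKD reports_2010",
    "RMD " + "~A/" * 320,
    "MKD " + "~A/" * 320,
    "LIST",
]


def scan_commands(lines):
    """Return [(line_no, reasons)] for every suspicious request line."""
    hits = []
    for i, line in enumerate(lines, 1):
        reasons = check_command(line)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    regs = parse_registers(ABEND_DUMP)
    for name, raw in tainted_registers(regs).items():
        print("%s = %08X holds trigger bytes %r" % (name, regs[name], raw))
    for line_no, reasons in scan_commands(SAMPLE_COMMANDS):
        print("line %d: %s" % (line_no, "; ".join(reasons)))
```

Run stand-alone, the script reports EBX, ESI, EBP and EIP as holding windows of the "~A/" pattern (EIP decodes to "A/~" followed by the string terminator, which is why the fault address is 0x007E2F41), and flags the two 960-byte MKD/RMD lines in the sample while leaving the ordinary mkdir alone.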
#####################################################################################
This issue can be triggered manually.
#####################################################################################
(PRL-2010-03)