{"cve": [{"lastseen": "2017-08-08T11:24:37", "bulletinFamily": "NVD", "description": "Heap-based buffer overflow in Novell eDirectory 8.7.3 before 8.7.3.10b, and 8.8 before 8.8.2 FTF2, allows remote attackers to execute arbitrary code via an LDAP search request containing \"NULL search parameters.\"", "modified": "2017-08-07T21:30:28", "published": "2008-07-14T14:41:00", "id": "CVE-2008-1809", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1809", "title": "CVE-2008-1809", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:26", "bulletinFamily": "software", "description": "iDefense Security Advisory 07.09.08\r\nhttp://labs.idefense.com/intelligence/vulnerabilities/\r\nJul 09, 2008\r\n\r\nI. BACKGROUND\r\n\r\nNovell eDirectory is a cross-platform directory server that implements the\r\nLightweight Directory Access Protocol (LDAP). The search request is used\r\nto search a directory tree for objects that match a search filter. For\r\nmore information, see the vendor's site found at the following URL.\r\n\r\nhttp://www.novell.com/products/edirectory/\r\n\r\nII. DESCRIPTION\r\n\r\nRemote exploitation of a heap buffer overflow vulnerability in Novell\r\nInc.'s eDirectory could allow an attacker to execute arbitrary code\r\nwith the privileges of the affected service.\r\n\r\nThe vulnerability exists due to an incorrect calculation when allocating\r\na heap buffer to store the search parameters. By passing NULL search\r\nparameters, it is possible to overflow a heap based buffer with the\r\nstring \"(null)\". This can result in the corruption of heap management\r\nstructures, and depending on the layout of the heap, possibly function\r\npointers.\r\n\r\nIII. ANALYSIS\r\n\r\nExploitation of this vulnerability results in the execution of arbitrary\r\ncode with the privileges of the affected service, usually root. 
Since\r\nthe data that overflows the buffer is not controlled by the attacker,\r\nexploitation is non-trivial.\r\n\r\nIV. DETECTION\r\n\r\niDefense has confirmed the existence of this vulnerability in eDirectory\r\nversion 8.8 SP2 for Linux. Other versions may also be affected.\r\n\r\nV. WORKAROUND\r\n\r\nIt is possible to disable the LDAP service from running via the\r\nndsmodules.conf file which is usually located in\r\n/etc/opt/novell/eDirectory/conf. However, doing so greatly reduces the\r\nfunctionality of this software.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nNovell Inc. has addressed this vulnerability with the release of FTF2\r\nfor eDirectory 8.8 SP2 (8.8.2) and SP10b for eDirectory 8.7.3. For more\r\ninformation visit the following URL.\r\n\r\nhttp://www.novell.com/support/viewContent.do?externalId=3843876\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nname CVE-2008-1809 to this issue. This is a candidate for inclusion in\r\nthe CVE list (http://cve.mitre.org/), which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n03/10/2008 Initial vendor notification\r\n03/13/2008 Initial vendor response\r\n07/09/2008 Coordinated public disclosure\r\n\r\nIX. CREDIT\r\n\r\nThe discoverer of this vulnerability wishes to remain anonymous.\r\n\r\nGet paid for vulnerability research\r\nhttp://labs.idefense.com/methodology/vulnerability/vcp.php\r\n\r\nFree tools, research and upcoming events\r\nhttp://labs.idefense.com/\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright \u00a9 2008 iDefense, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDefense. 
If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically,\r\nplease e-mail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\n There are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct,\r\nindirect, or consequential loss or damage arising from use of, or\r\nreliance on, this information.", "modified": "2008-07-12T00:00:00", "published": "2008-07-12T00:00:00", "id": "SECURITYVULNS:DOC:20152", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:20152", "title": "iDefense Security Advisory 07.09.08: Novell eDirectory LDAP Search Request Heap Corruption Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T21:35:28", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 30175\r\nCVE(CAN) ID: CVE-2008-1809\r\n\r\nNovell eDirectory is a cross-platform directory server.\r\n\r\nThe eDirectory LDAP service makes a calculation error when allocating the heap buffer used to store search parameters. If a remote attacker sends NULL search parameters to the service, a heap overflow can be triggered, corrupting heap management structures and function pointers and leading to execution of arbitrary instructions. The data that overflows the buffer is not attacker-controlled, so successful exploitation is relatively difficult.\n\nNovell eDirectory 8.8\r\nNovell eDirectory 
8.7.3\n Workaround:\r\n\r\n* Disable the LDAP service via the ndsmodules.conf file in /etc/opt/novell/eDirectory/conf.\r\n\r\nVendor patch:\r\n\r\nNovell\r\n------\r\nThe vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:\r\n\r\nhttp://download.novell.com/", "modified": "2008-07-12T00:00:00", "published": "2008-07-12T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-3596", "id": "SSV:3596", "title": "Novell eDirectory LDAP Service Search Parameter Heap Overflow Vulnerability", "type": "seebug", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": ""}], "nessus": [{"lastseen": "2019-01-16T20:08:25", "bulletinFamily": "scanner", "description": "The remote host is running eDirectory, a directory service software\nfrom Novell.\n\nThe installed version of eDirectory is affected by an integer overflow\nissue in ds.dlm / dhost.exe (bound by default to TCP port 524) as well\nas a heap-based buffer overflow that can be triggered by passing NULL\nsearch parameters to the LDAP service. 
An unauthenticated attacker\nmay be able to leverage either issue to execute code on the remote\nhost with SYSTEM privileges.", "modified": "2018-11-15T00:00:00", "published": "2008-07-07T00:00:00", "id": "EDIRECTORY_DS_INTEGER_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=33397", "title": "Novell eDirectory < 8.8.2 FTF2 / 8.7.3 SP10b Multiple Remote Overflows", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(33397);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n\n script_cve_id(\"CVE-2008-1809\", \"CVE-2008-3159\");\n script_bugtraq_id(30085, 30175);\n\n script_name(english:\"Novell eDirectory < 8.8.2 FTF2 / 8.7.3 SP10b Multiple Remote Overflows\");\n script_summary(english:\"Checks version from an ldap search\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote directory service is affected by multiple buffer overflows.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running eDirectory, a directory service software\nfrom Novell.\n\nThe installed version of eDirectory is affected by an integer overflow\nissue in ds.dlm / dhost.exe (bound by default to TCP port 524) as well\nas a heap-based buffer overflow that can be triggered by passing NULL\nsearch parameters to the LDAP service. 
An unauthenticated attacker\nmay be able to leverage either issue to execute code on the remote\nhost with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-08-041/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2008/Jul/145\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0f5cb3d8\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2008/Jul/146\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microfocus.com/kb/doc.php?id=3694858\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microfocus.com/kb/doc.php?id=3843876\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to eDirectory 8.8.2 FTF2 / 8.7.3 SP10b or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(119, 189);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2008/07/07\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:novell:edirectory\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Gain a shell remotely\");\n script_copyright(english:\"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ldap_search.nasl\");\n script_require_keys(\"Services/ldap\");\n script_require_ports(\"Services/ldap\", 389);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\n\nport = get_kb_item(\"Services/ldap\");\nif (isnull(port)) exit(0);\n\nbanner = 
get_kb_item(string(\"LDAP/\",port,\"/vendorVersion\"));\nif ( \"Novell eDirectory\" >!< banner ) exit(0);\n\nif (!egrep(pattern:\"^LDAP Agent for Novell eDirectory [0-9]+\\.[0-9]+.* \\([0-9]+\\.[0-9]+\\)$\", string:banner))\n exit(0);\n\nmain = ereg_replace(pattern:\"^LDAP Agent for Novell eDirectory ([0-9]+\\.[0-9]+).* \\([0-9]+\\.[0-9]+\\)$\", string:banner, replace:\"\\1\");\nversion = ereg_replace(pattern:\"^LDAP Agent for Novell eDirectory [0-9]+\\.[0-9]+.* \\(([0-9]+\\.[0-9]+)\\)$\", string:banner, replace:\"\\1\");\n\nversion = split(version, sep:\".\", keep:FALSE);\nbuild = int(version[0]);\nrev = int(version[1]);\n\nif ( ( (\"8.7\" >< main) && ( (build < 10555) || ( build == 10555 && rev < 98 ) ) ) ||\n ( (\"8.8\" >< main) && ( (build < 20216) || ( build == 20216 && rev < 51 ) ) ) )\n{\n if(report_verbosity > 0)\n {\n report = string(\n \"\\n\", banner,\" is installed on the remote host.\\n\"\n );\n security_hole(port:port, extra:report);\n }\t\n else\t\n security_hole(port); \n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}