Netware SMB Remote Stack Overflow PoC

ID 1337DAY-ID-12757
Type zdt
Reporter Laurent Gaffie
Modified 2010-06-17T00:00:00


Exploit for novell platform in category dos / poc

Title:           Netware SMB Remote Stack Overflow
Version:         1.0
Issue type:      Stack Overflow
Affected vendor: Novell
Release date:    17/06/2010
Discovered by:   Laurent Gaffié
Issue status:    Patch available
A vulnerability exists in the Netware CIFS.NLM driver which allows an attacker
to trigger a kernel stack overflow by sending a specific 'Session Setup AndX'
request. Successful exploitation of this issue will result in remote code
execution with kernel privileges. Failed attempts may result in a remote denial
of service.
The Server Message Block (SMB) protocol, also known as Common Internet File
System (CIFS), is an application-layer protocol that provides shared access
to files, printers and Inter-Process Communication (IPC). It is also a transport
for Distributed Computing Environment / Remote Procedure Call (DCE/RPC)
operations. After negotiating an SMB dialect, the client sends a
'Session Setup AndX' request to establish a session before it can connect to a
specific share. By sending a specially crafted request containing an overly long
'AccountName' value, it is possible to trigger a kernel stack overflow.
A remote attacker may be able to execute code with kernel privileges
on affected Netware systems. Failed attempts will result in a denial of service.
Affected products
Netware version 6.5 SP8 and prior.
Proof of concept
import sys
from socket import socket, AF_INET, SOCK_STREAM

if len(sys.argv) <= 1:
    sys.exit('usage: python %s IP_ADDR' % sys.argv[0])
host = (sys.argv[1], 139)   # NetBIOS session service port
payload = "A" * 200         # oversized AccountName value
## chained Session Setup Andx, tree connect command, field = username, basic stack overflow.
s = socket(AF_INET, SOCK_STREAM)
s.connect(host)
# the packet assembly and send are not present in the published PoC text
s.close()
print("done !")
Apply NSS update located at:
This patch has not been verified by stratsec.
Response timeline
* 07/02/2010 - Issue discovered.
* 10/02/2010 - Vendor notified.
* 10/02/2010 - Vendor acknowledged receipt of advisory.
* 11/02/2010 - Vendor confirmed issue presence.
* 16/06/2010 - Patch released by vendor.
* 17/06/2010 - stratsec advisory published.
* Vendor advisory:

# [2018-01-09]  #