[NT] Novell eDirectory Multiple Vulnerabilities
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 22 Oct 2006 12:19:16 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Novell eDirectory Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.novell.com/products/edirectory/> Novell eDirectory is a
cross-platform lightweight directory access protocol (LDAP) server. In
addition to LDAP, eDirectory also implements NCP over IP.
Three different vulnerabilities were discovered in Novell's eDirectory
product, remote exploitation of these vulnerabilities could allow an
attacker to execute arbitrary code on the vulnerable system.
DETAILS
Vulnerable Systems:
* Novell eDirectory server version 8.8.1.
* Novell eDirectory server version 8.8
* Earlier versions are suspected to be vulnerable as well.
NCP over IP length Heap Overflow:
This vulnerability specifically exists within the NCP functionality of
eDirectory. A specially crafted packet will cause eDirectory to read a
user specified amount of user supplied data into a static sized heap
buffer. The NCP engine does not verify that the supplied data will fit
inside the allocated heap buffer bounds. As such, a heap buffer overflow
occurs.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4177>
CVE-2006-4177
evtFilteredMonitorEventsRequest Heap Overflow:
This problem stems from an integer overflow that occurs when allocating
memory for attacker supplied data. The evtFilteredMonitorEventsRequest
function takes user input and multiplies it by 16, then adds 16 without
first validating that an integer overflow will not occur. If allocation
succeeds, the function will proceed to loop, filling the memory with
partially controllable input. Since the loop is bounded directly by the
attacker supplied length value, heap overflow will occur.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4509>
CVE-2006-4509
evtFilteredMonitorEventsRequest Invalid Free Vulnerability:
The evtFilteredMonitorEventsRequest function takes an array of objects
that contain an allocated string and two integer values. When an attacker
supplies less objects than is specified by the number of objects to be
sent, an invalid free condition arises. Due to the cleanup loop being
bound by the number supplied within the request rather than the number
actually processed, the free() function will be called on values on the
heap which are outside of the bounds of the allocated array.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4510>
CVE-2006-4510
Successful exploitation of those vulnerabilities could allow an attacker
to crash the server or execute arbitrary code. No credentials are
required. Typically this daemon runs with administrator privileges.
Vendor Status:
Novell has addressed this vulnerability with eDirectory 8.8.1 FTF1.
You can obtain the Linux/Unix version of this update from their site at:
<http://support.novell.com/servlet/filedownload/sec/pub/edir881ftf_1.tgz/>
http://support.novell.com/servlet/filedownload/sec/pub/edir881ftf_1.tgz/
The windows version of this update is available at:
<http://support.novell.com/servlet/filedownload/sec/pub/edir881ftf_1.exe/>
http://support.novell.com/servlet/filedownload/sec/pub/edir881ftf_1.exe/
Disclosure Timeline:
* 08/16/2006 - Initial vendor notification
* 08/17/2006 - Initial vendor response
* 10/06/2006 - Second vendor notification
* 10/20/2006 - Vendor update released
* 10/21/2006 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDefense.
The original article(s) can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=426>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=426
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=427>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=427
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=428>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=428
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] Kaspersky Labs Anti-Virus IOCTL Local Privilege Escalation
- Next by Date: [UNIX] dtmail Buffer Overflow
- Previous by thread: [NT] Kaspersky Labs Anti-Virus IOCTL Local Privilege Escalation
- Next by thread: [UNIX] dtmail Buffer Overflow
- Index(es):
Relevant Pages
|
|
