[UNIX] Novell eDirectory LDAP Search Request Heap Corruption Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 10 Jul 2008 21:26:54 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Novell eDirectory LDAP Search Request Heap Corruption Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.novell.com/products/edirectory/> Novell eDirectory is a
"cross-platform directory server that implements the Lightweight Directory
Access Protocol (LDAP). The search request is used to search a directory
tree for objects that match a search filter". Remote exploitation of a
heap buffer overflow vulnerability in Novell Inc.'s eDirectory could allow
an attacker to execute arbitrary code with the privileges of the affected
service.
DETAILS
Vulnerable Systems:
* Novell eDirectory version 8.8 SP2 for Linux
Immune Systems:
* Novell eDirectory version 8.8 SP2 FTF2 (8.8.2)
* Novell eDirectory version 8.7.3 SP10b
The vulnerability exists due to an incorrect calculation when allocating a
heap buffer to store the search parameters. By passing NULL search
parameters, it is possible to overflow a heap based buffer with the string
"(null)". This can result in the corruption of heap management structures,
and depending on the layout of the heap, possibly function pointers.
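The sizing mistake described above, as an added example that is not code from the advisory or from Novell: the format string, function names and inputs are assumptions chosen to show one way a NULL field can be counted as zero bytes while the formatter still writes "(null)". It computes the shortfall rather than performing the overflow, and shows a hardened formatter beside it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FMT "base=%s filter=%s"   /* assumed layout, not from the advisory */

/* What a printf-style formatter emits for a field; glibc prints "(null)"
   for a NULL %s argument, made explicit here to stay within defined C. */
static const char *rendered(const char *s) { return s ? s : "(null)"; }

/* Flawed sizing (assumed pattern): a NULL field is counted as zero bytes. */
size_t flawed_size(const char *base, const char *filter) {
    size_t n = strlen("base= filter=") + 1;      /* literal text + NUL */
    if (base)   n += strlen(base);
    if (filter) n += strlen(filter);
    return n;
}

/* Correct sizing: ask the formatter itself how many bytes it will write. */
size_t required_size(const char *base, const char *filter) {
    int n = snprintf(NULL, 0, FMT, rendered(base), rendered(filter));
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bytes that would land past the end of a buffer sized by flawed_size(). */
size_t overflow_bytes(const char *base, const char *filter) {
    return required_size(base, filter) - flawed_size(base, filter);
}

/* Hardened formatter: allocate from the measured size, write bounded. */
char *format_search(const char *base, const char *filter) {
    size_t need = required_size(base, filter);
    char *buf = need ? malloc(need) : NULL;
    if (!buf) return NULL;
    snprintf(buf, need, FMT, rendered(base), rendered(filter));
    return buf;
}

int main(void) {
    /* Constructed inputs, not taken from the advisory. */
    printf("both set : %zu bytes over\n", overflow_bytes("o=org", "(cn=a)"));
    printf("one NULL : %zu bytes over\n", overflow_bytes("o=org", NULL));
    printf("both NULL: %zu bytes over\n", overflow_bytes(NULL, NULL));
    char *s = format_search(NULL, NULL);
    if (s) { puts(s); free(s); }
    return 0;
}
```

Each NULL field contributes a fixed six bytes past the planned size, which matches the advisory's point that the overflowing data is not attacker-controlled.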
Analysis:
Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the affected service, usually root. Since the
data that overflows the buffer is not controlled by the attacker,
exploitation is non-trivial.
Workaround:
It is possible to disable the LDAP service from running via the
ndsmodules.conf file which is usually located in
/etc/opt/novell/eDirectory/conf. However, doing so greatly reduces the
functionality of this software.
Vendor response:
Novell Inc. has addressed this vulnerability with the release of FTF2 for
eDirectory 8.8 SP2 (8.8.2) and SP10b for eDirectory 8.7.3. For more
information visit the following URL.
<http://www.novell.com/support/viewContent.do?externalId=3843876>
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1809>
CVE-2008-1809
Disclosure Timeline:
03/10/2008 - Initial vendor notification
03/13/2008 - Initial vendor response
07/09/2008 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDefense.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=724>