Network Security: Detailed info on [NT] Novell eDirectory Multiple Vulnerabilities

Subject:	[NT] Novell eDirectory Multiple Vulnerabilities
Date:	22 Oct 2006 12:19:16 +0200

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Novell eDirectory Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

 <http://www.novell.com/products/edirectory/> Novell eDirectory is a 
cross-platform lightweight directory access protocol (LDAP) server. In 
addition to LDAP, eDirectory also implements NCP over IP.

Three different vulnerabilities were discovered in Novell's eDirectory 
product, remote exploitation of these vulnerabilities could allow an 
attacker to execute arbitrary code on the vulnerable system.

DETAILS

Vulnerable Systems:
 * Novell eDirectory server version 8.8.1.
 * Novell eDirectory server version 8.8
 * Earlier versions are suspected to be vulnerable as well.

NCP over IP length Heap Overflow:
This vulnerability specifically exists within the NCP functionality of 
eDirectory. A specially crafted packet will cause eDirectory to read a 
user specified amount of user supplied data into a static sized heap 
buffer. The NCP engine does not verify that the supplied data will fit 
inside the allocated heap buffer bounds. As such, a heap buffer overflow 
occurs.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4177> 
CVE-2006-4177

evtFilteredMonitorEventsRequest Heap Overflow:
This problem stems from an integer overflow that occurs when allocating 
memory for attacker supplied data. The evtFilteredMonitorEventsRequest 
function takes user input and multiplies it by 16, then adds 16 without 
first validating that an integer overflow will not occur. If allocation 
succeeds, the function will proceed to loop, filling the memory with 
partially controllable input. Since the loop is bounded directly by the 
attacker supplied length value, heap overflow will occur.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4509> 
CVE-2006-4509

evtFilteredMonitorEventsRequest Invalid Free Vulnerability:
The evtFilteredMonitorEventsRequest function takes an array of objects 
that contain an allocated string and two integer values. When an attacker 
supplies less objects than is specified by the number of objects to be 
sent, an invalid free condition arises. Due to the cleanup loop being 
bound by the number supplied within the request rather than the number 
actually processed, the free() function will be called on values on the 
heap which are outside of the bounds of the allocated array.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4510> 
CVE-2006-4510

Successful exploitation of those vulnerabilities could allow an attacker 
to crash the server or execute arbitrary code. No credentials are 
required. Typically this daemon runs with administrator privileges.

Vendor Status:
Novell has addressed this vulnerability with eDirectory 8.8.1 FTF1.

You can obtain the Linux/Unix version of this update from their site at:
 
<http://support.novell.com/servlet/filedownload/sec/pub/edir881ftf_1.tgz/> 
http://support.novell.com/servlet/filedownload/sec/pub/edir881ftf_1.tgz/
The windows version of this update is available at:
 
<http://support.novell.com/servlet/filedownload/sec/pub/edir881ftf_1.exe/> 
http://support.novell.com/servlet/filedownload/sec/pub/edir881ftf_1.exe/

Disclosure Timeline:
 * 08/16/2006 - Initial vendor notification
 * 08/17/2006 - Initial vendor response
 * 10/06/2006 - Second vendor notification
 * 10/20/2006 - Vendor update released
 * 10/21/2006 - Public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article(s) can be found at:
 
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=426> 
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=426
 
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=427> 
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=427
 
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=428> 
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=428



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.

<Prev in Thread]	Current Thread	[Next in Thread>
[NT] Novell eDirectory Multiple Vulnerabilities, SecuriTeam <=

Previous by Date:	[NT] Kaspersky Labs Anti-Virus IOCTL Local Privilege Escalation, SecuriTeam
Next by Date:	[UNIX] dtmail Buffer Overflow, SecuriTeam
Previous by Thread:	[NT] Kaspersky Labs Anti-Virus IOCTL Local Privilege Escalation, SecuriTeam
Next by Thread:	[UNIX] dtmail Buffer Overflow, SecuriTeam
Indexes:	[Date] [Thread] [Top] [All Lists]