
#####################################################################################

Application:   Novell Netware FTP Remote Stack Overflow

Platforms:   Novell Netware 6.5 SP8

Exploitation:   Remote code execution

CVE Number:   CVE-2010-0625

ZDI Number:   ZDI-10-062

Novell TID:   3238588

Discover Date:   2009-07-23

Author:   Francis Provencher (Protek Research Lab's)

Blog:   http://www.protekresearchlab.com/


#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) The Code


#####################################################################################

===============
1) Introduction
===============

Novell, Inc. is a global software and services company based in Waltham, Massachusetts. The company specializes in
enterprise operating systems, such as SUSE Linux Enterprise and Novell NetWare; identity, security, and systems
management solutions; and collaboration solutions, such as Novell Groupwise and Novell Pulse.

Novell was instrumental in making the Utah Valley a focus for technology and software development. Novell technology
contributed to the emergence of local area networks, which displaced the dominant mainframe computing model and
changed computing worldwide. Today, a primary focus of the company is on developing open source software for enterprise clients.

(http://en.wikipedia.org/wiki/Novell)

#####################################################################################

============================
2) Report Timeline
============================

2010-01-25 Vendor Contact
2010-01-26 Vendor response
2010-03-26 Coordinate release of this advisory

#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of
the Novell Netware NWFTPD daemon. Authentication or default anonymous access is required to exploit
this vulnerability. The specific flaw exists when parsing malformed arguments to the verbs
RMD, RNFR, and DELE. Overly long parameters will result in stack based buffer overflows which can be
leveraged to execute arbitrary code.
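The bug class described above, as an added illustration that is not NWFTPD's code and not part of this advisory: a command handler that copies the argument of RMD, RNFR or DELE into a fixed-size stack buffer without checking its length, beside a hardened handler that validates the length against the buffer before copying and rejects an over-long argument with an error code. The function names, the 256-byte buffer size and the return codes are assumptions chosen for the example; the advisory does not state the real buffer size or the real handler layout.

```c
/* Added example (not NWFTPD's code): a fixed-size stack buffer filled by an
 * unbounded copy, beside a bounded handler that rejects over-long arguments.
 * Function names, the 256-byte limit and the return codes are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256            /* hypothetical on-stack path buffer size */
#define FTP_OK            0
#define FTP_BAD_VERB      1
#define FTP_ARG_TOO_LONG  2
#define FTP_ARG_MISSING   3

/* Returns 1 if verb is one of the three verbs named in the advisory. */
static int is_path_verb(const char *verb)
{
    return strcmp(verb, "RMD") == 0 || strcmp(verb, "RNFR") == 0 ||
           strcmp(verb, "DELE") == 0;
}

/* Split "VERB arg\r\n" into the verb and a pointer to the argument text.
 * The argument is not copied here; arg_len is its length up to the line
 * terminator. Returns FTP_OK or FTP_BAD_VERB. */
static int split_command(const char *line, char *verb, size_t verb_sz,
                         const char **arg, size_t *arg_len)
{
    size_t vlen = strcspn(line, " \r\n");
    if (vlen == 0 || vlen >= verb_sz)
        return FTP_BAD_VERB;
    memcpy(verb, line, vlen);
    verb[vlen] = '\0';
    *arg = (line[vlen] == ' ') ? line + vlen + 1 : "";
    *arg_len = strcspn(*arg, "\r\n");
    return FTP_OK;
}

/* VULNERABLE pattern: the argument is copied into a stack buffer without
 * comparing its length to the buffer. With an argument longer than PATH_BUF
 * the copy runs past the buffer into the saved frame, which is the stack
 * overflow class the advisory describes. Only call it with short input. */
int handle_path_verb_vulnerable(const char *line)
{
    char verb[5];
    char path[PATH_BUF];
    const char *arg;
    size_t arg_len;

    if (split_command(line, verb, sizeof verb, &arg, &arg_len) != FTP_OK ||
        !is_path_verb(verb))
        return FTP_BAD_VERB;
    memcpy(path, arg, arg_len);          /* no check that arg_len < PATH_BUF */
    path[arg_len] = '\0';
    return FTP_OK;
}

/* HARDENED: the length is validated against the buffer before any byte is
 * copied, and an over-long or missing argument is rejected with an error
 * code (the server would answer with a 5xx reply) instead of being copied. */
int handle_path_verb_hardened(const char *line)
{
    char verb[5];
    char path[PATH_BUF];
    const char *arg;
    size_t arg_len;

    if (split_command(line, verb, sizeof verb, &arg, &arg_len) != FTP_OK ||
        !is_path_verb(verb))
        return FTP_BAD_VERB;
    if (arg_len == 0)
        return FTP_ARG_MISSING;
    if (arg_len >= PATH_BUF)             /* leave room for the terminator */
        return FTP_ARG_TOO_LONG;
    memcpy(path, arg, arg_len);
    path[arg_len] = '\0';
    return FTP_OK;
}

/* Builds "<verb> " followed by n 'A' bytes and "\r\n" (constructed input),
 * runs the hardened handler on it and returns the handler's code. */
int hardened_result_for_arg_len(const char *verb, size_t n)
{
    size_t vlen = strlen(verb);
    char *line = malloc(vlen + 1 + n + 3);
    int rc;
    if (!line)
        return -1;
    memcpy(line, verb, vlen);
    line[vlen] = ' ';
    memset(line + vlen + 1, 'A', n);
    memcpy(line + vlen + 1 + n, "\r\n", 3);
    rc = handle_path_verb_hardened(line);
    free(line);
    return rc;
}

int main(void)
{
    printf("hardened, normal arg:    %d\n", handle_path_verb_hardened("RMD incoming\r\n"));
    printf("hardened, 1000-byte arg: %d\n", hardened_result_for_arg_len("RNFR", 1000));
    return 0;
}
```

The two handlers behave identically on well-formed input; the only difference is the length comparison before the copy, which is the check whose absence turns an over-long parameter into a stack overflow. Limiting anonymous access, which the advisory names as one of the two ways to reach the parser, reduces who can send these verbs at all but does not fix the parser.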


The NLM version:
NWFTPD.nlm

Netware FTP Server
Version 5.09.03 October 14 2008


The registers at the time of the abend:

Abend 1 on P00: Server-5.70.08: Page Fault Processor Exception (Error code 00000000)

Registers:
CS = 0008 DS = 0023 ES = 0023 FS = 0023 GS = 0023 SS = 0010
EAX = 00000238 EBX = 7E2F417E ECX = 55AA08D4 EDX = 00000001
ESI = 2F417E2F EDI = 429980C0 EBP = 417E2F41 ESP = A94A9FA4
EIP = 007E2F41 FLAGS = 00010282
Address (0x007E2F41) exceeds valid memory limit
EIP in UNKNOWN memory area
Access Location: 0x007E2F41

The violation occurred while processing the following instruction:


#####################################################################################

===========
4) The Code
===========

This issue can be triggered manually.


#####################################################################################
(PRL-2010-03)