{PRL} Novell Netware FTP Remote Stack Overflow

{PRL}

#####################################################################################

Application:   Novell Netware NWFTPD RMD/RNFR/DELE Remote Code Execution

Platforms:   Novell Netware 6.5 SP8

Exploitation:   Remote code execution

CVE Number:

Novell TID:   5071250

ZDI:   ZDI-10-062

{PRL}:   2010-05

Author:   Francis Provencher (Protek Research Lab's)

Website:   http://www.protekresearchlab.com/

Twitter:   @ProtekResearch

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) The Code

#####################################################################################

===============
1) Introduction
===============

Novell, Inc. is a global software and services company based in Waltham, Massachusetts.

The company specializes in enterprise operating systems, such as SUSE Linux Enterprise

and Novell NetWare; identity, security, and systems management solutions; and collaboration

solutions, such as Novell Groupwise and Novell Pulse. Novell was instrumental in making the Utah

Valley a focus for technology and software development. Novell technology contributed to the

emergence of local area networks, which displaced the dominant mainframe computing model and

change computing worldwide. Today, a primary focus of the company is on developing open source

software for enterprise clients.

(http://en.wikipedia.org/wiki/Novell)

#####################################################################################

============================
2) Report Timeline
============================

2010-01-25 Vendor Contact
2010-01-26 Vendor repsonse
2010-03-26 Coordinate release of this advisory

#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of

Novell Netware NWFTPD daemon. Authentication or default anonymous access is required to exploit

this vulnerability. The specific flaw exists when parsing malformed arguments to the verbs

RMD, RNFR, and DELE. Overly long parameters will result in stack based buffer overflows which can be

leveraged to execute arbitrary code.

#####################################################################################

===========
4) The Code
===========

This issue can be trigger manually

#####################################################################################