
#####################################################################################

Application:   Novell Netware RPC XNFS xdrDecodeString

Platforms:   Novell Netware 6.5 SP8

Exploitation:   Remote code execution

CVE Number:   CVE-2010-4227

Novell TID:   5088477

ZDI:   ZDI-11-090

{PRL}:   2011-04

Author:   Francis Provencher (Protek Research Lab's)

Website:   http://www.protekresearchlab.com/


#####################################################################################

1) Introduction
2) Timeline
3) Technical details
4) PoC


#####################################################################################

===============
1) Introduction
===============

Novell, Inc. is a global software and services company based in Waltham, Massachusetts. The company specializes in enterprise operating systems, such as SUSE Linux Enterprise and Novell NetWare; identity, security, and systems management solutions; and collaboration solutions, such as Novell Groupwise and Novell Pulse. Novell was instrumental in making the Utah Valley a focus for technology and software development. Novell technology contributed to the emergence of local area networks, which displaced the dominant mainframe computing model and changed computing worldwide. Today, a primary focus of the company is on developing open source software for enterprise clients.

(http://en.wikipedia.org/wiki/Novell)

#####################################################################################

============================
2) Timeline
============================

2010-08-25 - Vulnerability reported to vendor
2011-02-18 - Coordinated public release of advisory

#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell Netware. Authentication is not required to exploit this vulnerability. The flaw exists within the XNFS.NLM component, which listens by default on UDP port 1234. When handling an NFS RPC request, the xdrDecodeString function uses a user-supplied length value to null-terminate a string. This value can be signed, allowing the NULL byte to be written at an arbitrary address. A remote attacker can exploit this vulnerability to execute arbitrary code in the context of the system.
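The following C sketch is an added illustration of the bug class described above; it is not Novell's XNFS.NLM code, and the function names, status codes and sample messages are constructed for this example. An XDR string on the wire is a 4-byte big-endian length followed by the string bytes, padded to a multiple of four. A decoder that reads that length into a signed int and writes the terminating NUL at dst[len] without checking it will place the byte far outside the destination buffer whenever the top bit of the length is set. The checked decoder below rejects any length that would be negative as a signed value and bounds the remaining lengths by both the input still available and the destination size, so the NUL always lands inside the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Status codes for the hypothetical checked decoder (constructed for this example). */
typedef enum {
    XDR_OK = 0,
    XDR_ERR_TRUNCATED,   /* not enough input for header or payload */
    XDR_ERR_TOO_LONG,    /* payload would not fit in dst with its NUL */
    XDR_ERR_SIGN         /* length has its top bit set: negative if read as int */
} xdr_status;

/* XDR integers are big-endian. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Models the unchecked pattern from the advisory without performing the write:
 * returns 1 if an implementation that does `int len = wire_len; dst[len] = 0;`
 * would put the terminator outside a dst of dst_size bytes. */
int terminator_out_of_bounds(uint32_t wire_len, size_t dst_size) {
    int32_t len = (int32_t)wire_len;   /* signed interpretation of the wire value */
    if (len < 0)
        return 1;                      /* negative index: well before the buffer */
    return (size_t)len >= dst_size;    /* at or past the end of the buffer */
}

/* Hardened decoder: the length is kept unsigned, rejected if it would be
 * negative as an int, and bounded by dst_size - 1 and by the input remaining.
 * On success *consumed receives the bytes used from `in`, padding included. */
xdr_status xdr_decode_string_checked(const uint8_t *in, size_t in_len,
                                     char *dst, size_t dst_size,
                                     size_t *consumed) {
    if (dst_size == 0)
        return XDR_ERR_TOO_LONG;
    if (in_len < 4)
        return XDR_ERR_TRUNCATED;

    uint32_t len = be32(in);
    if (len > (uint32_t)INT32_MAX)
        return XDR_ERR_SIGN;           /* the exact case the advisory describes */
    if (len > dst_size - 1)
        return XDR_ERR_TOO_LONG;       /* leave room for the NUL inside dst */

    size_t padded = ((size_t)len + 3) & ~(size_t)3;   /* XDR pads to 4 bytes */
    if (padded > in_len - 4)
        return XDR_ERR_TRUNCATED;

    memcpy(dst, in + 4, len);
    dst[len] = '\0';                   /* index is now provably < dst_size */
    *consumed = 4 + padded;
    return XDR_OK;
}

/* Constructed sample: XDR string "hello" (length 5, payload padded to 8 bytes). */
static const uint8_t SAMPLE_HELLO[12] = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o', 0, 0, 0};
/* Constructed sample: length 0xFFFFFFFF, which a signed decoder reads as -1. */
static const uint8_t SAMPLE_NEG[4] = {0xff, 0xff, 0xff, 0xff};

/* Returns 1 if the valid sample decodes to "hello" using exactly 12 input bytes. */
int sample_hello_ok(void) {
    char buf[64];
    size_t consumed = 0;
    xdr_status st = xdr_decode_string_checked(SAMPLE_HELLO, sizeof SAMPLE_HELLO,
                                              buf, sizeof buf, &consumed);
    return st == XDR_OK && consumed == 12 && strcmp(buf, "hello") == 0;
}

/* Returns the status the checked decoder gives the sign-bit sample. */
int sample_negative_status(void) {
    char buf[64];
    size_t consumed = 0;
    return (int)xdr_decode_string_checked(SAMPLE_NEG, sizeof SAMPLE_NEG,
                                          buf, sizeof buf, &consumed);
}

int main(void) {
    printf("valid sample decodes: %d\n", sample_hello_ok());
    printf("sign-bit sample status: %d (expect %d = XDR_ERR_SIGN)\n",
           sample_negative_status(), XDR_ERR_SIGN);
    printf("unchecked signed decoder would misplace NUL for 0xFFFFFFFF: %d\n",
           terminator_out_of_bounds(0xFFFFFFFFu, 256));
    return 0;
}
```

The two checks in the hardened path are independent and both matter: the sign test catches the arbitrary-address write the advisory describes, while the dst_size bound catches the ordinary overflow that a large positive length would cause. A detection-side takeaway is that any NFS request whose XDR string length field has the top bit set is malformed by definition and can be dropped or alerted on before it reaches the decoder.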


#####################################################################################

===========
4) The Code
===========

Here


#####################################################################################