|
|
|
Credit:
The information has been provided by iDefense.
The original article(s) can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=426
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=427
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=428
|
|
Vulnerable Systems:
* Novell eDirectory server version 8.8.1.
* Novell eDirectory server version 8.8
* Earlier versions are suspected to be vulnerable as well.
NCP over IP length Heap Overflow:
This vulnerability specifically exists within the NCP functionality of eDirectory. A specially crafted packet will cause eDirectory to read a user specified amount of user supplied data into a static sized heap buffer. The NCP engine does not verify that the supplied data will fit inside the allocated heap buffer bounds. As such, a heap buffer overflow occurs.
CVE Information:
CVE-2006-4177
evtFilteredMonitorEventsRequest Heap Overflow:
This problem stems from an integer overflow that occurs when allocating memory for attacker supplied data. The evtFilteredMonitorEventsRequest function takes user input and multiplies it by 16, then adds 16 without first validating that an integer overflow will not occur. If allocation succeeds, the function will proceed to loop, filling the memory with partially controllable input. Since the loop is bounded directly by the attacker supplied length value, heap overflow will occur.
CVE Information:
CVE-2006-4509
evtFilteredMonitorEventsRequest Invalid Free Vulnerability:
The evtFilteredMonitorEventsRequest function takes an array of objects that contain an allocated string and two integer values. When an attacker supplies less objects than is specified by the number of objects to be sent, an invalid free condition arises. Due to the cleanup loop being bound by the number supplied within the request rather than the number actually processed, the free() function will be called on values on the heap which are outside of the bounds of the allocated array.
CVE Information:
CVE-2006-4510
Successful exploitation of those vulnerabilities could allow an attacker to crash the server or execute arbitrary code. No credentials are required. Typically this daemon runs with administrator privileges.
Vendor Status:
Novell has addressed this vulnerability with eDirectory 8.8.1 FTF1.
You can obtain the Linux/Unix version of this update from their site at:
http://support.novell.com/servlet/filedownload/sec/pub/edir881ftf_1.tgz/
The windows version of this update is available at:
http://support.novell.com/servlet/filedownload/sec/pub/edir881ftf_1.exe/
Disclosure Timeline:
* 08/16/2006 - Initial vendor notification
* 08/17/2006 - Initial vendor response
* 10/06/2006 - Second vendor notification
* 10/20/2006 - Vendor update released
* 10/21/2006 - Public disclosure
|
|
|
|