Novell eDirectory is a cross-platform lightweight directory access protocol (LDAP) server. In addition to LDAP, eDirectory also implements NCP over IP.
Three different vulnerabilities were discovered in Novell's eDirectory product, remote exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the vulnerable system.
Vulnerable Systems:
* Novell eDirectory server version 8.8.1.
* Novell eDirectory server version 8.8
* Earlier versions are suspected to be vulnerable as well.
NCP over IP length Heap Overflow:
This vulnerability specifically exists within the NCP functionality of eDirectory. A specially crafted packet will cause eDirectory to read a user specified amount of user supplied data into a static sized heap buffer. The NCP engine does not verify that the supplied data will fit inside the allocated heap buffer bounds. As such, a heap buffer overflow occurs.
evtFilteredMonitorEventsRequest Heap Overflow:
This problem stems from an integer overflow that occurs when allocating memory for attacker supplied data. The evtFilteredMonitorEventsRequest function takes user input and multiplies it by 16, then adds 16 without first validating that an integer overflow will not occur. If allocation succeeds, the function will proceed to loop, filling the memory with partially controllable input. Since the loop is bounded directly by the attacker supplied length value, heap overflow will occur.
evtFilteredMonitorEventsRequest Invalid Free Vulnerability:
The evtFilteredMonitorEventsRequest function takes an array of objects that contain an allocated string and two integer values. When an attacker supplies less objects than is specified by the number of objects to be sent, an invalid free condition arises. Due to the cleanup loop being bound by the number supplied within the request rather than the number actually processed, the free() function will be called on values on the heap which are outside of the bounds of the allocated array.
Successful exploitation of those vulnerabilities could allow an attacker to crash the server or execute arbitrary code. No credentials are required. Typically this daemon runs with administrator privileges.
Vendor Status:
Novell has addressed this vulnerability with eDirectory 8.8.1 FTF1.
