NetWare Portmapper Buffer Overflow (Oct 8, 2009)


NetWare is a network operating system developed by Novell. It provides file sharing and other services such as printing and email. The Remote Procedure Call (RPC) portmapper is a service that converts RPC program numbers into network addresses and port numbers. When a client wishes to make an RPC call to a given program number, it first contacts portmapper to determine the network address and port number where RPC packets should be sent. The library PKERNEL.NLM provides NetWare with portmapper and RPC functionality.

Portmapper hosts a service, portmap (program number 100000), which can be accessed by a CALLIT RPC message. A stack-based buffer overflow vulnerability exists in NetWare's portmapper module PKERNEL.NLM. Specifically, the vulnerable function copies Argument Length bytes from a CALLIT RPC message into a fixed-size stack buffer without performing a bounds check. An attacker can exploit this vulnerability by sending a malicious CALLIT RPC message with an overly long Argument Length to the affected portmap service. Successful exploitation could lead to remote code execution in the context of the portmap service, normally root. The vulnerability has been assigned Bugtraq ID 36564. It affects the latest version of NetWare, v6.5.0 SP8; other versions may also be affected.
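The length check that the vulnerable copy omits can be applied on the defender's side to captured traffic. The Python below is an added example, not SonicWALL's signature or code from the advisory: it parses an RPC call carried in a UDP datagram and classifies the CALLIT Argument Length. The 1024-byte threshold, the function names and the sample datagram are assumptions made for illustration; the page does not state the size of the stack buffer.

```python
import struct

PMAP_PROG, PMAPPROC_CALLIT = 100000, 5  # portmap program; CALLIT procedure (RFC 1057)
MAX_ARG_LEN = 1024  # assumed alert threshold; the page gives no buffer size

def _u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated RPC message")
    return struct.unpack_from(">I", buf, off)[0], off + 4

def _skip_auth(buf, off):
    """Skip an opaque_auth (flavor, length, body padded to 4 bytes)."""
    _flavor, off = _u32(buf, off)
    length, off = _u32(buf, off)
    if length > 400:  # RFC 1057 limit on auth bodies
        raise ValueError("oversized auth body")
    return off + ((length + 3) & ~3)

def inspect_callit(dgram, max_arg_len=MAX_ARG_LEN):
    """Return None for non-CALLIT traffic, else (arg_len, verdict)."""
    try:
        # xid, msg_type, rpcvers, prog, vers, proc
        fields = struct.unpack_from(">6I", dgram, 0)
    except struct.error:
        return None
    if (fields[1], fields[2], fields[3], fields[5]) != (0, 2, PMAP_PROG, PMAPPROC_CALLIT):
        return None
    try:
        off = _skip_auth(dgram, 24)   # credentials
        off = _skip_auth(dgram, off)  # verifier
        arg_len, off = _u32(dgram, off + 12)  # skip target prog, vers, proc
    except ValueError:
        return (None, "malformed")
    if arg_len > len(dgram) - off:   # declared length is larger than the data present
        return (arg_len, "length-exceeds-payload")
    if arg_len > max_arg_len:
        return (arg_len, "oversized-arguments")
    return (arg_len, "ok")

def sample_callit(arg_len):
    """Constructed test datagram: AUTH_NONE cred/verf, zero-filled arguments."""
    header = struct.pack(">6I", 0x1234, 0, 2, PMAP_PROG, 2, PMAPPROC_CALLIT)
    auth = struct.pack(">4I", 0, 0, 0, 0)
    target = struct.pack(">4I", 100003, 3, 0, arg_len)  # prog, vers, proc, length
    return header + auth + target + bytes((arg_len + 3) & ~3)
```

The threshold should be tuned against the largest CALLIT arguments seen in legitimate traffic on the monitored network.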

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 2068 – Novell NetWare Portmapper BO Attempt