Novell NetIQ eDirectory NCP Buffer Overflow (Jan 23, 2013)

Novell eDirectory is an X.500-compatible directory service software product initially released in 1993 by Novell for centrally managing access to resources on multiple servers and computers within a given network. The product is made available for multiple platforms including NetWare, Unix-like systems, and Windows. It supports referential integrity, multi-master replication, and has a modular authentication architecture. The software can be accessed via LDAP, DSML, SOAP, ODBC, JDBC, JNDI, and ADSI.

Novell eDirectory uses the Novell NetWare Core Protocol (NCP) for network communication. NCP manages access to the primary NetWare server resources, such as the file system and the printing system, as well as login requests. NCP is a client/server protocol originally built on the Internetwork Packet Exchange (IPX) layer services, which are now obsolete; more recent versions of NCP can also run over TCP/IP. NCP over TCP/IP messages have the following common header structure:

 Offset  Size  Description
 ------- ----- ------------------------------------------------------
 0x0000  4     NCP/IP signature, 'DmdT' for request, 'tNcP' for reply
 0x0004  4     NCP/IP Length, including the NCP over IP header
 0x0008  4     NCP/IP Version (Request only)
 0x000C  4     NCP/IP Reply Buffer Size (Request only)

A stack-based overflow vulnerability has been identified in the Novell eDirectory server. When processing an NCP request, the size of a stack buffer was not validated before user-supplied data was copied into it. An attacker can exploit this vulnerability to cause a stack overflow, which allows arbitrary code injection and execution with the privileges of the eDirectory service, by default SYSTEM.
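To illustrate the header layout above and the kind of length validation the advisory says was missing, here is an added example parser for NCP over TCP/IP messages; it is not eDirectory's code or part of the original advisory. It assumes the 4-byte fields are big-endian, and the version, reply-buffer-size and payload values in the samples are constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional
# Layout from the header table above; 4-byte fields assumed big-endian.
SIG_REQUEST = b"DmdT"
SIG_REPLY = b"tNcP"
REQUEST_HDR_LEN = 16  # signature, length, version, reply buffer size
REPLY_HDR_LEN = 8     # signature, length (the other two are request-only)


@dataclass
class NcpIpHeader:
    signature: bytes
    length: int                       # NCP/IP Length, includes this header
    version: Optional[int]            # request only
    reply_buffer_size: Optional[int]  # request only
    payload: bytes
    problems: List[str] = field(default_factory=list)


def parse_ncpip(data: bytes) -> NcpIpHeader:
    """Parse one NCP over TCP/IP message and record length inconsistencies."""
    if len(data) < REPLY_HDR_LEN:
        raise ValueError("too short for an NCP/IP header")
    sig = data[0:4]
    (length,) = struct.unpack(">I", data[4:8])
    if sig == SIG_REQUEST:
        if len(data) < REQUEST_HDR_LEN:
            raise ValueError("truncated NCP/IP request header")
        version, reply_size = struct.unpack(">II", data[8:16])
        hdr_len = REQUEST_HDR_LEN
    elif sig == SIG_REPLY:
        version = reply_size = None
        hdr_len = REPLY_HDR_LEN
    else:
        raise ValueError(f"unknown NCP/IP signature {sig!r}")
    hdr = NcpIpHeader(sig, length, version, reply_size, data[hdr_len:])
    # The length field is peer-controlled: check it, never use it as a copy size.
    if length < hdr_len:
        hdr.problems.append("length field smaller than the header itself")
    if length != len(data):
        hdr.problems.append(f"length field {length} != {len(data)} bytes received")
    return hdr


def build_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Construct a sample request; claimed_length overrides the true length."""
    length = REQUEST_HDR_LEN + len(payload) if claimed_length is None else claimed_length
    return SIG_REQUEST + struct.pack(">III", length, 1, 0x4000) + payload

# Constructed samples: a consistent request and one whose length field lies.
GOOD = build_request(bytes(8))
BAD = build_request(bytes(8), claimed_length=0xFFFFFFFF)
```

A receiver that sizes its copy from the length field, as the flawed code did, must bound it by both the header size and the bytes actually received; `problems` records exactly those two checks.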

The Dell SonicWALL UTM team has researched this vulnerability and released the following IPS signatures to detect attack attempts.

  • 9541 Novell NetIQ eDirectory NCP Buffer Overflow 1
  • 9546 Novell NetIQ eDirectory NCP Buffer Overflow 2

An existing generic shellcode signature is also able to detect attacks targeting this issue.

  • 4813 Server Application Shellcode Exploit 6

This vulnerability has been assigned the identifier CVE-2012-0432.
