Novell eDirectory NCP Stack Buffer Overflow (Feb 8, 2013)


Novell eDirectory is a multi-platform Lightweight Directory Access Protocol (LDAP) server. It is a component of an identity management solution. It utilizes the Novell NetWare Core Protocol (NCP) for communication. NCP manages access to server resources like the file system, printing system and login requests. NCP for the Windows version of eDirectory communicates on port 524 over TCP and UDP.
NCP messages have the following common header structure:

 Offset       Size (bytes)      Description ------------ ----------------- ------------------------------------------------------------------ 0x0000       0x04              command code 0x0004       0x04              data length  0x0008       0x04              version  0x000C       0x04              buffer size (in reply message) 

The structure of data following the header is shown:

 Offset       Size (bytes)      Description ------------ ----------------- ------------------------------------------------------------------ 0x0000       0x02              packet type 0x0002       0x01              sequence number 0x0003       0x01              connection number lower byte 0x0004       0x01              task number 0x0005       0x01              connection number higher byte 0x0006       n                 data 

Some packet type values that are commonly seen in normal traffic are:

 Code         Description   ------------ ------------------------------------------------------------------ 0x1111       start connection 0x2222       request 0x3333       reply 0x5555       end connection 0x7777       burst mode message 0x9999       server busy message 

The request and reply messages have the following structure:

 Offset       Size (bytes)      Description ------------ ----------------- ------------------------------------------------------------------ 0x0000       0x01              function code 0x0001       0x02              subfunction structure length 0x0003       0x01              subfunction code 0x0004       0x08              key 0x000C       0x02              object type 0x000E       0x01              object name length (n) 0x000F       n                 object name 

NCP is used in several eDirectory operations including Novell Directory Service (NDS) and Novell Modular Authentication Service (NMAS). These operations are assigned with unique function and subfunction code values. One NCP request is the keyed object login request. A stack buffer overflow vulnerability has been identified in the processing of this login request. The flaw exists due to a lack of data length verification when copying the value of the object name field into an fixed size stack buffer. The supplied length argument is used as the size parameter given to the copy function without proper boundary checks. An attacker can exploit this vulnerability by sending a crafted message with an overly long object name value and trigger the buffer overflow flaw. This can in turn result in process flow diversion. Any executed code will execute within the privileges of the eDirectory service which is SYSTEM, by default. An exploit attempt that does not result in code execution would terminate the service and cause a denial of service condition.

Dell SonicWALL has released two IPS signatures to address this issue. The following signatures were released:

  • 9546 – Novell NetIQ eDirectory NCP Buffer Overflow 1
  • 9585 – Novell NetIQ eDirectory NCP Buffer Overflow 2

In addition to these new signatures, Dell SonicWALL has existing generic exploit signatures that have been observed to proactively catch exploits targeting this vulnerability.

The vendor has released an advisory addressing this issue.
The vulnerability has been assigned the id CVE-2012-0432 by mitre.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.