Novell eDirectory NCP Stack Buffer Overflow (Feb 8, 2013)


Novell eDirectory is a multi-platform Lightweight Directory Access Protocol (LDAP) server. It is a component of an identity management solution. It utilizes the Novell NetWare Core Protocol (NCP) for communication. NCP manages access to server resources like the file system, printing system and login requests. NCP for the Windows version of eDirectory communicates on port 524 over TCP and UDP.
NCP messages have the following common header structure:

 Offset       Size (bytes)      Description
 ------------ ----------------- ------------------------------------------------------------------
 0x0000       0x04              command code
 0x0004       0x04              data length
 0x0008       0x04              version
 0x000C       0x04              buffer size (in reply message)

The structure of data following the header is shown:

 Offset       Size (bytes)      Description
 ------------ ----------------- ------------------------------------------------------------------
 0x0000       0x02              packet type
 0x0002       0x01              sequence number
 0x0003       0x01              connection number lower byte
 0x0004       0x01              task number
 0x0005       0x01              connection number higher byte
 0x0006       n                 data

Some packet type values that are commonly seen in normal traffic are:

 Code         Description
 ------------ ------------------------------------------------------------------
 0x1111       start connection
 0x2222       request
 0x3333       reply
 0x5555       end connection
 0x7777       burst mode message
 0x9999       server busy message

The request and reply messages have the following structure:

 Offset       Size (bytes)      Description
 ------------ ----------------- ------------------------------------------------------------------
 0x0000       0x01              function code
 0x0001       0x02              subfunction structure length
 0x0003       0x01              subfunction code
 0x0004       0x08              key
 0x000C       0x02              object type
 0x000E       0x01              object name length (n)
 0x000F       n                 object name

NCP is used in several eDirectory operations, including Novell Directory Service (NDS) and Novell Modular Authentication Service (NMAS). Each of these operations is assigned a unique pair of function and subfunction code values. One such NCP request is the keyed object login request. A stack buffer overflow vulnerability has been identified in the processing of this login request. The flaw exists because the length of the object name field is not verified before its value is copied into a fixed-size stack buffer: the length supplied in the message is passed directly as the size parameter of the copy function without any boundary check. An attacker can exploit this vulnerability by sending a crafted message with an overly long object name value, triggering the buffer overflow. This can in turn divert the control flow of the process. Any code executed this way runs with the privileges of the eDirectory service, which is SYSTEM by default. An exploit attempt that does not result in code execution terminates the service and causes a denial of service condition.
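The following parser is an added example and is not code from the advisory or from Novell; it walks the NCP header, the packet-type fields and the request structure exactly as laid out in the tables above and applies the length check that the vulnerable copy omits. Byte order (big-endian), a 16-byte header on requests, the function and subfunction code values, the key and object type values, and the 64-byte buffer limit are all constructed assumptions, since the advisory gives none of them.

```python
import struct
from dataclasses import dataclass

# Header: command code, data length, version, buffer size (4 bytes each).
# Assumption: the request header carries all four fields; the page only
# states that the buffer size field appears in reply messages.
HEADER_LEN = 16
PACKET_TYPES = {0x1111: "start connection", 0x2222: "request", 0x3333: "reply",
                0x5555: "end connection", 0x7777: "burst mode message",
                0x9999: "server busy message"}

# Constructed placeholder values; the real codes are not given in the advisory.
COMMAND_CODE = 0x00000001
VERSION = 0x00000001
FUNC_CODE = 0x01
SUBFUNC_CODE = 0x01
KEY = b"\x00" * 8
OBJECT_TYPE = 0x0001
# Assumed capacity of the fixed-size stack buffer; the advisory gives no size.
MAX_OBJECT_NAME_LEN = 64


class NcpParseError(ValueError):
    """Raised when a packet is malformed or fails a bounds check."""


@dataclass
class KeyedLoginRequest:
    packet_type: int
    sequence: int
    connection: int
    task: int
    function_code: int
    subfunction_length: int
    subfunction_code: int
    key: bytes
    object_type: int
    object_name_length: int
    object_name: bytes


def build_keyed_login(object_name: bytes, declared_name_len=None,
                      sequence=1, connection=0x0102, task=1) -> bytes:
    """Build a constructed keyed login request for testing the parser.
    declared_name_len lets a test declare a length larger than the data."""
    name_len = len(object_name) if declared_name_len is None else declared_name_len
    # Assumption: subfunction structure length covers everything after it.
    sub_len = 1 + 8 + 2 + 1 + len(object_name)
    request = struct.pack(">BHB", FUNC_CODE, sub_len, SUBFUNC_CODE) + KEY
    request += struct.pack(">HB", OBJECT_TYPE, name_len) + object_name
    body = struct.pack(">HBBBB", 0x2222, sequence, connection & 0xFF,
                       task, connection >> 8) + request
    header = struct.pack(">IIII", COMMAND_CODE, len(body), VERSION, 0)
    return header + body


def parse_keyed_login(packet: bytes) -> KeyedLoginRequest:
    """Parse a request and reject any object name the buffer cannot hold."""
    if len(packet) < HEADER_LEN + 6:
        raise NcpParseError("truncated header")
    _command, data_len, _version, _buf_size = struct.unpack_from(">IIII", packet, 0)
    body = packet[HEADER_LEN:]
    if data_len != len(body):
        raise NcpParseError(f"declared data length {data_len} != actual {len(body)}")
    ptype, seq, conn_lo, task, conn_hi = struct.unpack_from(">HBBBB", body, 0)
    if ptype != 0x2222:
        raise NcpParseError(f"not a request: {PACKET_TYPES.get(ptype, hex(ptype))}")
    data = body[6:]
    if len(data) < 15:
        raise NcpParseError("truncated request structure")
    func, sub_len, sub_code = struct.unpack_from(">BHB", data, 0)
    key = data[4:12]
    obj_type, name_len = struct.unpack_from(">HB", data, 12)
    # The two checks the vulnerable code path lacks: the supplied length must
    # fit the bytes actually present and the destination buffer's capacity.
    if name_len > len(data) - 15:
        raise NcpParseError("object name length exceeds available data")
    if name_len > MAX_OBJECT_NAME_LEN:
        raise NcpParseError("object name length exceeds fixed buffer")
    return KeyedLoginRequest(ptype, seq, conn_lo | (conn_hi << 8), task, func,
                             sub_len, sub_code, key, obj_type, name_len,
                             data[15:15 + name_len])


def classify_packet(packet: bytes) -> tuple:
    """Return (accepted, reason); the detection decision an IPS would make."""
    try:
        req = parse_keyed_login(packet)
    except NcpParseError as err:
        return False, str(err)
    return True, f"object name {req.object_name!r} ({req.object_name_length} bytes)"
```

The two bounds checks are deliberately separate: an object name length that exceeds the bytes present in the message indicates a truncated or malformed packet, while a length that fits the message but exceeds the destination buffer is precisely the condition that overflows the stack buffer in the unpatched service.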

Dell SonicWALL has released the following two IPS signatures to address this issue:

  • 9546 – Novell NetIQ eDirectory NCP Buffer Overflow 1
  • 9585 – Novell NetIQ eDirectory NCP Buffer Overflow 2

In addition to these new signatures, Dell SonicWALL has existing generic exploit signatures that have been observed to proactively catch exploits targeting this vulnerability.

The vendor has released an advisory addressing this issue.
The vulnerability has been assigned the identifier CVE-2012-0432 by MITRE.
