
Novell eDirectory NCP Stack Buffer Overflow (Feb 8, 2013)

Novell eDirectory is a multi-platform Lightweight Directory Access Protocol (LDAP) server. It is a component of an identity management solution. It utilizes the Novell NetWare Core Protocol (NCP) for communication. NCP manages access to server resources like the file system, printing system and login requests. NCP for the Windows version of eDirectory communicates on port 524 over TCP and UDP.
NCP messages have the following common header structure:

 Offset       Size (bytes)      Description
 ------------ ----------------- ------------------------------------------------------------------
 0x0000       0x04              command code
 0x0004       0x04              data length
 0x0008       0x04              version
 0x000C       0x04              buffer size (in reply message)

The structure of data following the header is shown:

 Offset       Size (bytes)      Description
 ------------ ----------------- ------------------------------------------------------------------
 0x0000       0x02              packet type
 0x0002       0x01              sequence number
 0x0003       0x01              connection number lower byte
 0x0004       0x01              task number
 0x0005       0x01              connection number higher byte
 0x0006       n                 data

Some packet type values that are commonly seen in normal traffic are:

 Code         Description
 ------------ ------------------------------------------------------------------
 0x1111       start connection
 0x2222       request
 0x3333       reply
 0x5555       end connection
 0x7777       burst mode message
 0x9999       server busy message

The request and reply messages have the following structure:

 Offset       Size (bytes)      Description
 ------------ ----------------- ------------------------------------------------------------------
 0x0000       0x01              function code
 0x0001       0x02              subfunction structure length
 0x0003       0x01              subfunction code
 0x0004       0x08              key
 0x000C       0x02              object type
 0x000E       0x01              object name length (n)
 0x000F       n                 object name

NCP is used in several eDirectory operations, including Novell Directory Service (NDS) and Novell Modular Authentication Service (NMAS). Each operation is assigned unique function and subfunction code values. One such NCP request is the keyed object login request. A stack buffer overflow vulnerability has been identified in the processing of this login request. The flaw exists because the data length is not verified when the value of the object name field is copied into a fixed-size stack buffer: the supplied length field is passed directly as the size parameter to the copy function without a bounds check. An attacker can exploit this vulnerability by sending a crafted message with an overly long object name value, triggering the overflow. This can in turn divert process flow. Any injected code would execute with the privileges of the eDirectory service, which is SYSTEM by default. An exploit attempt that does not result in code execution would terminate the service and cause a denial of service condition.
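As an added example (not code from the original advisory or from Novell), the following Python parser walks the NCP/IP header, the NCP header and the request body laid out in the tables above and performs the bounds check that the vulnerable copy omits: the object name length is compared with the bytes actually present before anything is used. Network byte order, the meaning of the subfunction structure length, the placeholder function and subfunction codes of the keyed object login request, and the alert threshold MAX_OBJECT_NAME_LEN are all assumptions; the page does not state the size of the overflowed buffer.

```python
import struct
from collections import namedtuple

NCP_IP_REQ_SIG = b"DmdT"          # NCP/IP signature of a request (a reply uses 'tNcP')
NCP_REQUEST = 0x2222              # NCP packet type: request
IP_HDR_LEN, NCP_HDR_LEN, BODY_FIXED_LEN = 16, 6, 15
MAX_OBJECT_NAME_LEN = 48          # assumed alert threshold; the page does not state the buffer size

KeyedLoginRequest = namedtuple(
    "KeyedLoginRequest",
    "sequence connection task function subfunction key object_type object_name")

class NcpParseError(ValueError):
    """Raised for framing that would overrun the packet or does not match the layout."""

def parse_keyed_login_request(pkt: bytes) -> KeyedLoginRequest:
    """Parse NCP/IP header, NCP header and request body, checking every length against the packet."""
    if len(pkt) < IP_HDR_LEN + NCP_HDR_LEN + BODY_FIXED_LEN:
        raise NcpParseError("packet too short for a request")
    sig, total_len, _version, _reply_buf = struct.unpack(">4sIII", pkt[:IP_HDR_LEN])
    if sig != NCP_IP_REQ_SIG or total_len != len(pkt):
        raise NcpParseError("bad NCP/IP signature or declared length")
    ptype, seq, conn_lo, task, conn_hi = struct.unpack(">HBBBB", pkt[IP_HDR_LEN:IP_HDR_LEN + NCP_HDR_LEN])
    if ptype != NCP_REQUEST:
        raise NcpParseError(f"not a request packet: {ptype:#06x}")
    body = pkt[IP_HDR_LEN + NCP_HDR_LEN:]
    func, _sub_len, sub, key, obj_type, name_len = struct.unpack(">BHB8sHB", body[:BODY_FIXED_LEN])
    name = body[BODY_FIXED_LEN:BODY_FIXED_LEN + name_len]
    if len(name) != name_len:     # the bounds check the vulnerable copy did not perform
        raise NcpParseError(f"object name length {name_len} exceeds bytes present ({len(name)})")
    return KeyedLoginRequest(seq, (conn_hi << 8) | conn_lo, task, func, sub, key, obj_type, name)

def is_suspicious(pkt: bytes, limit: int = MAX_OBJECT_NAME_LEN) -> bool:
    """Detection rule: malformed framing, or an object name longer than the assumed safe limit."""
    try:
        return len(parse_keyed_login_request(pkt).object_name) > limit
    except NcpParseError:
        return True

def build_request(name: bytes, function: int = 0, subfunction: int = 0) -> bytes:
    """Build a constructed test packet; function/subfunction default to placeholders (real codes not on page)."""
    if len(name) > 0xFF:
        raise ValueError("object name length field is a single byte")
    tail = struct.pack(">B8sHB", subfunction, b"\x00" * 8, 0x0001, len(name)) + name
    body = struct.pack(">BH", function, len(tail)) + tail   # assumes the structure length counts bytes after it
    ncp_hdr = struct.pack(">HBBBB", NCP_REQUEST, 1, 1, 1, 0)  # sequence 1, connection 1, task 1
    total = IP_HDR_LEN + len(ncp_hdr) + len(body)
    return struct.pack(">4sIII", NCP_IP_REQ_SIG, total, 1, 0x4000) + ncp_hdr + body
```

Feeding captured NCP request payloads to is_suspicious() flags both a name longer than the configured limit and a length field that claims more bytes than the packet carries, which is the condition the IPS signatures above are designed to catch.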

Dell SonicWALL has released two IPS signatures to address this issue. The following signatures were released:

  • 9546 – Novell NetIQ eDirectory NCP Buffer Overflow 1
  • 9585 – Novell NetIQ eDirectory NCP Buffer Overflow 2

In addition to these new signatures, Dell SonicWALL has existing generic exploit signatures that have been observed to proactively catch exploits targeting this vulnerability.

The vendor has released an advisory addressing this issue.
The vulnerability has been assigned the id CVE-2012-0432 by MITRE.

Novell NetIQ eDirectory NCP Buffer Overflow (Jan 23, 2013)

Novell eDirectory is an X.500-compatible directory service software product initially released in 1993 by Novell for centrally managing access to resources on multiple servers and computers within a given network. The product is made available for multiple platforms including NetWare, Unix-like systems, and Windows. It supports referential integrity, multi-master replication, and has a modular authentication architecture. The software can be accessed via LDAP, DSML, SOAP, ODBC, JDBC, JNDI, and ADSI.

Novell eDirectory uses the Novell NetWare Core Protocol (NCP) for network communication. NCP manages access to the primary NetWare server resources, such as the file system and the printing system, as well as login requests. NCP is a client/server protocol that originally ran over the now-obsolete Internetwork Packet Exchange (IPX) layer services; more recent versions of NCP can also use TCP/IP. NCP over TCP/IP messages have the following common header structure:

 Offset  Size  Description
 ------- ----- ------------------------------------------------------
 0x0000  4     NCP/IP signature, 'DmdT' for request, 'tNcP' for reply
 0x0004  4     NCP/IP Length, including the NCP over IP header
 0x0008  4     NCP/IP Version (Request only)
 0x000C  4     NCP/IP Reply Buffer Size (Request only)

A stack-based overflow vulnerability has been identified in the Novell eDirectory server. When processing an NCP request, the size of a stack buffer is not validated before user-supplied data is copied into it. An attacker can exploit this vulnerability to cause a stack overflow, which allows arbitrary code injection and execution with the privileges of the eDirectory service, SYSTEM by default.

The Dell SonicWALL UTM team has researched this vulnerability and released the following IPS signatures to detect attack attempts.

  • 9541 Novell NetIQ eDirectory NCP Buffer Overflow 1
  • 9546 Novell NetIQ eDirectory NCP Buffer Overflow 2

An existing generic shellcode signature is also able to detect attacks targeting this issue.

  • 4813 Server Application Shellcode Exploit 6

This vulnerability is referenced as CVE-2012-0432.