Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Networks :: bx3100.htm

Novell Client <= 4.91 SP4 Local Stack overflow / B.S.O.D (unauthentificated user)



Novell Client <= 4.91 SP4 Local Stack overflow / B.S.O.D (unauthentificated user)
Novell Client <= 4.91 SP4 Local Stack overflow / B.S.O.D (unauthentificated user)



Application: Novell Client <= 4.91 SP4=0D
=0D
Web Site: http://www.novell.com/products/clients/=0D 
=0D
Platform: Windows=0D
=0D
Bug: Local Stack overflow / B.S.O.D (unauthentificated user)=0D
=0D
Impact: Critical=0D
-------------------------------------------------------=0D
=0D
1) Introduction=0D
=0D
2) Bug=0D
=0D
3) Proof of concept=0D
=0D
4) Credits=0D
=0D
============0D
=0D
1) Introduction=0D
=0D
============0D
=0D
"Novell Client=99 4.91 for Windows XP is workstation software that brings an easy-to-use, secure,=0D
and manageable networking environment to Windows XP and Windows 2003 users.=0D
It enables you to access NetWare=AE services from Windows XP workstations or 2003 Windows servers,=0D
and tightly integrates either product into your NetWare network. For example,=0D
with Novell Client for Windows XP, you can browse through authorized NetWare directories,=0D
transfer files, print documents and use advanced NetWare services directly from a Windows XP workstation or Windows Server 2003."=0D
=0D
=0D
=======0D
=0D
2) Bug=0D
=0D
=======0D
=0D
There's a funny bug in novell client, a while ago a stack based overflow was present in the username field.=0D
this as been patched, but i guess not properlly.=0D
=0D
You have a username field limited to 255 chars, but when you fill up this field , and press login button=0D
it tells you "not loggued in".=0D
If you click on the "forgot passwd" link, it will popup a little windows with your username supplied printed,=0D
stack based overflow occurs here, Allowing code execution .=0D
=0D
=0D
======0D
=0D
3)Proof of concept=0D
=0D
======0D
=0D
When you boot the machine,you'll be firstly prompted for your Novell login.=0D
If you fill up username with 254's B ==> click login ==> forgotten password ==> B.S.O.D=0D
=0D
If the workstation is allready loggued in:=0D
novell ==> login Novell ==> 254's A ==> click login ==> forgotten password ==> Result:=0D
=0D
Access violation - code c0000005 (first chance)=0D
First chance exceptions are reported before any exception handling.=0D
This exception may be expected and handled.=0D
eax=41414141 ebx=00000111 ecx=00000001 edx=00000000 esi=00997980 edi=00997980=0D
eip=73d22054 esp=00dff278 ebp=00dff200 iopl=0         nv up ei pl nz na pe nc=0D
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206=0D
=0D
MFC42!Ordinal5163+0x492:=0D
73d22054 8908            mov     dword ptr [eax],ecx  ds:0023:41414141=????????=0D
=0D
=0D
=0D
=0D
==================0D
=0D
5)Credits=0D
=0D
=================0D
=0D
laurent gaffi=E9=0D
laurent.gaffie[at]gmail[dot]com


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH