NetWare Portmapper Buffer Overflow

October 8, 2009

NetWare is a network operating system developed by Novell. It provides file sharing and other services such as printing and email. The Remote Procedure Call (RPC) portmapper is a service that converts RPC program numbers into network addresses and port numbers. When a client wishes to make an RPC call to a given program number, it first contacts portmapper to determine the network address and port number where RPC packets should be sent. The library PKERNEL.NLM provides NetWare with portmapper and RPC functionality.

Portmapper hosts a service, portmap (program number 100000), which can be accessed by a CALLIT RPC message. A stack-based buffer overflow vulnerability exists in NetWare's portmapper module PKERNEL.NLM. Specifically, the vulnerable function copies Argument Length bytes from a CALLIT RPC message into a fixed-size stack buffer without performing a bounds check. An attacker can exploit this vulnerability by sending a malicious CALLIT RPC message with an overly long Argument Length to the affected portmap service. Successful exploitation could lead to remote code execution in the context of the portmap service, normally root. The vulnerability has been assigned Bugtraq ID 36564. It affects the latest version of NetWare, v6.5.0 SP8; other versions may also be affected.

SonicWALL has released an IPS signature to detect and block specific exploitation attempts targeting this vulnerability. The signature is listed below:

  • 2068 - Novell NetWare Portmapper BO Attempt
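
The check described above can be illustrated with an added example (not SonicWALL's signature logic and not Novell's code): it parses a UDP portmap payload using the standard ONC RPC call layout and flags CALLIT messages whose Argument Length is above a threshold or larger than the bytes actually present. The 1024-byte threshold, the function names and the sample packets are assumptions constructed for this example; the page does not state the size of the vulnerable buffer.

```python
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_CALLIT = 100000, 2, 5
MAX_ARGS_LEN = 1024  # assumed alert threshold; the page gives no buffer size


def _skip_opaque_auth(buf, off):
    """Skip an opaque_auth: flavor, length, then body padded to 4 bytes."""
    _flavor, length = struct.unpack_from(">2I", buf, off)
    return off + 8 + ((length + 3) & ~3)


def inspect_callit(payload, max_args_len=MAX_ARGS_LEN):
    """Return None for non-CALLIT traffic, else a dict with an alert verdict."""
    try:
        _xid, mtype, rpcvers, prog, _vers, proc = struct.unpack_from(">6I", payload, 0)
    except struct.error:
        return None  # too short to be an RPC call header
    if (mtype, rpcvers, prog, proc) != (0, 2, PMAP_PROG, PMAPPROC_CALLIT):
        return None
    try:
        off = _skip_opaque_auth(payload, 24)   # credentials
        off = _skip_opaque_auth(payload, off)  # verifier
        target_prog, _tvers, _tproc, args_len = struct.unpack_from(">4I", payload, off)
    except struct.error:
        return {"alert": True, "reason": "truncated CALLIT message"}
    present = len(payload) - (off + 16)  # bytes that follow the length field
    reasons = []
    if args_len > max_args_len:
        reasons.append("argument length above threshold")
    if args_len > present:
        reasons.append("argument length exceeds bytes in datagram")
    return {"alert": bool(reasons), "reason": "; ".join(reasons),
            "args_len": args_len, "present": present, "target_prog": target_prog}


def build_sample(declared_len, args=b""):
    """Constructed test input: CALLIT call with AUTH_NONE credentials/verifier."""
    hdr = struct.pack(">6I", 0x1234, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_CALLIT)
    auth = struct.pack(">4I", 0, 0, 0, 0)
    call = struct.pack(">4I", 100003, 3, 0, declared_len)  # constructed target
    return hdr + auth + call + args


if __name__ == "__main__":
    for sample in (build_sample(8, b"\0" * 8), build_sample(4096, b"\0" * 16)):
        print(inspect_callit(sample))
```

The parser assumes UDP framing; RPC over TCP prefixes each record with a 4-byte record marker that must be stripped first.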