Novell iManager Tree Name Denial of Service

Novell iManager is a Web-based administration console that provides customized access to network administration utilities and content from virtually any location in the world. A default installation of Novell iManager includes the Apache HTTP server, Tomcat application container and so on.

Novell iManager provides services through HTTP on port 8080/TCP, and HTTPS on port 8443/TCP. The iManager default login page is accessible via the following URL:

https://:/nps/servlet/webacc

where the port is 8443 by default.

In the login page listed above there are three input login credentials, which include a User Name, a Password and a Tree Name. The input data and other various hidden parameters are submitted in the same URI using an HTTP POST request. The data is passed to the iManager application in the web form represented by variables. The Tree Name parameter is passed in the variable "tree".

A denial of service vulnerability is found in the Novell iManager web application. The vulnerability is due to a failure of the application to properly check the length of the variable tree submitted within the iManager login request. Specifically, the vulnerable codes check the input string and add some extra characters to the input string, which causes the overwritten of the stack buffer. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP GET or POST request to the server. This will result in abnormal termination of the affected service process, causing a denial of service condition.

SonicWALL UTM team has researched this vulnerability, and created the following IPS signature to prevent/detect the attacks addressing this issue:

• 5475 Generic Server Application Buffer Overflow Exploit 2

This vulnerability is referred by the CVE as CVE-2010-1930.