Novell NetIQ eDirectory NCP Buffer Overflow
Novell eDirectory is an X.500-compatible directory service software product initially released in 1993 by Novell for centrally managing access to resources on multiple servers and computers within a given network. The product is made available for multiple platforms including NetWare, Unix-like systems, and Windows. It supports referential integrity, multi-master replication, and has a modular authentication architecture. The software can be accessed via LDAP, DSML, SOAP, ODBC, JDBC, JNDI, and ADSI.
Novell eDirectory uses the Novell NetWare Core Protocol (NCP) for network communication. NCP manages access to the primary NetWare server resources, such as the file system and the printing system, and also handles login requests. NCP is a client/server protocol that originally ran over Internetwork Packet Exchange (IPX), which is now obsolete. More recent versions of NCP can also use TCP/IP. NCP over TCP/IP messages have the following common header structure:
Offset  Size  Description
------- ----- ------------------------------------------------------
0x0000  4     NCP/IP signature, 'DmdT' for request, 'tNcP' for reply
0x0004  4     NCP/IP Length, including the NCP over IP header
0x0008  4     NCP/IP Version (Request only)
0x000C  4     NCP/IP Reply Buffer Size (Request only)
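The header layout above can be checked defensively before any payload is handled. The following parser is an added example, not part of the original advisory and not the logic of the IPS signatures listed below. It assumes the fields are big-endian (network byte order), and the MAX_MESSAGE cap and the sample messages are constructed for illustration.

```python
import struct

REQUEST_SIG = b"DmdT"   # request signature, from the header table
REPLY_SIG = b"tNcP"     # reply signature, from the header table
MAX_MESSAGE = 65535     # assumed sanity cap; not a value from the advisory


def parse_ncp_ip_header(data):
    """Parse the NCP over TCP/IP header; return (fields, problems)."""
    problems = []
    if len(data) < 8:
        return None, ["truncated: fewer than 8 header bytes"]
    sig = data[0:4]
    # Assumption: fields are big-endian (network byte order).
    (length,) = struct.unpack_from(">I", data, 4)
    fields = {"signature": sig.decode("ascii", "replace"), "length": length}
    if sig == REQUEST_SIG:
        fields["kind"] = "request"
        header_len = 16  # requests also carry Version and Reply Buffer Size
        if len(data) < header_len:
            return fields, ["truncated: request header needs 16 bytes"]
        version, reply_buf = struct.unpack_from(">II", data, 8)
        fields["version"] = version
        fields["reply_buffer_size"] = reply_buf
    elif sig == REPLY_SIG:
        fields["kind"] = "reply"
        header_len = 8
    else:
        return fields, ["unknown signature"]
    # The length field includes the header, so it can never be smaller.
    if length < header_len:
        problems.append("declared length smaller than header")
    if length > MAX_MESSAGE:
        problems.append("declared length exceeds sanity cap")
    if length != len(data):
        problems.append("declared length does not match bytes received")
    # Only expose a payload once every length check has passed.
    fields["payload"] = data[header_len:length] if not problems else b""
    return fields, problems


# Constructed sample messages (not captured traffic).
GOOD = b"DmdT" + struct.pack(">III", 20, 1, 0) + b"\x00\x01\x02\x03"
BAD = b"DmdT" + struct.pack(">III", 0x7FFFFFFF, 1, 0) + b"\x00\x01"

if __name__ == "__main__":
    for msg in (GOOD, BAD):
        print(parse_ncp_ip_header(msg))
```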
A stack-based buffer overflow vulnerability has been identified in the Novell eDirectory server. When processing an NCP request, the server does not validate the size of a stack buffer before copying user-supplied data into it. An attacker can exploit this vulnerability to cause a stack overflow, which allows arbitrary code injection and execution with the privileges of the eDirectory service, by default SYSTEM.
The Dell SonicWALL UTM team has researched this vulnerability and released the following IPS signatures to detect attack attempts:
- 9541 Novell NetIQ eDirectory NCP Buffer Overflow 1
- 9546 Novell NetIQ eDirectory NCP Buffer Overflow 2
An existing generic shellcode signature is also able to detect attacks targeting this issue:
- 4813 Server Application Shellcode Exploit 6
This vulnerability is tracked as CVE-2012-0432.