Novell Netware FTP Server BO

April 9, 2010

The Novell Netware operating system provides file sharing and other services such as printing and email. Netware includes an FTP server which facilitates the transfer of files to and from Netware volumes. File transfers can be performed using a regular FTP client.

The initial connection to the FTP server forms the control stream on which FTP service commands are passed from the client on occasion from the server to the client. A separate stream is used for the transfer of data.

FTP service commands define the file transfer or the file system function requested by a connected user. Some examples of FTP commands are listed:

  • CWD - to change the working directory
  • MKD - to create a directory
  • RMD - to delete a directory
  • LIST - to transfer a list of files in the current directory
  • NLST - to transfer names of files with CRLF or NL characters

A buffer overflow vulnerability exists in the Novell Netware FTP service. The vulnerability is due to insufficient boundary checks when processing some FTP commands. The vulnerable code performs an internal memory copy of a user supplied string into a static size buffer without validating the length of the string. When an FTP user requests directory creation or removal with an overly long argument, the vulnerable code will copy the argument past the aforementioned buffer.

Exploitation of this vulnerability may result in process flow diversion of the vulnerable service. The service will continue to operate after an unsuccessful code injection attempt. This may give the attacker multiple chances to exploit the targeted host. Only authenticated users have the ability to attempt an attack as the affected commands are available post authentication only.

SonicWALL already has existing signatures addressing this type of flaw that will detect and block attacks targeting this vulnerability. The following signatures are available:

  • 34 - MKD Command BO Attempt
  • 239 - RMD Command BO Attempt

This vulnerability has been assigned CVE-2010-0625 by Mitre. The vendor has released an advisory with a patch addressing this issue.