Novell eDirectory NCP Get Extension Information Request Memory Corruption Vulnerability
Summary
Novell eDirectory is a cross-platform directory server. NetWare Core Protocol, commonly referred to as NCP, is used by eDirectory to synchronize data between servers in the directory tree. NCP supports various request types, one of which is the 'Get NCP Extension Information By Name Request'.
Credit:
The information has been provided by iDefense.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=748
Details
Vulnerable Systems:
* eDirectory version 8.8 SP2 for Windows
Immune Systems:
* eDirectory version 8.8 SP2 for Linux
The vulnerability exists due to an area of heap memory being used after it has already been freed. By sending malformed data it is possible to cause an area of heap memory to be freed by one thread, and then reused after another thread allocates the same area of memory. This results in the original thread operating on the data changed by the second thread, which may lead to the execution of arbitrary code.
Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the affected service, usually SYSTEM. In order to trigger this vulnerability, an attacker needs to send a series of specifically timed requests and have some degree of control of the memory layout of the process. In Labs testing, it was often difficult to reliably trigger the vulnerability. While difficult, the possibility of executing arbitrary code should not be ruled out.
Vendor response:
Novell has released a patch for this vulnerability and advises that all users of Novell eDirectory should update.
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5037180.html
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5037181.html