Vulnerabilities > CVE-2012-0430 - Unspecified vulnerability in Microfocus Edirectory

047910
CVSS 6.4 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
microfocus
nessus
NVD
Published: 2012-12-25
Updated: 2021-04-13

Summary

Unspecified vulnerability in NetIQ eDirectory 8.8.6.x before 8.8.6.7 and 8.8.7.x before 8.8.7.2 on Windows allows remote attackers to obtain an administrator cookie and bypass authorization checks via unknown vectors.

Vulnerable Configurations

Part Description Count
Application
Microfocus
9

Nessus

NASL familyMisc.
NASL idEDIRECTORY_88SP7_PATCH2.NASL
descriptionThe remote host is running eDirectory, a directory service software from Novell. The installed version of Novell eDirectory is affected by multiple issues : - An unspecified cross-site scripting flaw exists. (CVE-2012-0428) - It is possible to trigger a remote denial of service vulnerability by sending a malformed HTTP request. (CVE-2012-0429) - An unspecified flaw may allow a remote attacker to gain access to administrator cookie information. (CVE-2012-0430) - There is an unspecified stack-based buffer overflow in the Novell NCP implementation in eDirectory that has unspecified impact. (CVE-2012-0432)
last seen2020-06-01
modified2020-06-02
plugin id63338
published2012-12-27
reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/63338
titleNovell eDirectory 8.8.x Multiple Security Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(63338);
  script_version("1.15");
  script_cvs_date("Date: 2018/11/15 20:50:23");

  script_cve_id(
    "CVE-2012-0428",
    "CVE-2012-0429",
    "CVE-2012-0430",
    "CVE-2012-0432"
  );
  script_bugtraq_id(57038);
  script_xref(name:"EDB-ID", value:"24205");
  script_xref(name:"EDB-ID", value:"24323");

  script_name(english:"Novell eDirectory 8.8.x Multiple Security Vulnerabilities");
  script_summary(english:"Checks version of eDirectory from an ldap search");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote directory service is affected by multiple vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is running eDirectory, a directory service software
from Novell.  The installed version of Novell eDirectory is affected by
multiple issues :

  - An unspecified cross-site scripting flaw exists.
    (CVE-2012-0428)

  - It is possible to trigger a remote denial of service 
    vulnerability by sending a malformed HTTP request. 
    (CVE-2012-0429)
 
  - An unspecified flaw may allow a remote attacker to gain 
    access to administrator cookie information. 
    (CVE-2012-0430)

  - There is an unspecified stack-based buffer overflow in 
    the Novell NCP implementation in eDirectory that has 
    unspecified impact. (CVE-2012-0432)"
  );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2013/Jan/97");
  script_set_attribute(attribute:"see_also", value:"https://support.microfocus.com/kb/doc.php?id=3426981");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?caef468a");
  script_set_attribute(attribute:"see_also", value:"https://support.microfocus.com/kb/doc.php?id=7011539");
  script_set_attribute(attribute:"see_also", value:"https://support.microfocus.com/kb/doc.php?id=7011538");
  script_set_attribute(attribute:"see_also", value:"https://support.microfocus.com/kb/doc.php?id=7011533");
  script_set_attribute(attribute:"solution", value:"Upgrade to eDirectory 8.8 SP6 Patch 7 / 8.8 SP7 Patch 2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Novell eDirectory 8 Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/12/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/12/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/12/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:novell:edirectory");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies("ldap_search.nasl");
  script_require_ports("Services/ldap", 389);
  
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("audit.inc");

ldap_port = get_service(svc:"ldap", default:389, exit_on_fail:TRUE);

edir_ldap = get_kb_item_or_exit('LDAP/'+ldap_port+'/vendorVersion');
if ("Novell eDirectory" >< edir_ldap) edir_product = chomp(strstr(edir_ldap, "Novell eDirectory"));
else audit(AUDIT_NOT_LISTEN, 'Novell eDirectory', ldap_port);

info = '';

# LDAP Agent for Novell eDirectory 8.8 SP7 (20703.00) : Patched
# LDAP Agent for Novell eDirectory 8.8 SP6 (20608.00) : Patched 
if (
  ereg(pattern:'^LDAP Agent for Novell eDirectory 8.8 *\\(([0-9]+)\\.([0-9]+)\\)$', string:edir_ldap) ||
  ereg(pattern:'^LDAP Agent for Novell eDirectory 8.8 *SP[0-5] *\\(([0-9]+)\\.([0-9]+)\\)$', string:edir_ldap) 
)
{ 
  info =  '\n  Installed Version       : ' + edir_product;
  info += '\n  Fixed Version : 8.8 SP6 Patch 7 / 8.8 SP7 Patch 2\n';
}
else if (ereg(pattern:'LDAP Agent for Novell eDirectory 8.8 SP[67]', string:edir_ldap))
{
  build_major = NULL;
  sp = NULL;

  matches = eregmatch(pattern:'^LDAP Agent for Novell eDirectory 8.8 *SP([67]) *\\(([0-9]+)\\.([0-9]+)\\)$', string:edir_ldap);
  if (matches) 
  {  
    sp = matches[1]; 
    build_major = matches[2];
  }

  if (!isnull(sp))
  {
    if (int(sp) == 6)
    {
      if (isnull(build_major) || int(build_major) < 20608)
      {
        info =  '\n  Installed version : ' + edir_product;
        info += '\n  Fixed version     : 8.8 SP6 Patch 7 (20608.00)\n';
      }
    }
    else if (int(sp) == 7)
    {
      if (isnull(build_major) || int(build_major) < 20703)
      { 
        info =  '\n  Installed version : ' + edir_product;
        info += '\n  Fixed version     : 8.8 SP7 Patch 2 (20703.00)\n';
      }
    }
  }
}

if (info)
{
  set_kb_item(name:'www/0/XSS', value:TRUE);

  if (report_verbosity > 0)
  {
    report = '\nThe following vulnerable Novell eDirectory instance was found : \n' + info;
    security_hole(port:ldap_port, extra:report);
  }
  else security_hole(ldap_port);
  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, edir_product, ldap_port);

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 57038 CVE(CAN) ID: CVE-2012-0428,CVE-2012-0429,CVE-2012-0430,CVE-2012-0432 Novell eDirectory是一个跨平台的目录服务器。 Novell eDirectory 8.8.7.2、8.8.6.7之前版本存在跨站脚本、拒绝服务、信息泄露、栈缓冲区溢出漏洞,利用这些漏洞,攻击者可在受影响浏览器中执行任意脚本代码、窃取cookie、泄露敏感信息、执行任意代码、造成拒绝服务。 1)在处理某些字符时,dhost服务内存在错误,可被利用通过特制的HTTP请求造成拒绝服务。此漏洞仅影响Windwos。 2)NCP实现内存在错误,可造成栈缓冲区溢出。 0 Novell eDirectory 8.8.7.2 Novell eDirectory 8.8.6.7 厂商补丁: Novell ------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载8.8.7.2/8.8.6.7版本: http://download.novell.com/
idSSV:60541
last seen2017-11-19
modified2012-12-25
published2012-12-25
reporterRoot
titleNovell eDirectory dhost服务/NCP实现内多个安全漏洞

References