Vulnerabilities > CVE-2012-0432 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microfocus Edirectory 8.8.7.0/8.8.7.1

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
microfocus
CWE-119
critical
nessus
exploit available
metasploit
NVD
Published: 2012-12-25
Updated: 2021-04-13

Summary

Stack-based buffer overflow in the Novell NCP implementation in NetIQ eDirectory 8.8.7.x before 8.8.7.2 allows remote attackers to have an unspecified impact via unknown vectors.

Vulnerable Configurations

Part Description Count
Application
Microfocus
2

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

  • descriptionNovell eDirectory 8 Buffer Overflow. CVE-2012-0432. Remote exploits for multiple platform
    idEDB-ID:24323
    last seen2016-02-02
    modified2013-01-24
    published2013-01-24
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/24323/
    titleNovell eDirectory 8 - Buffer Overflow
  • descriptionNovell NCP Pre-Auth Remote Root Exploit. CVE-2012-0432. Remote exploit for linux platform
    idEDB-ID:24205
    last seen2016-02-02
    modified2013-01-18
    published2013-01-18
    reporterGary Nilson
    sourcehttps://www.exploit-db.com/download/24205/
    titleNovell NCP Pre-Auth Remote Root Exploit

Metasploit

descriptionThis exploit abuses a buffer overflow vulnerability in Novell eDirectory. The vulnerability exists in the ndsd daemon, specifically in the NCP service, while parsing a specially crafted Keyed Object Login request. It allows remote code execution with root privileges.
idMSF:EXPLOIT/LINUX/MISC/NOVELL_EDIRECTORY_NCP_BOF
last seen2020-05-21
modified2018-09-15
published2013-01-23
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/novell_edirectory_ncp_bof.rb
titleNovell eDirectory 8 Buffer Overflow

Nessus

NASL familyMisc.
NASL idEDIRECTORY_88SP7_PATCH2.NASL
descriptionThe remote host is running eDirectory, a directory service software from Novell. The installed version of Novell eDirectory is affected by multiple issues : - An unspecified cross-site scripting flaw exists. (CVE-2012-0428) - It is possible to trigger a remote denial of service vulnerability by sending a malformed HTTP request. (CVE-2012-0429) - An unspecified flaw may allow a remote attacker to gain access to administrator cookie information. (CVE-2012-0430) - There is an unspecified stack-based buffer overflow in the Novell NCP implementation in eDirectory that has unspecified impact. (CVE-2012-0432)
last seen2020-06-01
modified2020-06-02
plugin id63338
published2012-12-27
reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/63338
titleNovell eDirectory 8.8.x Multiple Security Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(63338);
  script_version("1.15");
  script_cvs_date("Date: 2018/11/15 20:50:23");

  script_cve_id(
    "CVE-2012-0428",
    "CVE-2012-0429",
    "CVE-2012-0430",
    "CVE-2012-0432"
  );
  script_bugtraq_id(57038);
  script_xref(name:"EDB-ID", value:"24205");
  script_xref(name:"EDB-ID", value:"24323");

  script_name(english:"Novell eDirectory 8.8.x Multiple Security Vulnerabilities");
  script_summary(english:"Checks version of eDirectory from an ldap search");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote directory service is affected by multiple vulnerabilities."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is running eDirectory, a directory service software
from Novell.  The installed version of Novell eDirectory is affected by
multiple issues :

  - An unspecified cross-site scripting flaw exists.
    (CVE-2012-0428)

  - It is possible to trigger a remote denial of service 
    vulnerability by sending a malformed HTTP request. 
    (CVE-2012-0429)
 
  - An unspecified flaw may allow a remote attacker to gain 
    access to administrator cookie information. 
    (CVE-2012-0430)

  - There is an unspecified stack-based buffer overflow in 
    the Novell NCP implementation in eDirectory that has 
    unspecified impact. (CVE-2012-0432)"
  );
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2013/Jan/97");
  script_set_attribute(attribute:"see_also", value:"https://support.microfocus.com/kb/doc.php?id=3426981");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?caef468a");
  script_set_attribute(attribute:"see_also", value:"https://support.microfocus.com/kb/doc.php?id=7011539");
  script_set_attribute(attribute:"see_also", value:"https://support.microfocus.com/kb/doc.php?id=7011538");
  script_set_attribute(attribute:"see_also", value:"https://support.microfocus.com/kb/doc.php?id=7011533");
  script_set_attribute(attribute:"solution", value:"Upgrade to eDirectory 8.8 SP6 Patch 7 / 8.8 SP7 Patch 2 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Novell eDirectory 8 Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/12/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/12/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/12/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:novell:edirectory");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies("ldap_search.nasl");
  script_require_ports("Services/ldap", 389);
  
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("audit.inc");

ldap_port = get_service(svc:"ldap", default:389, exit_on_fail:TRUE);

edir_ldap = get_kb_item_or_exit('LDAP/'+ldap_port+'/vendorVersion');
if ("Novell eDirectory" >< edir_ldap) edir_product = chomp(strstr(edir_ldap, "Novell eDirectory"));
else audit(AUDIT_NOT_LISTEN, 'Novell eDirectory', ldap_port);

info = '';

# LDAP Agent for Novell eDirectory 8.8 SP7 (20703.00) : Patched
# LDAP Agent for Novell eDirectory 8.8 SP6 (20608.00) : Patched 
if (
  ereg(pattern:'^LDAP Agent for Novell eDirectory 8.8 *\\(([0-9]+)\\.([0-9]+)\\)$', string:edir_ldap) ||
  ereg(pattern:'^LDAP Agent for Novell eDirectory 8.8 *SP[0-5] *\\(([0-9]+)\\.([0-9]+)\\)$', string:edir_ldap) 
)
{ 
  info =  '\n  Installed Version       : ' + edir_product;
  info += '\n  Fixed Version : 8.8 SP6 Patch 7 / 8.8 SP7 Patch 2\n';
}
else if (ereg(pattern:'LDAP Agent for Novell eDirectory 8.8 SP[67]', string:edir_ldap))
{
  build_major = NULL;
  sp = NULL;

  matches = eregmatch(pattern:'^LDAP Agent for Novell eDirectory 8.8 *SP([67]) *\\(([0-9]+)\\.([0-9]+)\\)$', string:edir_ldap);
  if (matches) 
  {  
    sp = matches[1]; 
    build_major = matches[2];
  }

  if (!isnull(sp))
  {
    if (int(sp) == 6)
    {
      if (isnull(build_major) || int(build_major) < 20608)
      {
        info =  '\n  Installed version : ' + edir_product;
        info += '\n  Fixed version     : 8.8 SP6 Patch 7 (20608.00)\n';
      }
    }
    else if (int(sp) == 7)
    {
      if (isnull(build_major) || int(build_major) < 20703)
      { 
        info =  '\n  Installed version : ' + edir_product;
        info += '\n  Fixed version     : 8.8 SP7 Patch 2 (20703.00)\n';
      }
    }
  }
}

if (info)
{
  set_kb_item(name:'www/0/XSS', value:TRUE);

  if (report_verbosity > 0)
  {
    report = '\nThe following vulnerable Novell eDirectory instance was found : \n' + info;
    security_hole(port:ldap_port, extra:report);
  }
  else security_hole(ldap_port);
  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, edir_product, ldap_port);

Packetstorm

Saint

bid57038
descriptionNovell eDirectory NCP KeyedObjectLogin Function Vulnerability
idmisc_edirectoryver
osvdb88718
titleedirectory_ncp_keyedobjectlogin
typeremote

Seebug

  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 57038 CVE(CAN) ID: CVE-2012-0428,CVE-2012-0429,CVE-2012-0430,CVE-2012-0432 Novell eDirectory是一个跨平台的目录服务器。 Novell eDirectory 8.8.7.2、8.8.6.7之前版本存在跨站脚本、拒绝服务、信息泄露、栈缓冲区溢出漏洞,利用这些漏洞,攻击者可在受影响浏览器中执行任意脚本代码、窃取cookie、泄露敏感信息、执行任意代码、造成拒绝服务。 1)在处理某些字符时,dhost服务内存在错误,可被利用通过特制的HTTP请求造成拒绝服务。此漏洞仅影响Windwos。 2)NCP实现内存在错误,可造成栈缓冲区溢出。 0 Novell eDirectory 8.8.7.2 Novell eDirectory 8.8.6.7 厂商补丁: Novell ------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载8.8.7.2/8.8.6.7版本: http://download.novell.com/
    idSSV:60541
    last seen2017-11-19
    modified2012-12-25
    published2012-12-25
    reporterRoot
    titleNovell eDirectory dhost服务/NCP实现内多个安全漏洞
  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:77938
    last seen2017-11-19
    modified2014-07-01
    published2014-07-01
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-77938
    titleNovell NCP Pre-Auth Remote Root Exploit

References