[Full-disclosure] ZDI-06-035: Novell eDirectory NDS Server Host Header Buffer Overflow Vulnerability

FistFuXXer FistFuXXer at gmx.de
Sat Oct 28 07:34:57 BST 2006



Hello Matt Richard,

the vulnerability details were submitted by me on June 1, 2006
CST/CDT (June 2, 2006 GMT+1). So I found the vulnerability before
Michael Ligh and Ryan Smith did. But it seems that one of the
employees of ZDI made a mistake while processing my submission.

Anyway, it doesn't matter whether the IDS signature was released on,
before or after the patch day, because a professional IPS system like
TippingPoint IPS should detect or filter shellcode and return addresses
within the Host header without any special IDS signature. For example,
you can filter all illegal characters from the Host header and convert
everything to lowercase. Or better: convert the domain name in the Host
header to a random mixture of lowercase and uppercase characters and
redirect it to the destination server; this should f*** up every kind
of ASCII shellcode and ASCII return address. ;-)

Maybe you should take a few minutes and think about the fact that we
humans aren't perfect and make mistakes, instead of wasting your time
trying to destroy the image of a company. The employees of such
companies have to do a lot of work with all the submissions they
receive, and I also know other security companies that sometimes broke
down because of this and made multiple mistakes during payment and
processing.

Sincerely yours,

Manuel Santamarina Suarez



Matt Richard wrote:
> On 10/27/06, zdi-disclosures at 3com.com <zdi-disclosures at 3com.com> wrote:
>> -- TippingPoint(TM) IPS Customer Protection:
>> TippingPoint IPS customers have been protected against this
>> vulnerability since October 26, 2006 by Digital Vaccine protection
>> filter ID 4519. For further product information on the TippingPoint IPS:
> <snip>
>> The specific flaw exists within the httpstk.dll library within the
>> dhost.exe web interface of the eDirectory Host Environment. The web
>> interface does not validate the length of the HTTP Host header prior to
>> using the value of that header in an HTTP redirect. This results in an
>> exploitable stack-based buffer overflow.
>
> This 0day was reported on 10/20/06 here
> http://www.mnin.org/advisories/2006_novell_httpstk.pdf.
>
> Seems that your initiative has fallen a bit behind.  Your customers
> had to wait for you to realize this had already been released and a
> signature was added to Bleeding Snort on 10/23.
>
> It's also a bit odd that Novell released the updates on 10/20/06, the
> same day as the MNIN advisory.
>
> Based on the time line it looks like the whole thing might have been
> ripped off.....
>
> Cheers,
>
> Matt
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: timeline.jpg
Type: image/jpeg
Size: 136368 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061028/c7e92884/attachment.jpg 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: exploit.pl
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061028/c7e92884/attachment.pl 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: advisory.pdf
Type: application/pdf
Size: 19271 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20061028/c7e92884/attachment.pdf 
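As an added example (not code from this thread, from ZDI or from Novell), the kind of Host header filter the message above describes, written for an intermediary such as a reverse proxy or IPS: cap the length, reject any byte outside the hostname grammar, and lowercase the value before forwarding it. It accepts a hostname or IPv4 literal with an optional port; the length constants are RFC 1035 limits, the extra room for a port is an assumed policy value, and IPv6 literals are not handled.

```python
import re

# Defensive Host header filter. A backend that copies the Host value into
# a fixed-size stack buffer never sees an oversized value or one carrying
# shellcode bytes, because everything outside the hostname grammar is
# rejected here first. Constants are RFC 1035 limits, not Novell's sizes.
MAX_HOST_LEN = 253     # full domain name
MAX_LABEL_LEN = 63     # single label
PORT_ROOM = 6          # assumed allowance for ':65535'

# A label is letters, digits and hyphens, not starting or ending with '-'.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")
_IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def normalize_host(raw):
    """Return a validated, lowercased 'host[:port]' string, or None to reject."""
    if not raw or len(raw) > MAX_HOST_LEN + PORT_ROOM:
        return None
    value = raw.strip().lower()
    host, sep, port = value.rpartition(":")
    if not sep:                       # no port present
        host, port = value, ""
    if port and (not port.isdigit() or not 1 <= int(port) <= 65535):
        return None
    if not host or len(host) > MAX_HOST_LEN:
        return None
    suffix = ":" + port if port else ""
    if _IPV4_RE.match(host):
        # Regex allows 3-digit octets; enforce the 0-255 range here.
        if any(int(octet) > 255 for octet in host.split(".")):
            return None
        return host + suffix
    # Hostname: every label must fit the grammar and the length limit.
    for label in host.rstrip(".").split("."):
        if len(label) > MAX_LABEL_LEN or not _LABEL_RE.match(label):
            return None
    return host + suffix


if __name__ == "__main__":
    # Constructed sample values: one legitimate header, one oversized,
    # one carrying bytes that could never be part of a hostname.
    for sample in ["WWW.Example.COM:8080", "A" * 300, "host.example/\x90\x90"]:
        print(repr(sample[:24]), "->", normalize_host(sample))
```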


Full-Disclosure is hosted and sponsored by Secunia.