Novell Modular Authentication Services (NMAS)格式化字符串漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1192646 漏洞类型 格式化字符串
发布时间 2006-12-05 更新时间 2006-12-05
CVE编号 CVE-2006-6306 CNNVD-ID CNNVD-200612-079
漏洞平台 N/A CVSS评分 1.2
|漏洞来源
https://www.securityfocus.com/bid/87319
https://cxsecurity.com/issue/WLB-2006120042
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-079
|漏洞详情
NovellClient中的NovellModularAuthenticationServices(NMAS)存在格式化字符串漏洞,具有物理访问权的用户可通过在登录窗口中的用户名字段中的格式化字符串限定符来读取栈和内存内容。
|漏洞EXP
==================================================
Layered Defense Advisory 1 December 2006
 ==================================================
1) Affected Software
Novell Client 4.91 SP2
Novell Client 4.91 SP2 Patch Kit 
Novell Client 4.91 SP3
Earlier versions may also be vulnerable
==================================================
2) SeverityRating:
Low - Medium risk 
Impact: Read arbitrary memory, denial of service.
==================================================
3) Description of Vulnerability
A format string vulnerability was discovered within Novell client 4.91 . The vulnerability is due to improper processing of format strings within NMAS (Novell Modular Authentication Services) Information message window. An attacker who enters special crafted format strings in the Username field at the Novell logon and selects Sequences under the NMAS tab can read data from the winlogon process stack or read from arbitrary memory, and at a minimum cause a denial of service.
==================================================
4) Solution
Fix: Presently no patch is available.
Work around: Disable NMAS Authentication
==================================================
5) Time Table:
07/15/2006 Reported Vulnerability to Vendor.
08/21/2006 Vendor released Novell Client - 4.91 SP2 Patch Kit which made the vulnerability worse. (This patch made it easier to read arbitrary memory)
09/17/2006 Contacted Vendor about increased risk with SP2 Patch Kit 
11/28/2006 Received the following message from Vendor :
At this point in time, development has determined this is a very low priority and apparently it will be some time before the issue is addressed. I have reported this to our Security Review Board so development's claim can be re-examined. As such, you certainly have every right to publish your findings at this time. The bug will remain open against the product.  Hopefully this can be fixed in the near future ==================================================
6) CreditsDiscovered by Deral Heiland, www.LayeredDefense.com
==================================================
7) About Layered DefenseLayered Defense, Is a group of security professionals that work together on ethical Research, Testing and Training within the information security arena. http://www.layereddefense.com
==================================================
|受影响的产品
Novell Client 4.91 SP3
|参考资料

来源:XF
名称:novell-nmas-format-string(30644)
链接:http://xforce.iss.net/xforce/xfdb/30644
来源:BUGTRAQ
名称:20061201LayeredDefenseAdvisory:NovellClient4.91FormatStringVulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/453176/100/0/threaded
来源:MISC
链接:http://www.layereddefense.com/Novell01DEC.html
来源:FULLDISC
名称:20061201LayeredDefenseAdvisory:NovellClient4.91FormatStringVulnerability
链接:http://lists.grok.org.uk/pipermail/full-disclosure/2006-December/051038.html
来源:secure-support.novell.com
链接:https://secure-support.novell.com/KanisaPlatform/Publishing/372/3546910_f.SAL_Public.html
来源:VUPEN
名称:ADV-2006-4987
链接:http://www.frsirt.com/english/advisories/2006/4987
来源:support.novell.com
链接:http://support.novell.com/cgi-bin/search/searchtid.cgi?/2974876.htm
来源:support.novell.com
链接:http://support.novell.com/cgi-bin/search/searchtid.cgi?/2974872.htm
来源:SECTRACK
名称:1017377
链接:http://securitytracker.com/id?1017377
来源:SREASON
名称:1970
链接:http://securityreason.com/securityalert/1970
来源:SECUN