lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 01 Dec 2006 05:55:55 -0500
From: Deral Heiland <dh@...ereddefense.com>
To: ull-disclosure@...ts.grok.org.uk
Subject: Layered Defense Advisory: Novell Client 4.91
 Format String Vulnerability

==================================================
Layered Defense Advisory 1 December 2006
  ==================================================
1) Affected Software
Novell Client 4.91 SP2
Novell Client 4.91 SP2 Patch Kit
Novell Client 4.91 SP3
Earlier versions may also be vulnerable
==================================================
2) SeverityRating:
Low - Medium risk
Impact: Read arbitrary memory, denial of service.
==================================================
3) Description of Vulnerability
A format string vulnerability was discovered within Novell client 
4.91 . The vulnerability is due to improper processing of format 
strings within NMAS (Novell Modular Authentication Services) 
Information message window. An attacker who enters special crafted 
format strings in the Username field at the Novell logon and selects 
Sequences under the NMAS tab can read data from the winlogon process 
stack or read from arbitrary memory, and at a minimum cause a denial 
of service.
==================================================
4) Solution
Fix: Presently no patch is available.
Work around: Disable NMAS Authentication
==================================================
5) Time Table:
07/15/2006 Reported Vulnerability to Vendor.
08/21/2006 Vendor released Novell Client - 4.91 SP2 Patch Kit which 
made the vulnerability worse. (This patch made it easier to read 
arbitrary memory)
09/17/2006 Contacted Vendor about increased risk with SP2 Patch Kit
11/28/2006 Received the following message from Vendor :
At this point in time, development has determined this is a very low 
priority and apparently it will be some time before the issue is 
addressed. I have reported this to our Security Review Board so 
development's claim can be re-examined. As such, you certainly have 
every right to publish your findings at this time. The bug will 
remain open against the product. &nbsp;Hopefully this can be fixed in 
the near future ==================================================
6) CreditsDiscovered by Deral Heiland, www.LayeredDefense.com
==================================================
7) About Layered DefenseLayered Defense, Is a group of security 
professionals that work together on ethical Research, Testing and 
Training within the information security arena. http://www.layereddefense.com
==================================================


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists