Security Advisory for NetWare 6.5 OpenSSH
- Wednesday, September 1, 2010, 14:13
- Threat Research
Posted by Zef Cekaj
This is a little information clarifying the exploitability of ZDI-10-169 as discovered by ZDI researcher Francis Provencher.
Novell has classified this bug as a Denial of Service and will not be issuing
a patch. Novell's official statement is available here.
For the sake of lulz, please narrate this to yourself in the voice of the Old
Spice Guy:
Hello World!
Look at Novell's report:
A vulnerability has been identified in NetWare 6.5 SSH which, if exploited
repeatedly, could be used for a Denial-of-Service Attack. The flaw exists in
SSHD.NLM and one of its sub-modules, SFTP-SVR.NLM.
Now look back to mine:
The flaw exists within SSHD.NLM. When the application attempts to resolve an
absolute path on the server, a 512-byte destination buffer is used without
bounds checking. By providing a large enough value, an attacker can cause a
buffer to be overflowed. Successful exploitation results in remote code
execution under the context of the server.
Look at Novell's module:
# .m SSHD.NLM
SSHD.NLM OpenSSH daemon(NICI) 3.7.1p6 (SP8 build 78)
Loaded from on Aug 25, 2010 1:15:12 pm
OS address space
Version 3.71.05
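The ZDI description quoted above turns on a path being resolved into a 512-byte buffer with no bounds check. As an added illustration (not Novell's code and not part of the original post), here is what a bounded version of that kind of routine looks like. The function name resolve_path, the PATH_BUF constant, the '/' separator and the sample paths are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 512  /* destination size named in the advisory */

/* Hypothetical helper (not Novell's code): join the session directory and a
 * client-supplied path into dst. The unsafe pattern is strcpy(dst, cwd);
 * strcat(dst, req); with no length check. Returns 0, or -1 if it won't fit. */
int resolve_path(char *dst, size_t dst_len, const char *cwd, const char *req)
{
    size_t cwd_len, req_len;
    int add_sep;

    if (!dst || dst_len == 0 || !cwd || !req)
        return -1;
    dst[0] = '\0';
    req_len = strlen(req);

    if (req[0] == '/') {           /* already absolute: copy only if it fits */
        if (req_len >= dst_len)
            return -1;
        memcpy(dst, req, req_len + 1);
        return 0;
    }

    cwd_len = strlen(cwd);
    add_sep = (cwd_len == 0 || cwd[cwd_len - 1] != '/');
    /* Compare against the remaining space so the arithmetic cannot wrap. */
    if (cwd_len >= dst_len || req_len >= dst_len - cwd_len)
        return -1;
    if (cwd_len + (size_t)add_sep + req_len + 1 > dst_len)
        return -1;

    memcpy(dst, cwd, cwd_len);
    if (add_sep)
        dst[cwd_len++] = '/';
    memcpy(dst + cwd_len, req, req_len + 1);
    return 0;
}

int main(void)
{
    char out[PATH_BUF], big[PATH_BUF * 2];   /* constructed sample input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("%d\n", resolve_path(out, sizeof out, "/home/user", "docs"));
    printf("%d\n", resolve_path(out, sizeof out, "/home/user", big));
    return 0;
}
```

An over-long request is refused before any byte is copied, so the destination is left as an empty string rather than a truncated path.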