CVE-2012-0432
published 2012-12-25


Priority: P2 · 68 · Severity: critical · CVSS 2.0 base score: 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available (Metasploit module, see notes below)
EPSS: 58.70% (99.0th percentile)
Stack-based buffer overflow in the Novell NCP implementation in NetIQ eDirectory 8.8.7.x before 8.8.7.2 allows remote attackers to have an unspecified impact via unknown vectors.

Affected (2 ranges)

Vendor: microfocus
Product: edirectory
Version range: 8.8.7.x before 8.8.7.2 (per the description above)
Fixed in: 8.8.7.2 (eDirectory 8.8 SP7 Patch 2)

Detection & IOCs (extracted from sources)

port: 524 (NCP over TCP)
process: ndsd
other: RET_ADDRESS=0x080a4697 (jmp *%esi in the ndsd data segment 0x08087000-0x080a6000)
bytes (create service connection request): 44 6d 64 54 00 00 00 17 00 00 00 01 00 00 00 00 11 11 00 00 00 00 00
bytes (Keyed Object Login request, abbreviated): 44 6d 64 54 ... 22 22 01 ff 00 00 17 00 a7 18 90 90 50
bytes (service connection reply): 74 4e 63 50 00 00 00 10 33 33
  • Detect NCP requests on TCP port 524 that start with the NCP-over-TCP request signature 0x44 0x6d 0x64 0x54 ("DmdT") and carry a Keyed Object Login request (FunctionCode 0x17, SubFunctionCode 0x18) with an oversized ClientNameLen field (0x50); this is the exploit trigger.
  • Alert on NCP replies on TCP port 524 that start with the service connection reply signature 0x74 0x4e 0x63 0x50 ("tNcP") followed, after the 4-byte length field, by the reply type 0x33 0x33; the exploit validates this reply before sending the overflow payload.
  • Monitor the eDirectory/ndsd host for a new listener on, or unexpected inbound connections to, TCP port 5074, which is the bind-shell port the exploit payload spawns.
  • Detect NCP requests on TCP/524 whose total length field (bytes 4-7) is 0x000001a0 (416 bytes) or larger in combination with FunctionCode 0x17 and SubFunctionCode 0x18; that combination indicates a malformed, oversized Keyed Object Login request.
  • Look for NOP sleds (runs of 0x90) inside NCP payloads on TCP/524: the exploit fills the overflow buffer with 0x90 bytes before the shellcode.
  • The Metasploit module targets specifically 'Novell eDirectory 8.8.7 v20701.33 / SLES 10 SP3' with Ret=0x080a4697 and Offset=58; other patch levels use different offsets.
  • The vulnerability is fixed in eDirectory 8.8 SP7 Patch 2 (build 20703.00); systems running that version or later are not affected.
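The detection notes above can be turned into a small request parser and checker. The following is an added example written for this page, not the Metasploit module, a vendor tool or any Micro Focus code. It follows the NCP-over-TCP framing shown in the byte sequences on this page ("DmdT" request signature, big-endian length field, 0x2222 service request, 0x17/0x18 Keyed Object Login, "tNcP" reply with 0x3333). The layout of the Keyed Object Login body (8-byte login key, 2-byte object type, 1-byte object name length, then the name) is taken from the NCP 23/24 definition and is an assumption here, as are the offsets derived from it and the 16-byte minimum run of 0x90 used to call something a NOP sled. The sample packets are constructed test fixtures with no return address or shellcode.

```python
"""Checker for the oversized NCP Keyed Object Login request described above.

Added example, not code from the page or the vendor. Framing follows the byte
sequences on the page; the Keyed Object Login body layout and the NOP-sled
threshold are assumptions (see lead-in).
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

NCP_REQ_SIG = b"DmdT"           # 44 6d 64 54, NCP-over-TCP request signature
NCP_REPLY_SIG = b"tNcP"         # 74 4e 63 50, NCP-over-TCP reply signature
NCP_SERVICE_REQUEST = 0x2222
NCP_SERVICE_REPLY = b"\x33\x33"
NCP_FUNC_17 = 0x17
NCP_SUBFUNC_KEYED_OBJECT_LOGIN = 0x18
OVERSIZED_NAME_LEN = 0x50       # ClientNameLen used by the exploit (page IOC)
OVERSIZED_TOTAL_LEN = 0x1A0     # length-field threshold (page IOC)
NOP_SLED_MIN = 16               # assumed: shortest 0x90 run treated as a sled


@dataclass
class NcpRequest:
    total_len: int
    ncp_type: int
    function: int
    subfunction: Optional[int]
    object_name_len: Optional[int]
    payload: bytes              # bytes after the subfunction code


def parse_ncp_request(pkt: bytes) -> NcpRequest:
    """Parse the NCP-over-TCP request header; raise ValueError if not NCP."""
    # 16-byte TCP header ("DmdT", total length, version, reply buffer size),
    # then 2-byte type, sequence, conn low, task, conn high, function code.
    if len(pkt) < 23 or pkt[:4] != NCP_REQ_SIG:
        raise ValueError("not an NCP-over-TCP request")
    total_len = struct.unpack(">I", pkt[4:8])[0]
    ncp_type = struct.unpack(">H", pkt[16:18])[0]
    function = pkt[22]
    subfunction = object_name_len = None
    payload = b""
    if function == NCP_FUNC_17 and len(pkt) >= 26:
        # function 0x17 carries a 2-byte subfunction length, then the code
        subfunction = pkt[25]
        payload = pkt[26:]
        if subfunction == NCP_SUBFUNC_KEYED_OBJECT_LOGIN and len(pkt) >= 37:
            object_name_len = pkt[36]   # assumed: after 8-byte key + 2-byte type
    return NcpRequest(total_len, ncp_type, function, subfunction,
                      object_name_len, payload)


def longest_run(buf: bytes, value: int) -> int:
    """Length of the longest run of `value` in buf (NOP-sled measure)."""
    best = cur = 0
    for b in buf:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def detect(pkt: bytes) -> List[str]:
    """Return the page's indicators that match one TCP/524 request."""
    try:
        req = parse_ncp_request(pkt)
    except ValueError:
        return []
    if (req.ncp_type != NCP_SERVICE_REQUEST or req.function != NCP_FUNC_17
            or req.subfunction != NCP_SUBFUNC_KEYED_OBJECT_LOGIN):
        return []
    findings = []
    if req.object_name_len is not None and req.object_name_len >= OVERSIZED_NAME_LEN:
        findings.append(f"oversized ObjectNameLen 0x{req.object_name_len:02x}")
    if req.total_len >= OVERSIZED_TOTAL_LEN:
        findings.append(f"oversized NCP length field 0x{req.total_len:04x}")
    run = longest_run(req.payload, 0x90)
    if run >= NOP_SLED_MIN:
        findings.append(f"NOP sled of {run} x 0x90 in Keyed Object Login payload")
    return findings


def is_service_connection_reply(data: bytes) -> bool:
    """The 'tNcP ... 33 33' reply the exploit waits for before the overflow."""
    return len(data) >= 10 and data[:4] == NCP_REPLY_SIG and data[8:10] == NCP_SERVICE_REPLY


def build_keyed_object_login(object_name: bytes, login_key: bytes,
                             trailer: bytes = b"") -> bytes:
    """Constructed test fixture (no return address, no shellcode)."""
    body = login_key + b"\x00\x01" + bytes([len(object_name) & 0xFF]) + object_name + trailer
    subfunc = bytes([NCP_SUBFUNC_KEYED_OBJECT_LOGIN]) + body
    ncp = (struct.pack(">H", NCP_SERVICE_REQUEST) + bytes([1, 0xFF, 0, 0, NCP_FUNC_17])
           + struct.pack(">H", len(subfunc)) + subfunc)
    return NCP_REQ_SIG + struct.pack(">III", 16 + len(ncp), 1, 0) + ncp


# Constructed samples: the two byte sequences from the page, a normal login,
# and a request shaped like the trigger (0x50 name length, 0x90 filler).
CREATE_SERVICE_CONNECTION = bytes.fromhex("446d645400000017000000010000000011110000000000")
SERVICE_CONNECTION_REPLY = bytes.fromhex("744e6350000000103333")
BENIGN_LOGIN = build_keyed_object_login(b"admin", bytes(range(8)))
SUSPICIOUS_LOGIN = build_keyed_object_login(b"\x90" * OVERSIZED_NAME_LEN, b"\x90" * 8,
                                            trailer=b"\x90" * 300)

if __name__ == "__main__":
    for name, pkt in (("create-conn", CREATE_SERVICE_CONNECTION),
                      ("benign", BENIGN_LOGIN), ("suspicious", SUSPICIOUS_LOGIN)):
        print(name, detect(pkt) or "clean")
    print("reply ok:", is_service_connection_reply(SERVICE_CONNECTION_REPLY))
```

Run on a per-request basis over reassembled TCP/524 streams; the reply check is only useful as context for the request that follows it, since a legitimate client sees the same 0x3333 reply.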