=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2011/VULN154
_____________________________________________________________________

DATE                      : 25/02/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Novell NetWare version 6.5.

======================================================================
http://www.zerodayinitiative.com/advisories/ZDI-11-090/
______________________________________________________________________

Novell Netware RPC XNFS xdrDecodeString Remote Code Execution Vulnerability
ZDI-11-090: February 18th, 2011

CVE ID

       CVE-2010-4227

CVSS Score

       10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Affected Vendors

       Novell

Affected Products

       Netware

TippingPoint IPS Customer Protection
TippingPoint IPS customers are protected against this vulnerability by Digital
Vaccine protection filter ID 10874. For further product information on the
TippingPoint IPS:

       http://www.tippingpoint.com

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Novell Netware. Authentication is not required to
exploit this vulnerability.

The flaw exists within the XNFS.NLM component which listens by default on UDP
port 1234. When handling the an NFS RPC request the xdrDecodeString function
uses a user supplied length value to null terminate a string. This value can be
signed allowing the NULL byte to be written at an arbitrary address. A remote
attacker can exploit this vulnerability to execute arbitrary code under the
context of the system.

Vendor Response

Novell has issued an update to correct this vulnerability. More details can be found at:

       http://download.novell.com/Download?buildid=1z3z-OsVCiE~

Disclosure Timeline

       2010-08-25 - Vulnerability reported to vendor
       2011-02-18 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

       Francis Provencher for Protek Researchh Lab's

======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================