Novell File Reporter Agent VOL Tag Remote Code Execution (uncredentialed check)

This script is Copyright (C) 2012 Tenable Network Security, Inc.


Synopsis :

The remote host is running a service that is susceptible to a remote
buffer overflow attack.

Description :

The version of Novell File Reporter (NFR) Agent running on the remote
host is vulnerable to a remote buffer overflow attack. The specific
flaw exists within NFRAgent.exe, which listens over HTTPS on TCP port
3037 by default. When parsing tags inside the VOL element, the process
performs insufficient bounds checking on user-supplied data prior to
copying it into a fixed-length buffer on the stack.

An unauthenticated remote attacker with access to the service could
leverage this vulnerability to corrupt the process thread's stack,
possibly resulting in arbitrary code execution in the context of a
privileged account.

Note that only the NFR Agent running on a Windows OS is affected.

See also :

http://www.zerodayinitiative.com/advisories/ZDI-12-167/
http://archives.neohapsis.com/archives/bugtraq/2012-08/0193.html

Solution :

There is currently no patch for this vulnerability. One mitigation
strategy is to restrict interaction with the service to trusted
machines. Only the hosts that have a legitimate procedural relationship
with the Novell File Reporter Agent should be permitted to communicate
with it. This can be accomplished with firewall rules.
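
One way to apply and audit this restriction on an affected Windows host
(an added example, not part of the original plugin text). It assumes the
NetSecurity cmdlets (Windows Server 2012 / Windows 8 or later) and an
elevated session; the trusted addresses, the rule name and the helper
Test-CoversPort are placeholders chosen for illustration.

```powershell
# Added example: limit inbound access to the NFR Agent port to trusted hosts
# and list existing allow rules that would still expose it.
$Port    = 3037                              # default NFR Agent port (from the advisory)
$Trusted = @('192.0.2.10', '192.0.2.11')     # placeholder addresses: hosts that must reach the agent
$Name    = 'NFR Agent - trusted hosts only'  # hypothetical rule name

# Hypothetical helper: does a rule's LocalPort filter ('Any', '3037', '3000-3100') cover $Port?
function Test-CoversPort([string[]]$LocalPort, [int]$Port) {
    foreach ($p in $LocalPort) {
        if ($p -eq 'Any' -or $p -eq "$Port") { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and
            $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# 1. Enabled inbound allow rules (other than ours) that already cover the port.
$exposing = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -ne $Name } |
    ForEach-Object {
        $rule = $_
        $pf   = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -in 'TCP', 'Any' -and (Test-CoversPort $pf.LocalPort $Port)) {
            [pscustomobject]@{
                Rule    = $rule.DisplayName
                Program = ($rule | Get-NetFirewallApplicationFilter).Program
                Remote  = (($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
            }
        }
    }

# 2. Create the scoped allow rule once.
if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port -RemoteAddress $Trusted | Out-Null
}

# 3. The scoped rule only restricts access if unmatched inbound traffic is blocked
#    and no broader allow rule admits the port. Show both for review.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
$exposing | Sort-Object Rule | Format-Table -AutoSize
```

Any rule in the review table whose Remote column is Any, and whose
Program is Any or the agent binary, still admits untrusted hosts and
needs to be narrowed or disabled for the restriction to hold.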

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.5
(CVSS2#E:U/RL:U/RC:ND)
Public Exploit Available : false

Family: Gain a shell remotely

Nessus Plugin ID: 62027

Bugtraq ID: 55268

CVE ID: