Novell File Reporter Engine RECORD Element Tag Parsing Overflow (credentialed check)

High | Nessus Plugin ID 55471

Synopsis

The remote Windows host contains a service that is susceptible to a remote buffer overflow attack.

Description

The version of Novell File Reporter (NFR) Engine installed on the remote Windows host is earlier than 1.0.2.53. As such, it reportedly has a flaw in its handling of HTTP requests received on the TCP port used to communicate with the NFR Agent (normally 3035). Specifically, when parsing tags inside the '<RECORD>' element, the application does not check the size of user-supplied strings before passing them to memcpy.

An unauthenticated, remote attacker with access to the service can leverage this vulnerability to corrupt the process thread's stack, possibly resulting in arbitrary code execution under the context of the SYSTEM account.
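The bug class described above (an unchecked memcpy of a tag value into a fixed-size stack buffer) and the check that removes it, as an added illustration in C. This is hypothetical code written for this page, not NFR Engine source; the tag name `NAME`, the buffer size `VALUE_MAX` and the function names are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed stack buffer a tag value is copied into (constructed). */
#define VALUE_MAX 64

/* Vulnerable pattern: the copy length comes straight from the request and
 * is never compared with the destination size. A tag value of VALUE_MAX
 * bytes or more overwrites whatever follows the buffer on the stack.
 * Kept here only for contrast; it must never see untrusted input. */
void copy_value_unchecked(char out[VALUE_MAX], const char *start, size_t len)
{
    memcpy(out, start, len);   /* no bound on len: stack overflow */
    out[len] = '\0';
}

/* Hardened parser: locates <tag>...</tag> in the RECORD body and copies
 * the value into out. Returns 0 on success, -1 if the tag is missing,
 * unterminated, or the value (plus NUL) would not fit in VALUE_MAX. */
int parse_record_tag(const char *record, const char *tag, char out[VALUE_MAX])
{
    char open[32], close[32];

    if (snprintf(open, sizeof open, "<%s>", tag) >= (int)sizeof open)
        return -1;
    if (snprintf(close, sizeof close, "</%s>", tag) >= (int)sizeof close)
        return -1;

    const char *s = strstr(record, open);
    if (s == NULL)
        return -1;
    s += strlen(open);

    const char *e = strstr(s, close);
    if (e == NULL)
        return -1;                      /* unterminated tag: reject */

    size_t len = (size_t)(e - s);
    if (len >= VALUE_MAX)
        return -1;                      /* the check the vulnerable code lacks */

    memcpy(out, s, len);
    out[len] = '\0';
    return 0;
}
```

A fuzzing harness or a unit test that feeds `parse_record_tag` a value longer than `VALUE_MAX` is the cheapest regression check for this class of bug.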

Solution

Apply the security patch referenced in Novell's advisory.

See Also

https://www.zerodayinitiative.com/advisories/ZDI-11-227/

https://www.securityfocus.com/archive/1/518632/30/0/threaded

http://download.novell.com/Download?buildid=leLxi7tQACs~

Plugin Details

Severity: High

ID: 55471

File Name: novell_file_reporter_engine_1_0_2_53.nasl

Version: 1.10

Type: local

Agent: windows

Family: Windows

Published: 6/30/2011

Updated: 11/15/2018

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9.7

Temporal Score: 8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:P

Vulnerability Information

CPE: cpe:/a:novell:file_reporter

Required KB Items: SMB/Registry/Enumerated

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/27/2011

Vulnerability Publication Date: 6/27/2011

Exploitable With

CANVAS (White_Phosphorus)

Core Impact

Reference Information

CVE: CVE-2011-2220

BID: 48470

Secunia: 45065