Bugtraq mailing list archives
Novell BorderManager 3.5 Remote Slow Death
From: chicknmon () HOTMAIL COM (Chicken Man)
Date: Wed, 9 Feb 2000 00:58:58 GMT
On a (default) installation of BorderManager 3.5 sp1, spc02 running on NetWare 5.0 sp3a with nici 1.3.1, telnet to port 2000 on the firewall (on either the public or private interface) and hit enter a few times. Utilization will jump (to 67% on our systems), and the console will immediately report an error similar to the following:

1-27-2000 9:34:47 am: SERVER-5.0-830 [nmID=2000A] Short Term Memory Allocator is out of Memory. 1 attempts to get more memory failed.

The telnet session will not disconnect unless you manually close the connection. Over the course of two days (every few minutes or so, YMMV) the error will repeat, with the number of attempts steadily increasing (by several million each time). Eventually (again, for us it was two days, YMMV) the firewall will deny all requests, and eventually crash completely.

Further symptoms: Using tcpcon you can see something listening on port 2000. If the telnet session has been closed from the remote end, tcpcon reports that the previous session is in a "closewait" state. It may be possible to do more bad things since this entry never clears automatically (i.e. use up the rest of the system resources by opening and closing connections to this port). It can be cleared using tcpcon.

The misbehaving NLM is CSATPXY.NLM. It is the CS Audit Trail Proxy, which is apparently loaded by default on a BorderManager 3.5 install. From what various people tell me, it could also be installed on non-BorderManager Novell servers (though probably not by default), which means this vulnerability may extend beyond BorderManager 3.5.

Novell was contacted regarding this and the answer was "unload the NLM". Unloading the NLM does stop the slow death. Rebooting will reload the NLM, so it must be taken out of whatever loads it on boot, of course.

<RANT> Why is the port even accessible from the outside (or the inside, for that matter)? The default BorderManager packet filtering rules indicate that pretty much everything is being passed. Why is the NLM loaded by default? Tcpcon shows various other services running that shouldn't be either (chargen, echo, etc). Why? What other vulnerabilities am I missing? </RANT>

enjoy,
ChicknMon
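The two checks a practitioner would want from the post above, as an added example that is not code from the post or from Novell: a probe that connects to the port, sends a few blank lines the way Enter in telnet does, and reports whether the peer ever closes the session; and a parser for the SERVER-5.0-830 console line that tracks how the failed-attempt counter grows between repeats. The local "leaky" and "well-behaved" listeners are constructed here so the script runs offline; only the first console line is from the post, the later ones are constructed; the port constant, the timeouts and the function names are assumptions.

```python
import re
import socket
import threading
import time

# Port the post reports CSATPXY.NLM listening on (assumption: default install).
CSATPXY_PORT = 2000

# First console line is quoted in the post; the next two are constructed here to
# mimic the counter climbing "by several million each time"; the last is noise.
CONSOLE_LINES = [
    "1-27-2000 9:34:47 am: SERVER-5.0-830 [nmID=2000A] Short Term Memory "
    "Allocator is out of Memory. 1 attempts to get more memory failed.",
    "1-27-2000 9:41:12 am: SERVER-5.0-830 [nmID=2000A] Short Term Memory "
    "Allocator is out of Memory. 3000000 attempts to get more memory failed.",
    "1-27-2000 9:47:03 am: SERVER-5.0-830 [nmID=2000A] Short Term Memory "
    "Allocator is out of Memory. 7500000 attempts to get more memory failed.",
    "1-27-2000 9:50:00 am: Some unrelated console message.",
]

ALLOCATOR_RE = re.compile(
    r"Short Term Memory Allocator is out of Memory\. (\d+) attempts to get more memory failed"
)


def parse_allocator_error(line):
    """Return the failed-attempt counter from a SERVER-5.0-830 line, or None."""
    m = ALLOCATOR_RE.search(line)
    return int(m.group(1)) if m else None


def attempt_deltas(lines):
    """Growth of the counter between consecutive allocator errors; a steadily
    positive series is the 'slow death' signature the post describes."""
    counts = [c for c in map(parse_allocator_error, lines) if c is not None]
    return [later - earlier for earlier, later in zip(counts, counts[1:])]


def probe_holds_connection(host, port, blank_lines=3, timeout=2.0):
    """Connect, send a few CR/LF pairs (what hitting Enter in telnet sends),
    then wait for the peer to close. True means the peer kept the session open
    for the whole timeout, the behaviour reported for port 2000; False means
    it sent FIN or RST like a well-behaved service would."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"\r\n" * blank_lines)
        deadline = time.monotonic() + timeout
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return True
            s.settimeout(remaining)
            try:
                chunk = s.recv(1024)
            except socket.timeout:
                return True
            except ConnectionResetError:
                return False
            if chunk == b"":  # orderly close (FIN) from the peer
                return False
            # a banner or echo arrived: keep waiting to see if the peer ever closes


def start_mock_listener(hold_open):
    """Local stand-in for the service (constructed, not the real NLM).
    hold_open=True never reads or closes accepted sockets, so a client that
    hangs up leaves the server side in CLOSE_WAIT, as tcpcon showed.
    Returns (listening_socket, port); close the socket to stop the thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    held = []  # references keep the leaked sockets from being garbage-collected

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed by the caller
                return
            if hold_open:
                held.append(conn)
            else:
                conn.recv(1024)
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


if __name__ == "__main__":
    print("allocator counter deltas:", attempt_deltas(CONSOLE_LINES))
    for label, hold in (("leaky", True), ("well-behaved", False)):
        srv, port = start_mock_listener(hold)
        print(f"{label} listener holds session open: "
              f"{probe_holds_connection('127.0.0.1', port, timeout=1.0)}")
        srv.close()
```

Against a real box, `probe_holds_connection(firewall_ip, CSATPXY_PORT)` returning True matches the symptom in the post; combine it with `attempt_deltas` over the captured console log to confirm the counter is climbing rather than a one-off allocation failure. The probe only tells you the session is held open; it does not measure the memory effect, which is why the console check is kept alongside it.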
Current thread:
- Re: Fwd: CERT Advisory CA-2000-02, (continued)
- Re: Fwd: CERT Advisory CA-2000-02 Ari Gordon-Schlosberg (Feb 03)
- Re: Fwd: CERT Advisory CA-2000-02 Marc Slemko (Feb 03)
- Re: Fwd: CERT Advisory CA-2000-02 Henrik Nordstrom (Feb 05)
- Re: Fwd: CERT Advisory CA-2000-02 Byron Alley (Feb 07)
- Re: Fwd: CERT Advisory CA-2000-02 Len Budney (Feb 08)
- Novell GroupWise 5.5 Enhancement Pack Web Access Denial of Servic e Adam Gray (Feb 07)
- Re: Fwd: CERT Advisory CA-2000-02 Henri Torgemane (Feb 03)
- recent 'cross site scripting' CERT advisory Tim Hollebeek (Feb 04)
- Re: recent 'cross site scripting' CERT advisory Marc Slemko (Feb 05)
- Re: recent 'cross site scripting' CERT advisory Manuel Martin (Feb 08)
- Novell BorderManager 3.5 Remote Slow Death Chicken Man (Feb 08)
- Re: Novell BorderManager 3.5 Remote Slow Death Ron van Daal (Feb 09)
- Re: Novell BorderManager 3.5 Remote Slow Death Puchatek (Feb 11)
- Re: recent 'cross site scripting' CERT advisory Bill Thompson (Feb 06)
- Re: recent 'cross site scripting' CERT advisory Ari Gordon-Schlosberg (Feb 07)
- Re: recent 'cross site scripting' CERT advisory Taneli Huuskonen (Feb 07)
- Re: recent 'cross site scripting' CERT advisory Peter W (Feb 08)
- Re: recent 'cross site scripting' CERT advisory Mikael Olsson (Feb 08)
- Re: recent 'cross site scripting' CERT advisory Henri Torgemane (Feb 08)
- Re: 'cross site scripting' defenses flynngn () JMU EDU (Feb 06)
- Microsoft Security Bulletin (MS00-004) Microsoft Product Security (Feb 04)