Re: Novell BorderManager 3.5 Remote Slow Death

[ronvdaal () SYNTONIC NET (Ron van Daal)]

Hello,

I experienced the same problem with several servers running NetWare 5.0
sp4 and BorderManager 3.0 (Enterprise Edition). I discovered this bug
a few months ago when doing a NMAP scan. When opening a telnet session
to TCP port 2000 and hitting enter, the NetWare server gives the same
Short Term MAlloc error you describe, with the difference that it starts
with a few million attempts to get more memory.

--
Ron van Daal          | Syntonic Internet | tel. +31(0)46-4230738
ronvdaal () syntonic net | www.syntonic.net  | fax. +31(0)46-4230739

On Wed, 9 Feb 2000, Chicken Man wrote:

> 1-27-2000   9:34:47 am:   SERVER-5.0-830  [nmID=2000A]
>     Short Term Memory Allocator is out of Memory.
>     1 attempts to get more memory failed.
>
> The telnet session will not disconnect, unless you manually close the
> connection. Over the course of two days (every few minutes or so, YMMV) the
> error will repeat, with the number of attempts steadily increasing (by
> several million each time). Eventually (again, for us it was two days, YMMV)
> the firewall will deny all requests, and eventually crash completely.

Our NetWare servers didn't crash, because I took the servers down
after noticing the MAlloc error.

> <RANT>
> Why is the port even accessable from the outside (or the inside for that
> matter)? The default BorderManager packet filtering rules indictate that
> pretty much everything is being passed. Why is the NLM loaded by default?
> Tcpcon shows various other services running that shouldn't be either
> (c27-2000   9:34:47 am:   SERVER-5.0-830  [nmID=2000A]
>     Short Term Memory Allocator is out of Memory.
>     1 attempts to get more memory failed.

I can't find any vulnerabilities in the other services (chargen,
echo, discard, etc). Try FILTCFG.NLM to disable these services.

-Ron