Advisory Details

August 29th, 2012

(0Day) Novell File Reporter NFRAgent.exe VOL Tag Remote Code Execution Vulnerability

ZDI-12-167
ZDI-CAN-1318

CVE ID
CVSS SCORE 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
AFFECTED VENDORS Novell
AFFECTED PRODUCTS File Reporter
VULNERABILITY DETAILS


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell File Reporter Agent. Authentication is not required to exploit this vulnerability.

The specific flaw exists within NFRAgent.exe which communicates with the Agent component over HTTPS on TCP port 3037. When parsing tags inside the VOL element, the process performs insufficient bounds checking on user-supplied data prior to copying it into a fixed-length buffer on the stack. This vulnerability can result in remote code execution under the context of the SYSTEM account.

ADDITIONAL DETAILS


This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180 day deadline.

-- Mitigation:
Given the stated purpose of File Reporter, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the Novell File Reporter Agent should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles.


DISCLOSURE TIMELINE
  • 2011-10-21 - Vulnerability reported to vendor
  • 2012-08-29 - Coordinated public release of advisory
CREDIT Tenable Network Security
BACK TO ADVISORIES