Bugtraq archives for 2nd quarter (Apr-Jun) 1999: DoS with Netware 4.x's TTS

DoS with Netware 4.x's TTS

Simple Nomad (thegnomeNMRC.ORG)
Wed, 12 May 1999 14:18:59 -0500


                          Nomad Mobile Research Centre
                                 A D V I S O R Y
                        Simple Nomad [thegnomenmrc.org]

                              Platform : Netware 4.x
                           Application : NDS
                              Severity : High


It is possible to overflow the Transaction Tracking System (TTS) built into
Novell Netware and possibly crash multiple servers.

Tested configuration

The testing was done with the following configuration:

Netware 4.11, Service Pack 5B

Also confirmed on Netware 4.1. All systems had 64MB RAM and 1 GB drive space.

Bug(s) report

The Transaction Tracking System (TTS) is used by Novell Netware to help
preserve the integrity of data during a system crash. If a transaction is in
the process of being written to the hard drive when the system crashes, upon
reboot the partial transaction is backed out preserving the integrity of the
original data. Administrators can optionally flag a file with the TTS flag
to add this protection (typically done with databases, especially those that
have no rollback features).

TTS by default tracks 10,000 transactions, and each instance uses a small
amount of memory. If a burst of transactions is sent to the server and the
available memory is exhausted, TTS will be disabled. While TTS is disabled, no
updates can be made to Netware Directory Services. This can impact any program
or process that updates NDS, such as login. In extreme overrun cases, such as
very large simultaneous (or near simultaneous, actually) transactions, memory
will be depleted quickly enough to crash the server.

This is not entirely uncommon, as any large burst of traffic updating NDS
will cause the problem, such as bringing up a server after several days of
downtime that has a Directory Services replica on it. Normally this can be
corrected by increasing RAM or lowering the number of transactions tracked
from the maximum default of 10,000 down to say 5,000 by issuing the command
SET MAXIMUM TRANSACTIONS = 5000 at the console or via ServMan, and enabling
TTS by typing ENABLE TTS at the console.

However, a malicious user with proper access can force the memory depletion
and potentially crash a server that has a replica of the NDS database. This
can lead to multiple near-simultaneous server crashes.

Of course anyone with administrative access can do this, but they could
obviously do other acts that could be just as destructive, if not more so.
What is needed is the ability to create a large number of NDS updates very
quickly. For example, if a user has the ability to create a container and
add objects to it, then that user has enough authority to potentially cause
problems to TTS. Creating a container, dropping a few hundred objects into the
container via drag-and-drop and then deleting the container should suffice.

If the server lacks a large amount of free memory, the server will quite
possibly abend. In other cases, TTS is disabled, which is a form of Denial of
Service. As the messages are sent across to other servers containing NDS
replicas, they too may crash. In our test environment we were able to crash
two servers (Netware 4.1 and Netware 4.11) with the scenario of creating a
container, adding a few hundred users, and then deleting the container.


NMRC has heard reports of as many as a dozen servers crashing within a couple
of minutes of each other, so apply the latest Service Pack for Netware 4.x on
all servers or upgrade to Netware 5.


Novell has already been notified and they are obviously aware of the TTS
limitations (refer to the May 1997 TID 2908153 at
http://support.novell.com/cgi-bin/search/tidfinder.cgi?2908153 for an example).
Per Novell the latest patches for Netware 4.x correct the problem, and Netware
5 does not have the problem at all.

Thanks to Michel Labelle <divebchotmail.com> for notifying NMRC about this


See http://www.nmrc.org/news/ for more advisories.

    Simple Nomad    //
 thegnomenmrc.org  //  ....no rest for the Wicca'd....
    www.nmrc.org    //
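
Added example, not part of the original advisory: a sketch of how the condition described above (one account producing hundreds of NDS updates within seconds, typically a container that is created, filled and then deleted) could be flagged from directory audit data. The event tuples, object names and thresholds are constructed assumptions, not a real NetWare audit format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def make_sample():
    """Constructed events (time, user, op, object name); not a real NetWare audit format."""
    t0 = datetime(1999, 5, 12, 14, 0, 0)
    ev = [(t0, "jdoe", "CREATE", "OU=tmp.O=acme")]
    ev += [(t0 + timedelta(seconds=1 + i // 10), "jdoe", "CREATE",
            f"CN=u{i}.OU=tmp.O=acme") for i in range(300)]
    ev.append((t0 + timedelta(seconds=40), "jdoe", "DELETE", "OU=tmp.O=acme"))
    # Normal background activity: one change every five minutes.
    ev += [(t0 + timedelta(minutes=5 * i), "admin", "MODIFY",
            f"CN=staff{i}.O=acme") for i in range(20)]
    return ev

def find_update_bursts(events, window=timedelta(seconds=60), threshold=200):
    """Map each user whose NDS updates reach `threshold` inside one sliding
    window to (peak_count, window_start, window_end)."""
    recent, alerts = defaultdict(deque), {}
    for ts, user, _op, _name in sorted(events, key=lambda e: e[0]):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:      # drop updates older than the window
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(user, (0,))[0]:
            alerts[user] = (len(q), q[0], ts)
    return alerts

def short_lived_containers(events, max_life=timedelta(minutes=5), min_children=100):
    """List (user, container, child_count) for containers that were created,
    filled with at least `min_children` objects and deleted within `max_life`."""
    created, children, hits = {}, defaultdict(int), []
    for ts, user, op, name in sorted(events, key=lambda e: e[0]):
        if op == "CREATE":
            created[name] = ts
            parent = name.split(".", 1)[1] if "." in name else ""
            children[parent] += 1
        elif op == "DELETE" and name in created:
            if ts - created[name] <= max_life and children[name] >= min_children:
                hits.append((user, name, children[name]))
    return hits

if __name__ == "__main__":
    sample = make_sample()
    for user, (count, start, end) in find_update_bursts(sample).items():
        print(f"burst: {user} made {count} NDS updates between {start} and {end}")
    for user, name, n in short_lived_containers(sample):
        print(f"short-lived container: {name} ({n} objects) deleted by {user}")
```

The 200-update and 100-object thresholds are placeholders; set them against the normal update rate of the tree being monitored.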