Subject: Re: Novell BorderManager 3.5 Remote Slow Death
From: Ron van Daal (ronvdaalSYNTONIC.NET)
Date: Wed Feb 09 2000 - 06:53:50 CST


Hello,

I experienced the same problem with several servers running NetWare 5.0
sp4 and BorderManager 3.0 (Enterprise Edition). I discovered this bug
a few months ago when doing an NMAP scan. When opening a telnet session
to TCP port 2000 and hitting enter, the NetWare server gives the same
Short Term MAlloc error you describe, with the difference that it starts
with a few million attempts to get more memory.

--
Ron van Daal          | Syntonic Internet | tel. +31(0)46-4230738
ronvdaalsyntonic.net | www.syntonic.net  | fax. +31(0)46-4230739

On Wed, 9 Feb 2000, Chicken Man wrote:

> 1-27-2000 9:34:47 am: SERVER-5.0-830 [nmID=2000A]
> Short Term Memory Allocator is out of Memory.
> 1 attempts to get more memory failed.
>
> The telnet session will not disconnect, unless you manually close the
> connection. Over the course of two days (every few minutes or so, YMMV) the
> error will repeat, with the number of attempts steadily increasing (by
> several million each time). Eventually (again, for us it was two days, YMMV)
> the firewall will deny all requests, and eventually crash completely.

Our NetWare servers didn't crash, because I took the servers down after noticing the MAlloc error.

> <RANT>
> Why is the port even accessible from the outside (or the inside for that
> matter)? The default BorderManager packet filtering rules indicate that
> pretty much everything is being passed. Why is the NLM loaded by default?
> Tcpcon shows various other services running that shouldn't be either
> (c

I can't find any vulnerabilities in the other services (chargen, echo, discard, etc). Try FILTCFG.NLM to disable these services.

-Ron
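
A defender-side check for the symptom described in this thread, as an added example that is not part of the original posts: it scans console-log text for the Short Term Memory Allocator record and reports whether the failed-attempt counter is climbing. Only the first sample record comes from the thread; the other two records, the function names, and the availability of the log as plain text are assumptions.

```python
import re
from datetime import datetime

# Record layout as quoted in the thread: header line, message, attempt count.
RECORD = re.compile(
    r"^\s*(\d{1,2}-\d{1,2}-\d{4}) (\d{1,2}:\d{2}:\d{2} [ap]m):\s+\S+\s+\[nmID=\w+\]\s*\n"
    r"\s*Short Term Memory Allocator is out of Memory\.\s*\n"
    r"\s*(\d+) attempts to get more memory failed\.",
    re.MULTILINE | re.IGNORECASE,
)

# First record is the one from the thread; the next two are constructed.
SAMPLE_LOG = """\
1-27-2000 9:34:47 am: SERVER-5.0-830 [nmID=2000A]
  Short Term Memory Allocator is out of Memory.
  1 attempts to get more memory failed.
1-27-2000 9:41:02 am: SERVER-5.0-830 [nmID=2000A]
  Short Term Memory Allocator is out of Memory.
  3214877 attempts to get more memory failed.
1-27-2000 9:47:30 am: SERVER-5.0-830 [nmID=2000A]
  Short Term Memory Allocator is out of Memory.
  7650112 attempts to get more memory failed.
"""

def parse_alloc_failures(text):
    """Return [(timestamp, failed_attempts)] for each allocator record."""
    events = []
    for date, clock, attempts in RECORD.findall(text):
        ts = datetime.strptime(f"{date} {clock}", "%m-%d-%Y %I:%M:%S %p")
        events.append((ts, int(attempts)))
    return events

def assess(events):
    """'clean', 'isolated' (one record) or 'escalating' (counter climbing)."""
    run = []
    for ts, n in events:
        if run and n <= run[-1][1]:  # counter dropped: treat as a restart
            run = []
        run.append((ts, n))
    if not run:
        return "clean"
    return "escalating" if len(run) > 1 else "isolated"

if __name__ == "__main__":
    found = parse_alloc_failures(SAMPLE_LOG)
    print(assess(found), [n for _, n in found])
```

An "escalating" result matches the pattern reported above, where the attempt count grows with each repeat of the error.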