From: Richard Bartlett (richardHACKERIMMUNITY.COM)
Date: Mon Apr 02 2001 - 12:42:11 CDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Whilst pen testing a BorderManager 3.5 server I came across a problem
    which I have now reproduced twice, and which I believe to be a
    vulnerability either in Novell's TCP/IP stack or in BorderManager VPN;
    details below.

    (*) One of the ports open on the outbound interface of the
    BorderManager server is 353, which allows for initial handshaking
    between VPN Client & Server to exchange the Keys.
    (*) I verified the port was open using a port scanner.
    (*) I ran the command 'for /l %%h in (1, 1, 300) do nc -d -z [server
    ip] 353' (works from Windows NT or 2000).
    (*) After running the command the port appears closed and VPN
    connections can no longer be made.
    (*) On checking the server logs it was found that after ~250
    connections are opened, the server runs out of TCP/IP connections,
    and all further connection attempts fail with the error message "No
    more TCP/IP client connections are available."
    (*) Re-loading vpn and re-initialising the system failed to resolve
    the problem, and the only way to fix the problem appeared to be to
    reboot the server.
    (*) No error messages other than those in the VPN log were found, no
    console messages warned that the service was unavailable, and there
    was no other indication of a fault.

    I have checked all information security resources including
    Novell.com and BUGTRAQ and I don't believe this is a known issue.
    I've also checked for information on how I can prevent this occurring
    using documented methods of preventing such an attack ('SET TCP
    DEFEND SYN ATTACKS', 'Tcp Connection Establishment timeout', 'Maximum
    Pending TCP Connection Requests') but I haven't been able to complete
    testing on that yet.

    Any help from Novell BM users would be appreciated. (This
    vulnerability was sent to securenovell.com under RFPolicy Thu
    15/03/01 22:41 and an automatic reply received soon after. No other
    response has since been received).

    Many thanks in advance for your co-operation,

    Richard Bartlett
    Hacker Immunity Ltd

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8

    iQA/AwUBOsi5zzLlt6EzGMC5EQJm0wCfer7DL+lVOnfn1BX8xcVmb5kpIzQAnRsE
    /Mj4ENXYkox0ep9KPE9+HgxV
    =+Pt7
    -----END PGP SIGNATURE-----