Executive Summary



This alert is flagged under the CWE/SANS Top 25 Common Weakness Enumeration list.
Summary
Title: Novell File Reporter contains multiple vulnerabilities
Information
Name: VU#273371
First vendor publication: 2012-11-16
Vendor: VU-CERT
Last vendor modification: 2012-11-16
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Environmental score: N/A
Impact subscore: N/A
Temporal score: N/A
Exploitability subscore: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS base score: 10
CVSS impact score: 10
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None required

Detail

Vulnerability Note VU#273371

Novell File Reporter contains multiple vulnerabilities

Original Release date: 16 Nov 2012 | Last revised: 16 Nov 2012

Overview

Novell File Reporter 1.0.2 contains multiple vulnerabilities including a heap overflow, arbitrary file retrieval, and arbitrary file upload.

Description

The Rapid7 advisory states:

    CVE-2012-4956 - Heap Overflow
    When handling requests of name "SRS", the NFRAgent.exe fails to generate a response in a secure way, copying user controlled data into a fixed-length buffer in the heap without bounds checking. This vulnerability can result in remote code execution under the context of the SYSTEM account.

    CVE-2012-4957 - Arbitrary File Retrieval
    When handling requests on "/FSF/CMD" for records with NAME "SRS", OPERATION "4" and CMD "103" the NFRAgent.exe allows a remote unauthenticated user to retrieve arbitrary remote files, specified with the tag "PATH", with SYSTEM privileges.

    CVE-2012-4958 - Arbitrary File Retrieval
    When handling requests on "/FSF/CMD" for records with NAME "FSFUI" and UICMD "126" the NFRAgent.exe allows a remote unauthenticated user to retrieve arbitrary remote text files, specified with the tag "FILE", with SYSTEM privileges.

    CVE-2012-4959 - Arbitrary File Upload
    When handling requests on "/FSF/CMD" for records with NAME "FSFUI" and UICMD "130" the NFRAgent.exe allows a remote unauthenticated user to upload files to the host, specified with the tag "FILE", with SYSTEM privileges. It allows executing remote code with SYSTEM privileges.


Additional details may be found in the Rapid7 blog post entitled "New 0day Exploits: Novell File Reporter Vulnerabilities".

Impact

A remote unauthenticated attacker may be able to execute code, retrieve arbitrary files, and upload arbitrary files to the host.

Solution

We are currently unaware of a practical solution to this problem. Please consider the following workaround.

Restrict Access

Deploy appropriate firewall rules so only trusted networks and hosts can communicate with the Novell File Reporter agent.

Vendor Information

Vendor          Status      Date Notified   Date Updated
Novell, Inc.    Affected    -               16 Nov 2012

CVSS Metrics

Group           Score   Vector
Base            7.8     AV:N/AC:M/Au:N/C:C/I:P/A:N
Temporal        7.4     E:H/RL:W/RC:C
Environmental   5.6     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959

Credit

Thanks to Juan Vazquez for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2012-4956, CVE-2012-4957, CVE-2012-4958, CVE-2012-4959
  • Date Public: 16 Nov 2012
  • Date First Published: 16 Nov 2012
  • Date Last Updated: 16 Nov 2012
  • Document Revision: 14

Original Source

Url : http://www.kb.cert.org/vuls/id/273371

CWE : Common Weakness Enumeration

% Id Name
75 % CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)
25 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

CPE : Common Platform Enumeration

Type Description Count
Application 1

SAINT Exploits

Description
Novell File Reporter FSFUI File Upload

ExploitDB Exploits

id Description
2012-12-12 Novell File Reporter Agent XML Parsing Remote Code Execution Vulnerability (0...
2012-11-19 NFR Agent FSFUI Record File Upload RCE

OpenVAS Exploits

Date Description
2012-12-12 Name : Novell File Reporter 'NFRAgent.exe' Multiple Security Vulnerabilities
File : nvt/gb_novell_file_reporter_56579.nasl

Snort® IPS/IDS

Date Description
2014-01-10 Novell File Reporter FSFUI request directory traversal attempt
RuleID : 24767 - Revision : 6 - Type : SERVER-WEBAPP
2014-01-10 Novell File Reporter SRS request arbitrary file download attempt
RuleID : 24766 - Revision : 6 - Type : SERVER-WEBAPP
2014-01-10 Novell File Reporter SRS request heap overflow attempt
RuleID : 24765 - Revision : 6 - Type : SERVER-WEBAPP

Nessus® Vulnerability Scanner

Date Description
2012-11-20 Name : An application running on the remote host has an arbitrary file download vuln...
File : novell_file_reporter_agent_download.nasl - Type : ACT_GATHER_INFO

Alert History

Date Informations
2014-02-17 12:07:40
  • Multiple Updates
2012-11-29 21:21:48
  • Multiple Updates
2012-11-29 21:20:25
  • Multiple Updates
2012-11-20 00:21:28
  • Multiple Updates
2012-11-19 00:20:51
  • Multiple Updates
2012-11-16 21:19:26
  • First insertion