[20003] in bugtraq


def-2001-17: Navision Financials Server DoS

daemon@ATHENA.MIT.EDU (Peter Gründl)
Tue Apr 3 16:07:19 2001

MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-ID:  <047e01c0bbfd$4a22d290$71002d0a@dk.defcomsec.com>
Date:         Tue, 3 Apr 2001 07:16:50 +0200
Reply-To: Peter Gründl <peter.grundl@DEFCOM.COM>
From: Peter Gründl <peter.grundl@DEFCOM.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

======================================================================
                  Defcom Labs Advisory def-2001-17

                   Navision Financials Server DoS

Author: Peter Gründl <peter.grundl@defcom.com>
Release Date: 2001-04-03
======================================================================
------------------------=[Brief Description]=-------------------------
The Navision Financials Server contains a flaw that allows an attacker
to crash the service.

------------------------=[Affected Systems]=--------------------------
- Navision Financials Server V2.50 for Windows NT/2000
- Navision Financials Server V2.60 for Windows NT/2000

----------------------=[Detailed Description]=------------------------
Sending a null character followed by approx. 30k of A's to TCP port
2407 causes a buffer overflow and terminates the process (SERVER.EXE).
The overflow does not appear to be exploitable for code execution; the
result is a denial of service.

A smaller amount of data can also be used, and will silently kill the
process. This requires approx. 10 connections, each starting with a
null character followed by 100+ characters.
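As an added example (not code from the advisory or from Navision), the
following Python flags both trigger patterns described above when run
over reconstructed connection records. It assumes a feed of
(source address, destination port, first payload bytes) tuples, as a
capture tool or IDS would hand them over; the sample records are
constructed here, and the alert thresholds simply mirror the
advisory's approximate figures (30k, 100+ bytes, 10 connections).

```python
"""Detect the Navision Financials Server (TCP/2407) crash pattern.

Added example, not the advisory's or the vendor's code.  Assumes each
record is (src_ip, dst_port, payload_bytes) for the first data segment
of a TCP connection, e.g. reconstructed from a capture.  Thresholds
are taken from the advisory's approximate figures and are assumptions
about where to alert, not vendor-specified values.
"""
from collections import defaultdict
from typing import Iterable, List, Optional, Tuple

NAVISION_PORT = 2407
LARGE_PAYLOAD = 30_000   # variant 1: one NUL + ~30k bytes crashes SERVER.EXE
SMALL_PAYLOAD = 100      # variant 2: NUL + 100+ bytes per connection ...
CONN_THRESHOLD = 10      # ... repeated over ~10 connections from one source

Record = Tuple[str, int, bytes]
Alert = Tuple[str, str, int]


def classify_payload(payload: bytes) -> Optional[str]:
    """Return 'large', 'small' or None for the first bytes of a connection.

    Both variants start with a single null byte; what follows decides
    whether the payload alone is enough ('large') or only counts toward
    the repeated-connection variant ('small').
    """
    if not payload or payload[0] != 0:
        return None
    body = len(payload) - 1  # bytes after the leading NUL
    if body >= LARGE_PAYLOAD:
        return "large"
    if body >= SMALL_PAYLOAD:
        return "small"
    return None


def detect(records: Iterable[Record]) -> List[Alert]:
    """Scan connection records destined for port 2407 and return alerts.

    'large-payload' fires once per oversized connection;
    'repeated-small-payload' fires once per source when it reaches
    CONN_THRESHOLD qualifying connections.
    """
    alerts: List[Alert] = []
    small_counts = defaultdict(int)
    for src, dport, payload in records:
        if dport != NAVISION_PORT:
            continue  # only the Navision service port is of interest
        kind = classify_payload(payload)
        if kind == "large":
            alerts.append(("large-payload", src, len(payload)))
        elif kind == "small":
            small_counts[src] += 1
            if small_counts[src] == CONN_THRESHOLD:
                alerts.append(("repeated-small-payload", src, CONN_THRESHOLD))
    return alerts


# Constructed sample records (not captured traffic).
SAMPLE_RECORDS: List[Record] = [
    ("10.0.0.5", 2407, b"\x01\x00NAV"),              # benign-looking start: no leading NUL
    ("10.0.0.9", 2407, b"\x00" + b"A" * 30_000),     # variant 1: single oversized payload
    ("10.0.0.7", 80, b"\x00" + b"A" * 30_000),       # same bytes to another port: ignored
    ("10.0.0.3", 2407, b"\x00" + b"A" * 50),         # too short to count for either variant
]
SAMPLE_RECORDS += [("10.0.0.8", 2407, b"\x00" + b"B" * 120) for _ in range(10)]  # variant 2
SAMPLE_RECORDS += [("10.0.0.3", 2407, b"\x00" + b"C" * 120) for _ in range(3)]   # below threshold


if __name__ == "__main__":
    for alert in detect(SAMPLE_RECORDS):
        print(alert)
```

The check deliberately keys on the leading null byte plus length rather
than on the literal A's, since the advisory describes the filler only as
"approx. 30k of A's" and an attacker can substitute any bytes; anything
matching here from an untrusted network is worth blocking at the firewall,
as the workaround below advises.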

---------------------------=[Workaround]=-----------------------------
Disallow access to TCP port 2407 from untrusted systems, and contact
Navision-Damgaard Support to obtain the patch for this problem:

http://www.navision.com/com/view.asp?documentID=258

-------------------------=[Vendor Response]=--------------------------
The issue was brought to the vendor's attention on the 21st of
December, 2000. A patch was created by the vendor on the 5th of March,
2001.

======================================================================
            This release was brought to you by Defcom Labs

              labs@defcom.com             www.defcom.com
======================================================================
