Pervasive SQL DoS Vulnerability in NetWare 6.0 and NetWare 6.5

  • 3174344
  • 24-Oct-2006
  • 27-Apr-2012

Environment

Novell NetWare 6.5
Novell NetWare 6.0
Nessus Vulnerability Scanner Version 3.03
NWMKDE.NLM Version 7.94 December 11,2001
BTCPCOM.NLM Version 7.90 July 9,2003
ABEND: Page Fault Processor Exception in LIBC.NLM|strlen when running Nessus Security Scan

Situation

Running a Nessus scan against a NetWare 6.0 or NetWare 6.5 server may result in the server abending.

COPY OF ABEND.LOG
---/CUT/---
Server SERVERA halted Tuesday, September 26, 2006 12:43:00.024 pm
Abend 1 on P00: Server-5.60.05: Page Fault Processor Exception (Error code 00000000)

Registers:
CS = 0008 DS = 0010 ES = 0010 FS = 0010 GS = 0010 SS = 0010
EAX = 831D0000 EBX = 831D7858 ECX = 00000000 EDX = CF17F7A6
ESI = D6612F6E EDI = 00000000 EBP = 831D7820 ESP = 831D7454
EIP = C8C97A85 FLAGS = 00010246
C8C97A85 66AD LODSW
EIP in LIBC.NLM at code start +00081A85h
Access Location: 0xD6612F6E

The violation occurred while processing the following instruction:
C8C97A85 66AD LODSW
C8C97A87 84C0 TEST AL,AL
C8C97A89 7408 JZ C8C97A93
C8C97A8B 41 INC ECX
C8C97A8C 84E4 TEST AH,AH
C8C97A8E 7403 JZ C8C97A93
C8C97A90 41 INC ECX
C8C97A91 EBF2 JMP C8C97A85
C8C97A93 8BC1 MOV EAX,ECX
C8C97A95 5E POP ESI

Running process: BTCPCOM.NLM 10 Process
Thread Owned by NLM: BTCPCOM.NLM
Stack pointer: 831D7C94
OS Stack limit: 831D1D60
Scheduling priority: 67371008
Wait state: 5050030 Blocked on Semaphore
Stack: --D6612F6E ?
CF136E40 (NWMKDE.NLM|SetMkdeIDVector+3260)
--D6612F6E ?
.
.
Additional Information:
The CPU encountered a problem executing code in LIBC.NLM. The problem may be in that module or in data passed to that module by a process owned by BTCPCOM.NLM.

NWMKDE.NLM NWMKDE.NLM v7.94.251.000
Version 7.94 December 11, 2001
Code Address: CF129000h Length: 00053D55h
Data Address: CF17E000h Length: 0000F784h
BTCPCOM.NLM BTCPCOM.NLM v7.90.000, Build 253
Version 7.90 July 9, 2003
Code Address: 82FF6000h Length: 00004450h
Data Address: 82FFC000h Length: 00000CECh
---/CUT/---

Resolution

NetWare 6.0 and NetWare 6.5 Servers ship with Pervasive SQL 2000i Version 7.9.4 integrated in with the operating system.
On NetWare 6.0 and NetWare 6.5 the following setting under the MicroKernel section of the SYS:SYSTEM\BTI.CFG needs to be modified:
"Validate Request=YES"
The default is NO.
After changing this it is necessary to restart the server.
SAMPLE of SYS:\SYSTEM\BTI.CFG
---/CUT/---
[MicroKernel]
CacheSize=2048
MaxFiles=50
MaxCursors=200
BalancedTrees=NO
ForceFileVersion=0700
SystemData=YES
MaxDatabases=10
Logging=NO
CompressedBufferSize=5
ExtendedBufferSize=16
MergeSortBufferSize=0
MaxRecSize=63
TransDurability=YES
TransLogBufferSize=256
TransLogFileSize=512
SysTransBundleLimit=65535
SysTransTimeLimit=10000
MaxClients=30
BackgroundThreads=4
WaitLockTimeout=15
TransLogDirectory=SYS:\SYSTEM\MKDE\LOG
Trace=NO
TraceFile=SYS:SYSTEM\MKDE.TRA
TraceDataBufferLength=128
TraceKeyBufferLength=128
TraceOpsList=ALL
Validate Request=YES
LoadRouter=NO
RouterCommBufferSize=16
Use FileIO Mutex=NO
---/CUT/---

If a newer version of Pervasive SQL has been installed on the server, i.e. Pervasive Version 8 or 9 the setting is located in the SYS:ETC\PSRGSTRY.INI under:

[PS_HKEY_CONFIG\Software\Pervasive
Software\MicroKernel Server Engine\Version 9\Settings]
Validate Request=YES

After changing this it is also necessary to restart the server.
When a bad packet is detected it's blocked and entry will be made in the SYS:\SYSTEM\PVSW.LOG.
SAMPLE OF BAD PACKET ENTRY LOGGED IN PVSW.LOG
---/CUT/---
10- 21- 2006 12:43:10 SERVERA An invalid request was received.
10- 21- 2006 12:43:10 SERVERA 80447ac6: 51 00 00 00 03 5b 20 00 00 00 00 00 00 00 00 00
10- 21- 2006 12:43:10 SERVERA 80447ad6: 00 00 04 00 51 00 00 00 00 02 39 00 04 0b 00 00
10- 21- 2006 12:43:10 SERVERA 80447ae6: d0 3f 00 00 d0 3f 00 00 00 40 0000 70 00 00 00
10- 21- 2006 12:43:10 SERVERA 80447af6: 4e 45 53 53 55 53 20 20 20 20 20 20 20 20 20 20
10- 21- 2006 12:43:10 SERVERA 80447b06: 08 49 32 33 35 33 33 00 09 70 64 62 6d 73 72 76
---/CUT/---
NetWare 6.5 SP6 will be shipped with the "Validate Request=YES" parameter set by default.

Status

Reported to Engineering
Security Alert
Top Issue

Additional Information

This vulnerability has been assignedthe number: CVE‑2006‑5329.
The problem Nessus plugin (sapdb_detect.nasl version 1.10) that was causing the abend was fixed by Tenable on September 21 2006.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.