Novell NetWare 5.1 SP3 abends and reboots after being scanned with Shadow Security Scanner.
The scanner finds two vulnerabilities:
1) IP Services : SNMP Remote Access
2) DoS Bugs : Multiple Vendor SNMP Request Handling Vulnerabilities
After that, two critical errors come up on the server and it reboots...
Here are two pieces of abend.log:
1) Server ATS halted Friday, October 31, 2003 4:27:17 pm
Abend 1 on P00: Server-5.00j: Page Fault Processor Exception (Error code 00000002)
Registers:
CS = 0008 DS = 0010 ES = 0010 FS = 0010 GS = 0010 SS = 0010
EAX = D083B55E EBX = D083B55F ECX = 00000000 EDX = D1F7BF0C
ESI = 7FFFFC6D EDI = D2857004 EBP = 00000348 ESP = D1F7BE98
EIP = D282F8F6 FLAGS = 00010282
D282F8F6 894FFC MOV [EDI-04]=?,ECX
EIP in SNMP.NLM at code start +000008F6h
Access Location: 0xD2857000
The violation occurred while processing the following instruction:
D282F8F6 894FFC MOV [EDI-04],ECX
D282F8F9 85F6 TEST ESI,ESI
D282F8FB 7FD1 JG D282F8CE
D282F8FD 8B4C2418 MOV ECX,[ESP+18]
D282F901 BE28000000 MOV ESI,00000028
D282F906 8B5904 MOV EBX,[ECX+04]
D282F909 31D2 XOR EDX,EDX
D282F90B 89D8 MOV EAX,EBX
D282F90D F7F6 DIV ESI
D282F90F 89D8 MOV EAX,EBX
Running process: Server 03 Process
Created by: NetWare Application
Thread Owned by NLM: SERVER.NLM
Stack pointer: D1F7BF88
OS Stack limit: D1F78040
Scheduling priority: 67371008
Wait state: 50500F0 (Waiting for work)
2) Server ATS halted Friday, October 31, 2003 4:28:22 pm
Abend 2 on P00: Server-5.00j: Page Fault Processor Exception (Error code 00000000)
Registers:
CS = 0008 DS = 0010 ES = 0010 FS = 0010 GS = 0010 SS = 0010
EAX = D2856000 EBX = D27B24E4 ECX = D27B24E4 EDX = 00000001
ESI = D27B2500 EDI = 00000018 EBP = D48D1B70 ESP = D48D1B54
EIP = FC01D00B FLAGS = 00210006
FC01D00B 8B5204 MOV EDX,[EDX+04]=?
EIP in SERVER.NLM at code start +0001D00Bh
Access Location: 0x00000005
The violation occurred while processing the following instruction:
FC01D00B 8B5204 MOV EDX,[EDX+04]
FC01D00E 8B4814 MOV ECX,[EAX+14]
FC01D011 895010 MOV [EAX+10],EDX
FC01D014 41 INC ECX
FC01D015 8B5010 MOV EDX,[EAX+10]
FC01D018 894814 MOV [EAX+14],ECX
FC01D01B 85D2 TEST EDX,EDX
FC01D01D 750C JNZ FC01D02B
FC01D01F 8B4004 MOV EAX,[EAX+04]
FC01D022 8906 MOV [ESI],EAX
Running process: NLSTRAPNLM 2 Process
Created by: NetWare Application
Thread Owned by NLM: NLSTRAP.NLM
Stack pointer: D48D1C28
OS Stack limit: D48CDCC0
CPU 0 (Thread D48CB660) is in a NO SLEEP state
Scheduling priority: 67371008
Wait state: 5050030 (Blocked on Semaphore)
As we understand it, SNMP needs to be closed off, but how do we do that? Because anyone who likes to scan the network can take the server down in no time...
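
A triage sketch for the two abend.log excerpts above, added here as an example and not part of the original post: it extracts the faulting NLM, code offset and access address from each entry. The field patterns are inferred from the excerpts shown, and reading the error code as the raw x86 page-fault error code is an assumption.

```python
import re

# Constructed sample: header lines copied from the two abend.log excerpts in the post.
SAMPLE = """\
Abend 1 on P00: Server-5.00j: Page Fault Processor Exception (Error code 00000002)
EIP in SNMP.NLM at code start +000008F6h
Access Location: 0xD2857000
Thread Owned by NLM: SERVER.NLM
Abend 2 on P00: Server-5.00j: Page Fault Processor Exception (Error code 00000000)
EIP in SERVER.NLM at code start +0001D00Bh
Access Location: 0x00000005
Thread Owned by NLM: NLSTRAP.NLM
"""

# Patterns inferred from the excerpts above, not from a NetWare format specification.
ABEND = re.compile(r"^Abend (\d+) on P\d+: [^:]+: (.+) \(Error code ([0-9A-Fa-f]{8})\)")
EIP = re.compile(r"^EIP in (\S+) at code start \+([0-9A-Fa-f]+)h")
ACCESS = re.compile(r"^Access Location: 0x([0-9A-Fa-f]+)")
OWNER = re.compile(r"^Thread Owned by NLM: (\S+)")

def parse_abends(text):
    """Return one dict per abend entry, keyed by the fields useful for triage."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        if m := ABEND.match(line):
            code = int(m.group(3), 16)
            entries.append({
                "abend": int(m.group(1)),
                "exception": m.group(2),
                # Assumption: raw x86 page-fault error code, where bit 1 set means a write.
                "access": "write" if code & 2 else "read",
            })
        elif not entries:
            continue  # ignore anything before the first "Abend N" header
        elif m := EIP.match(line):
            entries[-1]["fault_module"] = m.group(1)
            entries[-1]["fault_offset"] = int(m.group(2), 16)
        elif m := ACCESS.match(line):
            entries[-1]["address"] = int(m.group(1), 16)
            # An address inside the first page usually means a NULL-based pointer.
            entries[-1]["near_null"] = entries[-1]["address"] < 0x1000
        elif m := OWNER.match(line):
            entries[-1]["thread_owner"] = m.group(1)
    return entries

if __name__ == "__main__":
    for e in parse_abends(SAMPLE):
        print(f"abend {e['abend']}: {e['access']} fault at 0x{e['address']:08X} in "
              f"{e['fault_module']}+0x{e['fault_offset']:X} (thread of {e['thread_owner']})")
```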