The_Arhitect

Novell GroupWise Messenger <= 2.1.0 Arbitrary Memory Corruption

#######################################################################
Luigi Auriemma
Application: Novell GroupWise Messenger
http://www.novell.com/products/groupwise/
Versions: <= 2.1.0
Platforms: Windows, Linux, NetWare
Bug: write4
Exploitation: remote, versus server
Date: 16 Feb 2012 (found 10 May 2011)
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Check vendor's homepage and version because this is an old advisory.
#######################################################################
======
2) Bug
======
nmma.exe is a service running on port 8300.
The protocol is composed of fields that have particular types, for
example 10 for strings or 8 for integers, and so on, like any RPC
protocol.
Through the "createsearch" command sent from a valid account and a type
9 value it is possible to write a 0x00000000 in an arbitrary memory
location:
00496E2A |> 8B5D 0C /MOV EBX,DWORD PTR SS:[EBP+C]
00496E2D |> 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
00496E30 |. 8A47 06 |MOV AL,BYTE PTR DS:[EDI+6]
00496E33 |. 81E1 FFFF0000 |AND ECX,0FFFF
00496E39 |. 3C 02 |CMP AL,2
00496E3B |. 8B5C8B 04 |MOV EBX,DWORD PTR DS:[EBX+ECX*4+4]
...
00496F3A |. C703 00000000 |MOV DWORD PTR DS:[EBX],0 ; EBX is controlled
00496F40 |. 83C3 04 |ADD EBX,4
00496F43 |. 53 |PUSH EBX
00496F44 |. 6A 20 |PUSH 20
00496F46 |. E8 5541F9FF |CALL nmma.0042B0A0
It seems that this vulnerability can be reached only with a valid account.
In my PoC I have used a pre-built admin::adminpass account, so remember
to change the NM_A_PARM1 field if you want to use another one.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/nmma_x.zip
http://www.exploit-db.com/sploits/nmma_x.zip
nmma_x 3 SERVER
#######################################################################
======
4) Fix
======
No fix.
#######################################################################

Source: Novell GroupWise Messenger <= 2.1.0 Arbitrary Memory Corruption
