Novell GroupWise Messenger <= 2.1.0 Arbitrary Memory Corruption

2012.02.17
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#######################################################################

Luigi Auriemma

Application:  Novell GroupWise Messenger
              http://www.novell.com/products/groupwise/
Versions:     <= 2.1.0
Platforms:    Windows, Linux, NetWare
Bug:          write4
Exploitation: remote, versus server
Date:         16 Feb 2012 (found 10 May 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Check the vendor's homepage and version because this is an old advisory.

#######################################################################

======
2) Bug
======

nmma.exe is a service running on port 8300. The protocol is composed of
fields that have particular types, for example 10 for strings or 8 for
integers and so on, like any RPC protocol.

Through the "createsearch" command sent from a valid account, a type 9
value makes it possible to write a 0x00000000 to an arbitrary memory
location:

  00496E2A |> 8B5D 0C        /MOV EBX,DWORD PTR SS:[EBP+C]
  00496E2D |> 8B4D F8        MOV ECX,DWORD PTR SS:[EBP-8]
  00496E30 |. 8A47 06        |MOV AL,BYTE PTR DS:[EDI+6]
  00496E33 |. 81E1 FFFF0000  |AND ECX,0FFFF
  00496E39 |. 3C 02          |CMP AL,2
  00496E3B |. 8B5C8B 04      |MOV EBX,DWORD PTR DS:[EBX+ECX*4+4]
  ...
  00496F3A |. C703 00000000  |MOV DWORD PTR DS:[EBX],0   ; EBX is controlled
  00496F40 |. 83C3 04        |ADD EBX,4
  00496F43 |. 53             |PUSH EBX
  00496F44 |. 6A 20          |PUSH 20
  00496F46 |. E8 5541F9FF    |CALL nmma.0042B0A0

It seems that this vulnerability can be reached only with a valid
account. In my PoC I have used a pre-built admin::adminpass account, so
remember to change the NM_A_PARM1 field if you want to use another one.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/nmma_x.zip
http://www.exploit-db.com/sploits/nmma_x.zip

  nmma_x 3 SERVER

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
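The disassembly above shows the pattern behind the write4: a 16-bit index taken from the request (ECX masked with 0xFFFF) selects a pointer from a table (EBX+ECX*4+4) with no comparison against the table's size, and the code then stores 0 through whatever pointer it fetched. The following C is an added illustration of that pattern and of the bounds check that removes it; it is constructed example code, not nmma.exe source, and the table layout, the function names and the sample values are assumptions made for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed layout for the demo (not the real nmma.exe structure):
 * a count of valid entries followed by a small table of pointers, so that
 * the table itself starts one dword past the base, as in "[EBX+ECX*4+4]". */
#define TABLE_SLOTS 4

typedef struct {
    uint32_t  count;                 /* number of live entries */
    uint32_t *entries[TABLE_SLOTS];  /* pointers the service writes through */
} ptr_table_t;

/* Vulnerable pattern: idx is limited to 16 bits (the AND ECX,0FFFF) but is
 * never compared against count, so any idx >= count reads a pointer from
 * memory beyond the table and then writes 0 through it.  Calling this with
 * an out-of-range index is undefined behaviour; it is shown only to make
 * the defect visible next to the fixed version. */
static void clear_entry_unchecked(ptr_table_t *t, uint16_t idx)
{
    uint32_t *target = t->entries[idx];   /* no bounds check */
    *target = 0;                          /* MOV DWORD PTR [EBX],0 */
}

/* Hardened form: reject an index outside the live table and a NULL slot
 * before dereferencing.  Returns 0 on success, -1 if the request is
 * rejected, so the caller can drop the malformed command and log it. */
static int clear_entry_checked(ptr_table_t *t, uint16_t idx)
{
    if (idx >= t->count || idx >= TABLE_SLOTS)
        return -1;                        /* index beyond the table */
    if (t->entries[idx] == NULL)
        return -1;                        /* slot not populated */
    *t->entries[idx] = 0;
    return 0;
}

/* Constructed backing storage the table points into. */
static uint32_t storage[TABLE_SLOTS];

/* Build a fresh table with every slot pointing at storage[i] and
 * storage reset to recognisable sample values. */
static ptr_table_t demo_table(void)
{
    static const uint32_t sample[TABLE_SLOTS] =
        { 0xAAAAAAAAu, 0xBBBBBBBBu, 0xCCCCCCCCu, 0xDDDDDDDDu };
    ptr_table_t t;
    t.count = TABLE_SLOTS;
    for (size_t i = 0; i < TABLE_SLOTS; i++) {
        storage[i]   = sample[i];
        t.entries[i] = &storage[i];
    }
    return t;
}

/* Current value held in a storage slot (lets a caller observe the effect
 * of a clear without touching the globals directly). */
static uint32_t slot_value(size_t i)
{
    return (i < TABLE_SLOTS) ? storage[i] : 0;
}

int main(void)
{
    ptr_table_t t = demo_table();

    /* In-range index: both versions behave the same. */
    clear_entry_unchecked(&t, 1);
    printf("unchecked idx 1 -> slot 1 = 0x%08X\n", (unsigned)slot_value(1));

    /* Out-of-range index: the checked version refuses instead of writing. */
    int rc = clear_entry_checked(&t, 0xFFFF);
    printf("checked idx 0xFFFF -> rc = %d (slot 0 still 0x%08X)\n",
           rc, (unsigned)slot_value(0));
    return 0;
}
```

The masking to 16 bits in the original code is not a bounds check: it only limits how far past the table the read can reach, which is why the advisory treats the resulting store as an arbitrary write. The check that matters is the comparison against the live entry count.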

References:

http://aluigi.org/poc/nmma_x.zip
http://www.exploit-db.com/sploits/nmma_x.zip

