Novell GroupWise Messenger <= 2.1.0 Arbitrary Memory Corruption



EKU-ID: 1489 CVE: OSVDB-ID:
Author: Luigi Auriemma Published: 2012-02-17 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#######################################################################
                             Luigi Auriemma
Application:  Novell GroupWise Messenger
              http://www.novell.com/products/groupwise/
Versions:     <= 2.1.0
Platforms:    Windows, Linux, NetWare
Bug:          write4
Exploitation: remote, versus server
Date:         16 Feb 2012 (found 10 May 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Check vendor's homepage and version because this is an old advisory.
#######################################################################
======
2) Bug
======
nmma.exe is a service running on port 8300.
The protocol is composed by fields that have particular types, for
example 10 for strings or 8 for integers and so on like any RPC
protocol.
Through the "createsearch" command sent from a valid account and a type
9 value is possible to write a 0x00000000 in an arbitrary memory
location:
  00496E2A  |> 8B5D 0C        /MOV EBX,DWORD PTR SS:[EBP+C]
  00496E2D  |> 8B4D F8         MOV ECX,DWORD PTR SS:[EBP-8]
  00496E30  |. 8A47 06        |MOV AL,BYTE PTR DS:[EDI+6]
  00496E33  |. 81E1 FFFF0000  |AND ECX,0FFFF
  00496E39  |. 3C 02          |CMP AL,2
  00496E3B  |. 8B5C8B 04      |MOV EBX,DWORD PTR DS:[EBX+ECX*4+4]
  ...
  00496F3A  |. C703 00000000  |MOV DWORD PTR DS:[EBX],0     ; EBX is controlled
  00496F40  |. 83C3 04        |ADD EBX,4
  00496F43  |. 53             |PUSH EBX
  00496F44  |. 6A 20          |PUSH 20
  00496F46  |. E8 5541F9FF    |CALL nmma.0042B0A0
Seems that this vulnerability can be reached only with a valid account.
In my PoC I have used a pre-build admin::adminpass account so remember
to change the NM_A_PARM1 field if you want to use another one.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/nmma_x.zip
http://www.exploit-db.com/sploits/nmma_x.zip
nmma_x 3 SERVER
#######################################################################
======
4) Fix
======
No fix.
#######################################################################