#######################################################################
Luigi Auriemma
Application: Novell GroupWise Messenger
http://www.novell.com/products/groupwise/
Versions: <= 2.1.0
Platforms: Windows, Linux, NetWare
Bug: write4
Exploitation: remote, versus server
Date: 16 Feb 2012 (found 10 May 2011)
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Check vendor's homepage and version because this is an old advisory.
#######################################################################
======
2) Bug
======
nmma.exe is a service running on port 8300.
The protocol is composed by fields that have particular types, for
example 10 for strings or 8 for integers and so on like any RPC
protocol.
Through the "createsearch" command sent from a valid account and a type
9 value is possible to write a 0x00000000 in an arbitrary memory
location:
00496E2A |> 8B5D 0C /MOV EBX,DWORD PTR SS:[EBP+C]
00496E2D |> 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
00496E30 |. 8A47 06 |MOV AL,BYTE PTR DS:[EDI+6]
00496E33 |. 81E1 FFFF0000 |AND ECX,0FFFF
00496E39 |. 3C 02 |CMP AL,2
00496E3B |. 8B5C8B 04 |MOV EBX,DWORD PTR DS:[EBX+ECX*4+4]
...
00496F3A |. C703 00000000 |MOV DWORD PTR DS:[EBX],0 ; EBX is controlled
00496F40 |. 83C3 04 |ADD EBX,4
00496F43 |. 53 |PUSH EBX
00496F44 |. 6A 20 |PUSH 20
00496F46 |. E8 5541F9FF |CALL nmma.0042B0A0
Seems that this vulnerability can be reached only with a valid account.
In my PoC I have used a pre-build admin::adminpass account so remember
to change the NM_A_PARM1 field if you want to use another one.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/nmma_x.zip
http://www.exploit-db.com/sploits/nmma_x.zip
nmma_x 3 SERVER
#######################################################################
======
4) Fix
======
No fix.
#######################################################################