#######################################################################
Luigi Auriemma
Application: Novell GroupWise Messenger
http://www.novell.com/products/groupwise/
Versions: <= 2.1.0
Platforms: Windows, Linux, NetWare
Bug: memory corruption
Exploitation: remote, versus server
Date: 16 Feb 2012 (found 10 May 2011)
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Check vendor's homepage and version because this is an old advisory.
#######################################################################
======
2) Bug
======
nmma.exe is a service running on port 8300.
The NM_A_PARM1 tag of the "login" command is the base64 of the
"username::password" string encrypted with blowfish.
This tag has the value 10 which is relative to the strings, but exists
another type defined as 12 which instead is used for particular data
("nested arrays") and when used for login->NM_A_PARM1 allows to corrupt
the heap memory:
0042BCD9 |. 8B0B MOV ECX,DWORD PTR DS:[EBX] ; 3
0042BCDB |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] ; 3
0042BCDE |. C1EE 02 SHR ESI,2
0042BCE1 |. 81C6 55555555 ADD ESI,55555555
0042BCE7 |. 8D0476 LEA EAX,DWORD PTR DS:[ESI+ESI*2]
0042BCEA |. 50 PUSH EAX ; 0xffffffff
0042BCEB |. 51 PUSH ECX ; heap
0042BCEC |. 52 PUSH EDX ; context
0042BCED |. E8 5E0E0000 CALL nmma.0042CB50 ; blowfish
Through additional packets before and after the malformed one (the
service is multi-thread) may be possible to control the corruption.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/nmma_x.zip
http://www.exploit-db.com/sploits/nmma_x.zip
nmma_x 1 SERVER
#######################################################################
======
4) Fix
======
No fix.
#######################################################################