Novell GroupWise Messenger Client <= 2.1.0 Unicode Stack Overflow



EKU-ID: 1491 CVE: OSVDB-ID:
Author: Luigi Auriemma Published: 2012-02-17 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#######################################################################
                             Luigi Auriemma
Application:  Novell GroupWise Messenger client
              http://www.novell.com/products/groupwise/
Versions:     <= 2.1.0
Platforms:    Windows, Linux, NetWare
Bug:          unicode stack overflow
Exploitation: remote, versus server
Date:         16 Feb 2012 (found 09 May 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Check vendor's homepage and version because this is an old advisory.
#######################################################################
======
2) Bug
======
Unicode stack overflow in the building of a message while handling a
nmx file:
  0048D4DC   51               PUSH ECX                      ; our "folder name" string
  0048D4DD   8D5424 0C        LEA EDX,DWORD PTR SS:[ESP+C]
  0048D4E1   50               PUSH EAX                      ; "Importing into %s."
  0048D4E2   52               PUSH EDX                      ; stack buffer
  0048D4E3   FF15 287D5400    CALL DWORD PTR DS:[547D28]    ; USER32.wsprintfW
The vulnerability is exploitable through an nmx file and it's possible
to automate the exploitation using the "nim" URL protocol inside a web
browser and the "import" command with "filename" pointing to the web
server or UNC path hosting the malformed nmx file.
#######################################################################
===========
3) The Code
===========
This scenario can be tested using the provided html proof-of-concept
after having replaced the "SERVER" string with the name of the server
where is located the nim_1.nmx file:
  http://aluigi.org/poc/nim_1.zip
  http://www.exploit-db.com/sploits/18490.zip
#######################################################################
======
4) Fix
======
No fix.
#######################################################################