Novell Groupwise Messenger 2.1.0 - Arbitrary Memory Corruption

EDB-ID:

18488

CVE:


EDB Verified:

Author:

Luigi Auriemma

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2012-02-16

Vulnerable App: 
#######################################################################

                             Luigi Auriemma

Application:  Novell GroupWise Messenger
              http://www.novell.com/products/groupwise/
Versions:     <= 2.1.0
Platforms:    Windows, Linux, NetWare
Bug:          write4
Exploitation: remote, versus server
Date:         16 Feb 2012 (found 10 May 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Check vendor's homepage and version because this is an old advisory.


#######################################################################

======
2) Bug
======


nmma.exe is a service running on port 8300.

The protocol is composed by fields that have particular types, for
example 10 for strings or 8 for integers and so on like any RPC
protocol.

Through the "createsearch" command sent from a valid account and a type
9 value is possible to write a 0x00000000 in an arbitrary memory
location:

  00496E2A  |> 8B5D 0C        /MOV EBX,DWORD PTR SS:[EBP+C]
  00496E2D  |> 8B4D F8         MOV ECX,DWORD PTR SS:[EBP-8]
  00496E30  |. 8A47 06        |MOV AL,BYTE PTR DS:[EDI+6]
  00496E33  |. 81E1 FFFF0000  |AND ECX,0FFFF
  00496E39  |. 3C 02          |CMP AL,2
  00496E3B  |. 8B5C8B 04      |MOV EBX,DWORD PTR DS:[EBX+ECX*4+4]
  ...
  00496F3A  |. C703 00000000  |MOV DWORD PTR DS:[EBX],0     ; EBX is controlled
  00496F40  |. 83C3 04        |ADD EBX,4
  00496F43  |. 53             |PUSH EBX
  00496F44  |. 6A 20          |PUSH 20
  00496F46  |. E8 5541F9FF    |CALL nmma.0042B0A0

Seems that this vulnerability can be reached only with a valid account.
In my PoC I have used a pre-build admin::adminpass account so remember
to change the NM_A_PARM1 field if you want to use another one.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/nmma_x.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18488.zip (nmma_x.zip)

nmma_x 3 SERVER


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services