Novell Groupwise Messenger Client 2.1.0 - Unicode Stack Overflow

EDB-ID:

18490

CVE:





Platform:

Windows

Date:

2012-02-16


#######################################################################

                             Luigi Auriemma

Application:  Novell GroupWise Messenger client
              http://www.novell.com/products/groupwise/
Versions:     <= 2.1.0
Platforms:    Windows, Linux, NetWare
Bug:          unicode stack overflow
Exploitation: remote, versus server
Date:         16 Feb 2012 (found 09 May 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Check vendor's homepage and version because this is an old advisory.


#######################################################################

======
2) Bug
======


Unicode stack overflow in the building of a message while handling a
nmx file:

  0048D4DC   51               PUSH ECX                      ; our "folder name" string
  0048D4DD   8D5424 0C        LEA EDX,DWORD PTR SS:[ESP+C]
  0048D4E1   50               PUSH EAX                      ; "Importing into %s."
  0048D4E2   52               PUSH EDX                      ; stack buffer
  0048D4E3   FF15 287D5400    CALL DWORD PTR DS:[547D28]    ; USER32.wsprintfW

The vulnerability is exploitable through an nmx file and it's possible
to automate the exploitation using the "nim" URL protocol inside a web
browser and the "import" command with "filename" pointing to the web
server or UNC path hosting the malformed nmx file.


#######################################################################

===========
3) The Code
===========


This scenario can be tested using the provided html proof-of-concept
after having replaced the "SERVER" string with the name of the server
where is located the nim_1.nmx file:

  http://aluigi.org/poc/nim_1.zip
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18490.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################