[NT] Novell GroupWise Client Integer Overflow

Subject: [NT] Novell GroupWise Client Integer Overflow
Date: 29 Sep 2005 15:13:15 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Novell GroupWise Client Integer Overflow
------------------------------------------------------------------------


SUMMARY

"Novell GroupWise is a complete collaboration software solution that provides information 
workers with e-mail, calendaring, instant messaging, task management, and 
contact and document management functions."
<http://www.novell.com/products/groupwise/index.html>

Novell GroupWise Client is vulnerable to an integer overflow that allows 
attackers to execute arbitrary code.

DETAILS

Vulnerable Systems:
 * GroupWise version 6.5.3

Immune Systems:
 * GroupWise version 6.5 SP5

The integer overflow is caused by the application failing to safely parse the 
saved port number stored in the Windows registry.

Proof of Concept:
To reproduce this, modify the default value of the registry key
HKEY_CURRENT_USER\Software\Novell\GroupWise\Login Parameters\TCP/IP Port

For example, set the value (11111111111111111111111111111111).

Then, when the client application is opened and reads the port 
information, the integer overflow occurs.
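As an added example (not code from the advisory or from Novell), the following C program contrasts an unchecked decimal-to-integer conversion of the kind described above with a bounds-checked one. The client's actual routine is not published, so the unchecked version is modelled with an unsigned 32-bit accumulator, and parse_tcp_port and the sample inputs are constructed for illustration. Run on the advisory's 32-digit value, the unchecked conversion wraps to 0xC71C71C7, the value EAX holds in the crash trace that follows.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked conversion: digits are accumulated into a 32-bit value and
 * any overflow silently wraps. (Assumption: this models the failure
 * mode; the client's real routine is not published. An unsigned
 * accumulator is used so the wraparound is well-defined C.) */
uint32_t naive_parse_u32(const char *s)
{
    uint32_t v = 0;
    for (; *s >= '0' && *s <= '9'; s++)
        v = v * 10u + (uint32_t)(*s - '0');   /* wraps modulo 2^32 */
    return v;
}

/* Hardened conversion (constructed): rejects signs and leading
 * whitespace, overflow, trailing characters and anything outside the
 * TCP port range. Returns the port, or -1 on any failure. */
long parse_tcp_port(const char *s)
{
    char *end;
    unsigned long v;

    if (*s < '0' || *s > '9')            /* must start with a digit */
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE)                 /* value did not fit */
        return -1;
    if (*end != '\0')                    /* trailing non-digit data */
        return -1;
    if (v < 1 || v > 65535)              /* outside the port range */
        return -1;
    return (long)v;
}

int main(void)
{
    /* The advisory's proof-of-concept registry value. */
    const char *registry_value = "11111111111111111111111111111111";
    printf("unchecked: 0x%08X\n", naive_parse_u32(registry_value)); /* 0xC71C71C7 */
    printf("hardened:  %ld\n", parse_tcp_port(registry_value));     /* -1 */
    printf("hardened:  %ld\n", parse_tcp_port("8080"));             /* 8080 */
    return 0;
}
```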

Stack Trace:
EAX C71C71C7
ECX 01F6ADC0 ASCII "10.1.1.1"
EDX 01F6ADC0 ASCII "10.1.1.1"
EBX 00000000
ESP 0012E9DC
EBP 0012E9EC
ESI 00000000
EDI 00000000
EIP 52080AB3 gwenv1.52080AB3
C 0 ES 0023 32bit 0(FFFFFFFF)
P 0 CS 001B 32bit 0(FFFFFFFF)
A 1 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 1 FS 0038 32bit 7FFDE000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010292 (NO,NB,NE,A,S,PO,L,LE)
ST0 empty -NAN FFFF FFFCFEFC FFFCFEFC
ST1 empty -??? FFFF 00000000 00000000
ST2 empty -??? FFFF 00FE00FB 00FD00FB
ST3 empty -??? FFFF 00FE00FB 00FD00FB
ST4 empty -NAN FFFF FFFCFEFC FFFCFEFC
ST5 empty -??? FFFF 00FF00FC 00FE00FC
ST6 empty -??? FFFF 00000000 00000000
ST7 empty 256.00000000000000000
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1

Assembly code:
52080AB3 66:8B00 MOV AX,WORD PTR DS:[EAX]

Vendor Status:
The vendor has issued a patch:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2972191.htm

CVE Information:
CAN-2005-2804
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2804

Disclosure Timeline:
07/28/2005 - Initial vendor notification
07/28/2005 - Initial vendor response notify research
08/07/2005 - Second vendor response
09/27/2005 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by Francisco Amato <famato@infobyte.com.ar>.

The vendor advisory:
http://support.novell.com/techcenter/search/search.do?cmd=displayKC&docType=kc&externalId=10098814html&sliceId=&dialogID=717171


