Novell GroupWise Messenger <= 2.1.0 Memory Corruption



EKU-ID: 1490 CVE: OSVDB-ID:
Author: Luigi Auriemma Published: 2012-02-17 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#######################################################################
                             Luigi Auriemma
Application:  Novell GroupWise Messenger
              http://www.novell.com/products/groupwise/
Versions:     <= 2.1.0
Platforms:    Windows, Linux, NetWare
Bug:          memory corruption
Exploitation: remote, versus server
Date:         16 Feb 2012 (found 10 May 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Check vendor's homepage and version because this is an old advisory.
#######################################################################
======
2) Bug
======
nmma.exe is a service running on port 8300.
The NM_A_PARM1 tag of the "login" command is the base64 of the
"username::password" string encrypted with blowfish.
This tag has the value 10 which is relative to the strings, but exists
another type defined as 12 which instead is used for particular data
("nested arrays") and when used for login->NM_A_PARM1 allows to corrupt
the heap memory:
  0042BCD9  |. 8B0B           MOV ECX,DWORD PTR DS:[EBX]        ; 3
  0042BCDB  |. 8B55 FC        MOV EDX,DWORD PTR SS:[EBP-4]      ; 3
  0042BCDE  |. C1EE 02        SHR ESI,2
  0042BCE1  |. 81C6 55555555  ADD ESI,55555555
  0042BCE7  |. 8D0476         LEA EAX,DWORD PTR DS:[ESI+ESI*2]
  0042BCEA  |. 50             PUSH EAX                          ; 0xffffffff
  0042BCEB  |. 51             PUSH ECX                          ; heap
  0042BCEC  |. 52             PUSH EDX                          ; context
  0042BCED  |. E8 5E0E0000    CALL nmma.0042CB50                ; blowfish
Through additional packets before and after the malformed one (the
service is multi-thread) may be possible to control the corruption.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/nmma_x.zip
http://www.exploit-db.com/sploits/nmma_x.zip
nmma_x 1 SERVER
#######################################################################
======
4) Fix
======
No fix.
#######################################################################