#######################################################################
Luigi Auriemma
Application: Novell GroupWise Messenger client
http://www.novell.com/products/groupwise/
Versions: <= 2.1.0
Platforms: Windows, Linux, NetWare
Bug: unicode stack overflow
Exploitation: remote, versus server
Date: 16 Feb 2012 (found 09 May 2011)
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Check vendor's homepage and version because this is an old advisory.
#######################################################################
======
2) Bug
======
Unicode stack overflow in the building of a message while handling a
nmx file:
0048D4DC 51 PUSH ECX ; our "folder name" string
0048D4DD 8D5424 0C LEA EDX,DWORD PTR SS:[ESP+C]
0048D4E1 50 PUSH EAX ; "Importing into %s."
0048D4E2 52 PUSH EDX ; stack buffer
0048D4E3 FF15 287D5400 CALL DWORD PTR DS:[547D28] ; USER32.wsprintfW
The vulnerability is exploitable through an nmx file and it's possible
to automate the exploitation using the "nim" URL protocol inside a web
browser and the "import" command with "filename" pointing to the web
server or UNC path hosting the malformed nmx file.
#######################################################################
===========
3) The Code
===========
This scenario can be tested using the provided html proof-of-concept
after having replaced the "SERVER" string with the name of the server
where is located the nim_1.nmx file:
http://aluigi.org/poc/nim_1.zip
http://www.exploit-db.com/sploits/18490.zip
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
