Novell Groupwise Messenger Client 2.1.0 – Unicode Stack Overflow

  • Author: Luigi Auriemma
    Date: 2012-02-16
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/18490/
    #######################################################################
    
     Luigi Auriemma
    
    Application: Novell GroupWise Messenger client
    http://www.novell.com/products/groupwise/
    Versions: <= 2.1.0
    Platforms: Windows, Linux, NetWare
    Bug: unicode stack overflow
    Exploitation: remote, versus server
    Date: 16 Feb 2012 (found 09 May 2011)
    Author: Luigi Auriemma
    e-mail: aluigi@autistici.org
    web: aluigi.org
    
    
    #######################################################################
    
    
    1) Introduction
    2) Bug
    3) The Code
    4) Fix
    
    
    #######################################################################
    
    ===============
    1) Introduction
    ===============
    
    
    Check vendor's homepage and version because this is an old advisory.
    
    
    #######################################################################
    
    ======
    2) Bug
    ======
    
    
    Unicode stack overflow in the building of a message while handling an
    nmx file:
    
    0048D4DC  51              PUSH ECX                      ; our "folder name" string
    0048D4DD  8D5424 0C       LEA EDX,DWORD PTR SS:[ESP+C]
    0048D4E1  50              PUSH EAX                      ; "Importing into %s."
    0048D4E2  52              PUSH EDX                      ; stack buffer
    0048D4E3  FF15 287D5400   CALL DWORD PTR DS:[547D28]    ; USER32.wsprintfW
    
    The vulnerability is exploitable through an nmx file and it's possible
    to automate the exploitation using the "nim" URL protocol inside a web
    browser and the "import" command with "filename" pointing to the web
    server or UNC path hosting the malformed nmx file.
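    A bounded version of the call site above, added here as an illustration and
    not code from Novell's client or from this advisory: swprintf stands in for
    wsprintfW, the stack buffer size is an assumed placeholder, and the point is
    that the length a folder name needs is checked before anything is formatted
    into a fixed stack buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Assumed size of the stack buffer at the wsprintfW call site; the advisory
 * does not disclose the real one, so this is a constructed placeholder. */
#define IMPORT_MSG_CAP 64
/* Fixed characters in "Importing into %ls.": "Importing into " (15) + "." (1). */
#define IMPORT_FMT_FIXED 16

/* Bounded replacement for the unchecked wsprintfW call: the length the message
 * needs is computed from the attacker-influenced folder name before anything
 * is written. Returns 0 and fills out on success, -1 (out untouched) otherwise.
 * swprintf with %ls stands in for USER32.wsprintfW here. */
int build_import_message(const wchar_t *folder, wchar_t *out, size_t out_cap) {
    size_t needed = IMPORT_FMT_FIXED + wcslen(folder) + 1; /* +1 for the NUL */
    if (out == NULL || out_cap == 0 || needed > out_cap) return -1;
    return swprintf(out, out_cap, L"Importing into %ls.", folder) < 0 ? -1 : 0;
}

/* Mirrors the call site: a fixed-size stack buffer receives the message. */
int import_with_bounds_check(const wchar_t *folder) {
    wchar_t msg[IMPORT_MSG_CAP];
    return build_import_message(folder, msg, IMPORT_MSG_CAP);
}

/* Builds the message for folder and compares it with expected (1 = equal). */
int message_equals(const wchar_t *folder, const wchar_t *expected) {
    wchar_t msg[IMPORT_MSG_CAP];
    if (build_import_message(folder, msg, IMPORT_MSG_CAP) != 0) return 0;
    return wcscmp(msg, expected) == 0;
}

/* Probes the boundary with a constructed name of n 'A' characters (n < 256). */
int accepts_name_of_length(size_t n) {
    wchar_t name[256];
    if (n >= sizeof name / sizeof name[0]) return -1;
    for (size_t i = 0; i < n; i++) name[i] = L'A';
    name[n] = L'\0';
    return import_with_bounds_check(name);
}

int main(void) {
    printf("Inbox:    %d\n", import_with_bounds_check(L"Inbox")); /* 0 */
    printf("47 chars: %d\n", accepts_name_of_length(47));         /* 0 */
    printf("48 chars: %d\n", accepts_name_of_length(48));         /* -1 */
    return 0;
}
```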
    
    
    #######################################################################
    
    ===========
    3) The Code
    ===========
    
    
    This scenario can be tested using the provided html proof-of-concept
    after having replaced the "SERVER" string with the name of the server
    where the nim_1.nmx file is located:
    
    http://aluigi.org/poc/nim_1.zip
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18490.zip
    
    
    #######################################################################
    
    ======
    4) Fix
    ======
    
    
    No fix.
    
    
    #######################################################################