Novell Groupwise Messenger 2.1.0 – Memory Corruption

• Exploit Database
• 11 阅读

• 作者： Luigi Auriemma
  日期： 2012-02-16
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/18489/

• #######################################################################
  
   Luigi Auriemma
  
  Application:Novell GroupWise Messenger
  http://www.novell.com/products/groupwise/
  Versions: <= 2.1.0
  Platforms:Windows, Linux, NetWare
  Bug:memory corruption
  Exploitation: remote, versus server
  Date: 16 Feb 2012 (found 10 May 2011)
  Author: Luigi Auriemma
  e-mail: aluigi@autistici.org
  web:aluigi.org
  
  
  #######################################################################
  
  
  1) Introduction
  2) Bug
  3) The Code
  4) Fix
  
  
  #######################################################################
  
  ===============
  1) Introduction
  ===============
  
  
  Check vendor's homepage and version because this is an old advisory.
  
  
  #######################################################################
  
  ======
  2) Bug
  ======
  
  
  nmma.exe is a service running on port 8300.
  
  The NM_A_PARM1 tag of the "login" command is the base64 of the
  "username::password" string encrypted with blowfish.
  
  This tag has the value 10 which is relative to the strings, but exists
  another type defined as 12 which instead is used for particular data
  ("nested arrays") and when used for login->NM_A_PARM1 allows to corrupt
  the heap memory:
  
  0042BCD9|. 8B0B MOV ECX,DWORD PTR DS:[EBX]; 3
  0042BCDB|. 8B55 FCMOV EDX,DWORD PTR SS:[EBP-4]; 3
  0042BCDE|. C1EE 02SHR ESI,2 
  0042BCE1|. 81C6 55555555ADD ESI,55555555
  0042BCE7|. 8D0476 LEA EAX,DWORD PTR DS:[ESI+ESI*2]
  0042BCEA|. 50 PUSH EAX; 0xffffffff
  0042BCEB|. 51 PUSH ECX; heap
  0042BCEC|. 52 PUSH EDX; context
  0042BCED|. E8 5E0E0000CALL nmma.0042CB50; blowfish
  
  Through additional packets before and after the malformed one (the
  service is multi-thread) may be possible to control the corruption.
  
  
  #######################################################################
  
  ===========
  3) The Code
  ===========
  
  
  http://aluigi.org/poc/nmma_x.zip
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18489.zip (nmma_x.zip)
  
  nmma_x 1 SERVER
  
  
  #######################################################################
  
  ======
  4) Fix
  ======
  
  
  No fix.
  
  
  #######################################################################