Novell Groupwise Messenger 2.1.0 – Arbitrary Memory Corruption

  • Author: Luigi Auriemma
  • Date: 2012-02-16
  • Category:
  • Platform:
  • Source: https://www.exploit-db.com/exploits/18488/
    #######################################################################
    
     Luigi Auriemma
    
    Application:  Novell GroupWise Messenger
                  http://www.novell.com/products/groupwise/
    Versions:     <= 2.1.0
    Platforms:    Windows, Linux, NetWare
    Bug:          write4
    Exploitation: remote, versus server
    Date:         16 Feb 2012 (found 10 May 2011)
    Author:       Luigi Auriemma
    e-mail:       aluigi@autistici.org
    web:          aluigi.org
    
    
    #######################################################################
    
    
    1) Introduction
    2) Bug
    3) The Code
    4) Fix
    
    
    #######################################################################
    
    ===============
    1) Introduction
    ===============
    
    
    Check the vendor's homepage and the current version, because this is an old advisory.
    
    
    #######################################################################
    
    ======
    2) Bug
    ======
    
    
    nmma.exe is a service running on port 8300.
    
    The protocol is composed of typed fields (for example type 10 for
    strings and type 8 for integers), much like any RPC protocol.

    Through the "createsearch" command sent from a valid account, a type 9
    value makes it possible to write 0x00000000 to an arbitrary memory
    location:
    
    00496E2A  8B5D 0C          MOV EBX,DWORD PTR SS:[EBP+C]
    00496E2D  8B4D F8          MOV ECX,DWORD PTR SS:[EBP-8]
    00496E30  8A47 06          MOV AL,BYTE PTR DS:[EDI+6]
    00496E33  81E1 FFFF0000    AND ECX,0FFFF
    00496E39  3C 02            CMP AL,2
    00496E3B  8B5C8B 04        MOV EBX,DWORD PTR DS:[EBX+ECX*4+4]
    ...
    00496F3A  C703 00000000    MOV DWORD PTR DS:[EBX],0      ; EBX is controlled
    00496F40  83C3 04          ADD EBX,4
    00496F43  53               PUSH EBX
    00496F44  6A 20            PUSH 20
    00496F46  E8 5541F9FF      CALL nmma.0042B0A0
    
    It seems that this vulnerability can be reached only with a valid account.
    In my PoC I have used a pre-built admin::adminpass account, so remember
    to change the NM_A_PARM1 field if you want to use another one.
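The listing above shows the shape of the defect: a client-supplied index is masked to 16 bits (AND ECX,0FFFF), used to fetch a pointer from a table (MOV EBX,[EBX+ECX*4+4]) and then dereferenced for a store of 0 without the index ever being compared to the table size. The following C is an added illustration of that pattern beside a bounds-checked version; it is constructed for this page and is not nmma.exe code, and the struct layout, names and slot count are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration (not nmma.exe code): a 16-bit index from the
 * request selects a pointer from a table and the handler stores 0 through
 * it, mirroring "MOV DWORD PTR DS:[EBX],0". Layout and names are assumed. */

#define TABLE_SLOTS 4

typedef struct { uint32_t state; } entry_t;   /* dword the handler clears */

struct table {
    uint32_t count;            /* header dword: slots start at +4, as in [EBX+ECX*4+4] */
    entry_t *slots[TABLE_SLOTS];
};

/* Vulnerable shape: the index is masked to 16 bits (AND ECX,0FFFF) but
 * never compared to the table size, so an index >= TABLE_SLOTS fetches
 * whatever follows the slot array and writes 0 through it. */
static void clear_entry_unchecked(struct table *t, uint32_t idx) {
    entry_t *e = t->slots[idx & 0xFFFF];   /* no bounds check */
    e->state = 0;                          /* write of 0 through a fetched pointer */
}

/* Hardened shape: validate the index against the populated slot count and
 * reject empty slots before dereferencing. Returns 0 on success, -1 when
 * the request is rejected. */
static int clear_entry_checked(struct table *t, uint32_t idx) {
    uint32_t i = idx & 0xFFFF;
    if (i >= t->count || i >= TABLE_SLOTS || t->slots[i] == NULL)
        return -1;
    t->slots[i]->state = 0;
    return 0;
}

/* Exercises both handlers on a small constructed table; returns 1 when the
 * in-range requests clear their entries and the bad ones are refused. */
int demo(void) {
    entry_t a = { 0xDEADBEEF }, b = { 0xCAFEBABE };
    struct table t = { 3, { &a, &b, NULL, NULL } };
    clear_entry_unchecked(&t, 0);                             /* valid index: fine */
    if (a.state != 0) return 0;
    if (clear_entry_checked(&t, 1) != 0 || b.state != 0) return 0;
    if (clear_entry_checked(&t, 0x10000 + 5) != -1) return 0; /* masks to 5: out of range */
    if (clear_entry_checked(&t, 2) != -1) return 0;           /* within count but NULL slot */
    if (clear_entry_checked(&t, 3) != -1) return 0;           /* beyond count */
    return 1;
}
```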
    
    
    #######################################################################
    
    ===========
    3) The Code
    ===========
    
    
    http://aluigi.org/poc/nmma_x.zip
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18488.zip (nmma_x.zip)
    
    nmma_x 3 SERVER
    
    
    #######################################################################
    
    ======
    4) Fix
    ======
    
    
    No fix.
    
    
    #######################################################################