Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Novell Groupwise Messenger 2.1.0 - Memory Corruption

🗓️ 16 Feb 2012 00:00:00Reported by Luigi AuriemmaType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 32 Views

Novell Groupwise Messenger 2.1.0 - Memory Corruption. Service nmma.exe on port 8300 allows remote memory corruption using a specific tag in the "login" command

Code
#######################################################################

                             Luigi Auriemma

Application:  Novell GroupWise Messenger
              http://www.novell.com/products/groupwise/
Versions:     <= 2.1.0
Platforms:    Windows, Linux, NetWare
Bug:          memory corruption
Exploitation: remote, versus server
Date:         16 Feb 2012 (found 10 May 2011)
Author:       Luigi Auriemma
              e-mail: [email protected]
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Check vendor's homepage and version because this is an old advisory.


#######################################################################

======
2) Bug
======


nmma.exe is a service running on port 8300.

The NM_A_PARM1 tag of the "login" command is the base64 of the
"username::password" string encrypted with blowfish.

This tag has the value 10 which is relative to the strings, but exists
another type defined as 12 which instead is used for particular data
("nested arrays") and when used for login->NM_A_PARM1 allows to corrupt
the heap memory:

  0042BCD9  |. 8B0B           MOV ECX,DWORD PTR DS:[EBX]        ; 3
  0042BCDB  |. 8B55 FC        MOV EDX,DWORD PTR SS:[EBP-4]      ; 3
  0042BCDE  |. C1EE 02        SHR ESI,2                         
  0042BCE1  |. 81C6 55555555  ADD ESI,55555555
  0042BCE7  |. 8D0476         LEA EAX,DWORD PTR DS:[ESI+ESI*2]
  0042BCEA  |. 50             PUSH EAX                          ; 0xffffffff
  0042BCEB  |. 51             PUSH ECX                          ; heap
  0042BCEC  |. 52             PUSH EDX                          ; context
  0042BCED  |. E8 5E0E0000    CALL nmma.0042CB50                ; blowfish

Through additional packets before and after the malformed one (the
service is multi-thread) may be possible to control the corruption.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/nmma_x.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18489.zip (nmma_x.zip)

nmma_x 1 SERVER


#######################################################################

======
4) Fix
======


No fix.


#######################################################################

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Feb 2012 00:00Current
7.4High risk
Vulners AI Score7.4
novell groupwise messengermemory corruptionremote exploitationluigi auriemmawindowslinuxnetwareblowfish encryptionmulti-threadvulnerabilityexploit code
32