Novell Groupwise Messenger 2.1.0 - Arbitrary Memory Corruption

Reported by Luigi Auriemma on 16 Feb 2012 00:00:00. Type: exploitpack

Novell GroupWise Messenger 2.1.0 Arbitrary Memory Corruption vulnerability via nmma.exe service on port 830

Code
#######################################################################

                             Luigi Auriemma

Application:  Novell GroupWise Messenger
              http://www.novell.com/products/groupwise/
Versions:     <= 2.1.0
Platforms:    Windows, Linux, NetWare
Bug:          write4
Exploitation: remote, versus server
Date:         16 Feb 2012 (found 10 May 2011)
Author:       Luigi Auriemma
              e-mail: [email protected]
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Check vendor's homepage and version because this is an old advisory.


#######################################################################

======
2) Bug
======


nmma.exe is a service running on port 8300.

The protocol is composed of typed fields, for example type 10 for
strings and type 8 for integers, much like any RPC protocol.

Through the "createsearch" command, sent from a valid account with a
type 9 value, it is possible to write 0x00000000 to an arbitrary memory
location:

  00496E2A  |> 8B5D 0C        /MOV EBX,DWORD PTR SS:[EBP+C]
  00496E2D  |> 8B4D F8         MOV ECX,DWORD PTR SS:[EBP-8]
  00496E30  |. 8A47 06        |MOV AL,BYTE PTR DS:[EDI+6]
  00496E33  |. 81E1 FFFF0000  |AND ECX,0FFFF
  00496E39  |. 3C 02          |CMP AL,2
  00496E3B  |. 8B5C8B 04      |MOV EBX,DWORD PTR DS:[EBX+ECX*4+4]
  ...
  00496F3A  |. C703 00000000  |MOV DWORD PTR DS:[EBX],0     ; EBX is controlled
  00496F40  |. 83C3 04        |ADD EBX,4
  00496F43  |. 53             |PUSH EBX
  00496F44  |. 6A 20          |PUSH 20
  00496F46  |. E8 5541F9FF    |CALL nmma.0042B0A0

It seems that this vulnerability can be reached only with a valid account.
In my PoC I have used a pre-built admin::adminpass account, so remember
to change the NM_A_PARM1 field if you want to use another one.
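The write4 shape in the listing above, as an added C model that is not nmma.exe's code (the struct, the function names and the table size are assumptions): a masked 16-bit field index selects a pointer from a per-request table and 0 is stored through it, shown beside the bounds check that rejects an out-of-range index instead of letting it become an arbitrary write.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of the disassembly: ECX & 0xFFFF indexes a pointer
 * table ([EBX+ECX*4+4]) and MOV DWORD PTR [EBX],0 stores through the
 * selected pointer. Names and sizes are assumptions, not the real layout. */
#define FIELD_SLOTS 4

struct request {
    uint32_t nfields;               /* entries of fields[] that are valid */
    uint32_t *fields[FIELD_SLOTS];  /* destination pointer per parsed field */
};

/* Vulnerable shape: the index is trusted. Any 16-bit value reads past
 * fields[] and whatever pointer sits there receives the write of 0. */
void clear_field_unchecked(struct request *r, uint32_t idx_raw)
{
    uint32_t idx = idx_raw & 0xFFFF;   /* same masking as AND ECX,0FFFF */
    *r->fields[idx] = 0;
}

/* Hardened shape: the index is validated against both the count the
 * request declared and the real table size, and the slot must be set.
 * Returns 1 when the write was performed, 0 when the request is rejected. */
int clear_field_checked(struct request *r, uint32_t idx_raw)
{
    uint32_t idx = idx_raw & 0xFFFF;
    if (idx >= r->nfields || idx >= FIELD_SLOTS || r->fields[idx] == NULL)
        return 0;                      /* would index outside the table */
    *r->fields[idx] = 0;
    return 1;
}

/* Scenario used by the checks: two live slots, then probes at an in-range
 * index, an index past nfields, and 16-bit values past the table itself.
 * Returns 1 if the checked version accepts only the in-range index. */
int self_check(void)
{
    uint32_t a = 0xAAAAAAAA, b = 0xBBBBBBBB;
    struct request r = { 2, { &a, &b, NULL, NULL } };
    if (clear_field_checked(&r, 1) != 1 || b != 0) return 0;
    if (clear_field_checked(&r, 3) != 0) return 0;        /* beyond nfields */
    if (clear_field_checked(&r, 0x10005) != 0) return 0;  /* masks to 5 */
    if (clear_field_checked(&r, 0xFFFF) != 0) return 0;   /* past the table */
    if (a != 0xAAAAAAAA) return 0;                        /* untouched slot */
    clear_field_unchecked(&r, 0);                         /* in range: fine */
    return a == 0;
}
```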


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/nmma_x.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/18488.zip (nmma_x.zip)

nmma_x 3 SERVER


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
