Novell GroupWise Messenging Agent Accept-Language Header Remote Overflow

2006-04-13T05:17:35
ID OSVDB:24617
Type osvdb
Reporter CIRT(advisory@cirt.dk)
Modified 2006-04-13T05:17:35

Description

Vulnerability Description

A remote overflow exists in Novell GroupWise Messenger. The Novell Messaging Agent service fails to check length during the parsing of long parameters within the Accept-Language header resulting in a stack-based buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution in the context of SYSTEM or superuser.

Solution Description

Upgrade to GroupWise Messenger version 2.0 Public Beta 2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

A remote overflow exists in Novell GroupWise Messenger. The Novell Messaging Agent service fails to check length during the parsing of long parameters within the Accept-Language header resulting in a stack-based buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution in the context of SYSTEM or superuser.

References:

Vendor Specific Solution URL: http://support.novell.com/cgi-bin/search/searchtid.cgi?10100861.htm Security Tracker: 1015911 Secunia Advisory ID:19663 Other Advisory URL: http://cirt.dk/advisories/cirt-42-advisory.txt Other Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-06-008.html Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0264.html Mail List Post: http://archives.neohapsis.com/archives/dailydave/2006-q2/0051.html Keyword: ZDI-06-008 Keyword: TID10100861 Keyword: port 8300/tcp Generic Informational URL: http://metasploit.blogspot.com/2006/04/exploit-development-groupwise_14.html Generic Exploit URL: http://www.milw0rm.com/exploits/1679 FrSIRT Advisory: ADV-2006-1355 CVE-2006-0992 Bugtraq ID: 17503