####################################################################### Luigi Auriemma Application: Novell GroupWise Messenger http://www.novell.com/products/groupwise/ Versions: <= 2.1.0 Platforms: Windows, Linux, NetWare Bug: memory corruption Exploitation: remote, versus server Date: 16 Feb 2012 (found 10 May 2011) Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Check vendor's homepage and version because this is an old advisory. ####################################################################### ====== 2) Bug ====== nmma.exe is a service running on port 8300. The NM_A_PARM1 tag of the "login" command is the base64 of the "username::password" string encrypted with blowfish. This tag has the value 10 which is relative to the strings, but exists another type defined as 12 which instead is used for particular data ("nested arrays") and when used for login->NM_A_PARM1 allows to corrupt the heap memory: 0042BCD9 |. 8B0B MOV ECX,DWORD PTR DS:[EBX] ; 3 0042BCDB |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4] ; 3 0042BCDE |. C1EE 02 SHR ESI,2 0042BCE1 |. 81C6 55555555 ADD ESI,55555555 0042BCE7 |. 8D0476 LEA EAX,DWORD PTR DS:[ESI+ESI*2] 0042BCEA |. 50 PUSH EAX ; 0xffffffff 0042BCEB |. 51 PUSH ECX ; heap 0042BCEC |. 52 PUSH EDX ; context 0042BCED |. E8 5E0E0000 CALL nmma.0042CB50 ; blowfish Through additional packets before and after the malformed one (the service is multi-thread) may be possible to control the corruption. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/nmma_x.zip nmma_x 1 SERVER ####################################################################### ====== 4) Fix ====== No fix. #######################################################################