Bugtraqmailing list archives
[ISR] - Novell GroupWise Client Integer Overflow
From: Francisco Amato <famato () infobyte com ar>
Date: Tue, 27 Sep 2005 10:57:57 -0300
|||| [ISR]|| Infobyte Security Research|| www.infobyte.com.ar|| 09.27.2005||.:: SUMMARYNovell GroupWise Client Integer OverflowVersion: GroupWise 6.5.3, It is suspected that all previous versions ofGroupwise Clientare vulnerable..:: BACKGROUNDGroupWise Client is Novell's premier Intranet/Internet GroupWare solutionfor platform Windows.More info:http://www.novell.com.:: DESCRIPTION
This issue is due to a failure of the application to securely parse thesaved port number of the last authentication store in windows register.
To reproduce this, we have to modify the default register key ofHKEY_CURRENT_USER\Software\Novell\GroupWise\Login Parameters\TCP/IP PortFor example, set the value (11111111111111111111111111111111).
Then, when we open the application client and the client get the portinformation occur the integer overflow.
EAX C71C71C7ECX 01F6ADC0 ASCII "10.1.1.1"EDX 01F6ADC0 ASCII "10.1.1.1"EBX 00000000ESP 0012E9DCEBP 0012E9ECESI 00000000EDI 00000000EIP 52080AB3 gwenv1.52080AB3C 0 ES 0023 32bit 0(FFFFFFFF)P 0 CS 001B 32bit 0(FFFFFFFF)A 1 SS 0023 32bit 0(FFFFFFFF)Z 0 DS 0023 32bit 0(FFFFFFFF)S 1 FS 0038 32bit 7FFDE000(FFF)T 0 GS 0000 NULLD 0O 0 LastErr ERROR_SUCCESS (00000000)EFL 00010292 (NO,NB,NE,A,S,PO,L,LE)ST0 empty -NAN FFFF FFFCFEFC FFFCFEFCST1 empty -??? FFFF 00000000 00000000ST2 empty -??? FFFF 00FE00FB 00FD00FBST3 empty -??? FFFF 00FE00FB 00FD00FBST4 empty -NAN FFFF FFFCFEFC FFFCFEFCST5 empty -??? FFFF 00FF00FC 00FE00FCST6 empty -??? FFFF 00000000 00000000ST7 empty 256.000000000000000003 2 1 0 E S P U O Z D IFST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1Asm code line:52080AB3 66:8B00 MOV AX,WORD PTR DS:[EAX].:: VENDOR RESPONSE
Vendor advisory:http://support.novell.com/techcenter/search/search.do?cmd=displayKC&docType=kc&externalId=10098814html&sliceId=&dialogID=717171
Vendor patch:http://support.novell.com/cgi-bin/search/searchtid.cgi?/2972191.htm.:: DISCLOSURE TIMELINE
07/28/2005 Initial vendor notification07/28/2005 Initial vendor response notify research08/07/2005 Second vendor response09/27/2005 Coordinated public disclosure.:: CREDIT
Francisco Amato is credited with discovering this vulnerability.famato][at][infobyte][dot][com][dot][ar.:: LEGAL NOTICES
Copyright (c) 2005 by [ISR] Infobyte Security Research.Permission to redistribute this alert electronically is granted as long asit is not
edited in any way unless authorized by Infobyte Security Research Response.Reprinting the whole or part of this alert in any medium other thanelectronicallyrequires permission from infobyte com ar
DisclaimerThe information in the advisory is believed to be accurate at the time ofpublishingbased on currently available information. Use of the information constitutesacceptancefor use in an AS IS condition. There are no warranties with regard to thisinformation.Neither the author nor the publisher accepts any liability for any direct,indirect, orconsequential loss or damage arising from use of, or reliance on, thisinformation.
Current thread:
- [ISR] - Novell GroupWise Client Integer OverflowFrancisco Amato (Sep 27)
- Re: [ISR] - Novell GroupWise Client Integer OverflowCrist J. Clark (Sep 27)