OSVDB ID: 24617

Title: Novell GroupWise Messenging Agent Accept-Language Header Remote Overflow

Info

Disclosure

Apr 13, 2006

Discovery

Mar 16, 2006

Dates

Exploit

Apr 15, 2006

Solution

Apr 13, 2006

Description

A remote overflow exists in Novell GroupWise Messenger. The Novell Messaging Agent service fails to check length during the parsing of long parameters within the Accept-Language header resulting in a stack-based buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution in the context of SYSTEM or superuser.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Public, Exploit Private, Exploit Commercial
Disclosure: OSVDB Verified, Vendor Verified

Solution

Upgrade to GroupWise Messenger version 2.0 Public Beta 2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Novell, Inc.	GroupWise Messenger	2.0
		2.0 Public Beta 2

References

Security Tracker: 1015911
Milw0rm: 1679
Exploit Database: 1679
Bugtraq ID: 17503
Secunia Advisory ID: 19663
CVE ID: 2006-0992 (see also: NVD)
SCIP VulDB ID: 2152
Metasploit ID: 24617
VUPEN Advisory: ADV-2006-1355
Mail List Post: http://archives.neohapsis.com/archives/dailydave/2006-q2/0051.html
http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0264.html
Other Advisory URL: http://cirt.dk/advisories/cirt-42-advisory.txt
http://www.zerodayinitiative.com/advisories/ZDI-06-008.html
Generic Exploit URL: http://immunitysec.com
http://www.saintcorporation.com/cgi-bin/exploit_info/groupwise_messenger_accept_language
Generic Informational URL: http://metasploit.blogspot.com/2006/04/exploit-development-groupwise_14.html
Vendor Specific Solution URL: http://support.novell.com/cgi-bin/search/searchtid.cgi?10100861.htm
Keyword: port 8300/tcp TID10100861 ZDI-06-008

Credit

CIRT - advisorycirt.dk - Danish Computer Incident Response Team

Direct URL: http://osvdb.org/24617

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Novell, Inc.

GroupWise Messenger

References

Credit