#######################################################################

                             Luigi Auriemma

Application:  Novell GroupWise Messenger
              http://www.novell.com/products/groupwise/
Versions:     <= 2.1.0
Platforms:    Windows, Linux, NetWare
Bug:          data leaking
Exploitation: remote, versus server
Date:         25 Oct 2011 (found 10 May 2011)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Check the vendor's homepage and the current version, because this is an
old advisory.

#######################################################################

======
2) Bug
======

nmma.exe is a service listening on port 8300.

The protocol is composed of fields that have particular types, for
example 10 for strings or 8 for integers, and so on, as in any RPC
protocol.

With some commands, when we use types different from those expected by
the server (type 8 instead of 10), it's possible to force the reading
and usage of arbitrary memory locations, whose contents are then
returned to the user.

For example, one scenario is the possibility of reading any string in
memory at arbitrary locations, including the username and password of
the admin account used to access the eDirectory server, which are stored
in a static buffer, allowing the attacker to gain full control of the
whole eDirectory server.

#######################################################################

===========
3) The Code
===========

Proof-of-concept that displays the administrator username and password
(static addresses of nmma.exe 2.1.0):

  http://aluigi.org/poc/nmma_x.zip

  nmma_x 2 SERVER

#######################################################################

======
4) Fix
======

http://www.novell.com/support/viewContent.do?externalId=7009634

#######################################################################
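The defect described in section 2 is a type-confusion bug in a typed-field RPC decoder: the server accepted a field whose tag said "integer" (8) where the command expected "string" (10) and then used the integer's value as if it were a string reference, so memory at that location was read back to the client. The following C example is added here as an illustration of the defensive pattern a decoder needs; it is not code from the advisory, from nmma.exe or from Novell. The wire layout ([type:1][len:4 little-endian][payload]), the field names, the `login_schema` command layout and the sample messages are all assumptions constructed for the example; only the tag values 8 and 10 come from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Type tags as described in the advisory (10 = string, 8 = integer).
   Everything else about the layout below is an assumption. */
#define FT_INT    8
#define FT_STRING 10

struct field {
    uint8_t        type;   /* tag chosen by the remote client, never trusted */
    uint32_t       len;    /* payload length, already bounds-checked */
    const uint8_t *data;   /* pointer into the received buffer only */
};

/* Parse one field: assumed layout [type:1][len:4 LE][payload].
   Returns the number of bytes consumed, or 0 if the field is malformed. */
size_t decode_field(const uint8_t *buf, size_t buflen, struct field *out)
{
    if (buflen < 5) return 0;
    uint32_t len = (uint32_t)buf[1] | ((uint32_t)buf[2] << 8) |
                   ((uint32_t)buf[3] << 16) | ((uint32_t)buf[4] << 24);
    if (len > buflen - 5) return 0;          /* payload would overrun the buffer */
    out->type = buf[0];
    out->len  = len;
    out->data = buf + 5;
    return 5 + (size_t)len;
}

/* Hardened string accessor: only a string-tagged field may be read as a
   string, and only from the bytes that were actually received. The bug the
   advisory describes is the absence of exactly this tag check, so an
   integer payload was turned into a memory reference. */
int get_string(const struct field *f, char *dst, size_t dstlen)
{
    if (f->type != FT_STRING) return -1;     /* wrong tag: refuse, do not reinterpret */
    if (f->len >= dstlen)     return -1;     /* leave room for the terminating NUL */
    memcpy(dst, f->data, f->len);
    dst[f->len] = '\0';
    return 0;
}

/* Integer accessor with the same discipline: tag and size must both match. */
int get_int(const struct field *f, uint32_t *out)
{
    if (f->type != FT_INT || f->len != 4) return -1;
    *out = (uint32_t)f->data[0] | ((uint32_t)f->data[1] << 8) |
           ((uint32_t)f->data[2] << 16) | ((uint32_t)f->data[3] << 24);
    return 0;
}

/* Assumed schema for a hypothetical two-string command (user, password). */
const uint8_t login_schema[] = { FT_STRING, FT_STRING };

/* Validate every field's tag against the command schema before any handler
   touches the payload. Returns the field count on success, -1 on the first
   malformed field or tag mismatch. */
int validate_message(const uint8_t *buf, size_t buflen,
                     const uint8_t *schema, size_t nfields)
{
    size_t off = 0;
    for (size_t i = 0; i < nfields; i++) {
        struct field f;
        size_t n = decode_field(buf + off, buflen - off, &f);
        if (n == 0 || f.type != schema[i]) return -1;
        off += n;
    }
    return (int)nfields;
}

/* Constructed sample messages (not captured traffic). */
const uint8_t sample_ok[] = {                 /* two string fields: well formed */
    0x0a, 0x05,0x00,0x00,0x00, 'a','l','i','c','e',
    0x0a, 0x06,0x00,0x00,0x00, 's','3','c','r','e','t'
};
const uint8_t sample_bad[] = {                /* second field tagged 8 where 10 is expected */
    0x0a, 0x05,0x00,0x00,0x00, 'a','l','i','c','e',
    0x08, 0x04,0x00,0x00,0x00, 0x10,0x20,0x30,0x40
};
const uint8_t sample_trunc[] = {              /* declared length 128, only 2 bytes present */
    0x0a, 0x80,0x00,0x00,0x00, 'x','y'
};

/* Exercises the accessors on the samples; returns 1 if all checks hold. */
int self_check(void)
{
    struct field f;
    char s[16];
    uint32_t v;

    if (decode_field(sample_ok, sizeof sample_ok, &f) != 10) return 0;
    if (get_string(&f, s, sizeof s) != 0 || strcmp(s, "alice") != 0) return 0;

    /* The mistyped field is readable as an integer but never as a string. */
    if (decode_field(sample_bad + 10, sizeof sample_bad - 10, &f) != 9) return 0;
    if (get_string(&f, s, sizeof s) != -1) return 0;
    if (get_int(&f, &v) != 0 || v != 0x40302010u) return 0;

    if (decode_field(sample_trunc, sizeof sample_trunc, &f) != 0) return 0;
    return 1;
}

int main(void)
{
    printf("ok message:        %d\n", validate_message(sample_ok, sizeof sample_ok, login_schema, 2));
    printf("mistyped message:  %d\n", validate_message(sample_bad, sizeof sample_bad, login_schema, 2));
    printf("truncated message: %d\n", validate_message(sample_trunc, sizeof sample_trunc, login_schema, 2));
    printf("self_check:        %d\n", self_check());
    return 0;
}
```

The point of the design is that a field's tag is input, not metadata the server owns: the schema says what each position must be, the accessor re-checks the tag and the length, and a payload is only ever dereferenced as bytes inside the received buffer, never as an address. A mismatch is rejected up front rather than coerced, which is what closes the information leak class the advisory describes.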