[NT] Novell GroupWise Client Integer Overflow: msg#00111security.securiteam
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Novell GroupWise Client Integer Overflow
------------------------------------------------------------------------

SUMMARY

"Novell GroupWise is a complete collaboration software solution that provides information workers with e-mail, calendaring, instant messaging, task management, and contact and document management functions." <http://www.novell.com/products/groupwise/index.html>

Novell GroupWise Client is vulnerable to an integer overflow that allows attackers to execute arbitrary code.

DETAILS

Vulnerable Systems:
 * GroupWise version 6.5.3

Immune Systems:
 * GroupWise version 6.5 SP5

The integer overflow is caused by the application's failure to correctly parse the saved port number stored in the Windows registry.

Proof of Concept:
To reproduce this, modify the registry key:

    HKEY_CURRENT_USER\Software\Novell\GroupWise\Login Parameters\TCP/IP Port

For example, set the value to 11111111111111111111111111111111. When the client application is then opened and reads the port information, the integer overflow occurs.

Stack Trace:

    EAX C71C71C7
    ECX 01F6ADC0 ASCII "10.1.1.1"
    EDX 01F6ADC0 ASCII "10.1.1.1"
    EBX 00000000
    ESP 0012E9DC
    EBP 0012E9EC
    ESI 00000000
    EDI 00000000
    EIP 52080AB3 gwenv1.52080AB3
    C 0  ES 0023 32bit 0(FFFFFFFF)
    P 0  CS 001B 32bit 0(FFFFFFFF)
    A 1  SS 0023 32bit 0(FFFFFFFF)
    Z 0  DS 0023 32bit 0(FFFFFFFF)
    S 1  FS 0038 32bit 7FFDE000(FFF)
    T 0  GS 0000 NULL
    D 0
    O 0  LastErr ERROR_SUCCESS (00000000)
    EFL 00010292 (NO,NB,NE,A,S,PO,L,LE)
    ST0 empty -NAN FFFF FFFCFEFC FFFCFEFC
    ST1 empty -??? FFFF 00000000 00000000
    ST2 empty -??? FFFF 00FE00FB 00FD00FB
    ST3 empty -??? FFFF 00FE00FB 00FD00FB
    ST4 empty -NAN FFFF FFFCFEFC FFFCFEFC
    ST5 empty -??? FFFF 00FF00FC 00FE00FC
    ST6 empty -??? FFFF 00000000 00000000
    ST7 empty 256.00000000000000000
                   3 2 1 0      E S P U O Z D I
    FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
    FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

Assembly code:

    52080AB3 66:8B00 MOV AX,WORD PTR DS:[EAX]

Vendor Status:
The vendor has issued a patch:
http://support.novell.com/cgi-bin/search/searchtid.cgi?/2972191.htm

CVE Information:
CAN-2005-2804 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2804>

Disclosure Timeline:
07/28/2005 - Initial vendor notification
07/28/2005 - Initial vendor response notify research
08/07/2005 - Second vendor response
09/27/2005 - Coordinated public disclosure

ADDITIONAL INFORMATION

The information has been provided by Francisco Amato <mailto:famato@xxxxxxxxxxxxxxx>.

The vendor advisory:
http://support.novell.com/techcenter/search/search.do?cmd=displayKC&docType=kc&externalId=10098814html&sliceId=&dialogID=717171
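Added example (not part of the advisory and not GroupWise code): a naive 32-bit decimal parse of the 32-digit value from the proof of concept wraps to 0xC71C71C7, the value shown in EAX in the register dump, next to a port parser that rejects it. That the client reads the value as a decimal string and parses it this way is an assumption; the names naive_parse_u32 and parse_port and the sample port 1677 are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Naive decimal parse into 32 bits: no length or range check, so the
 * accumulator silently wraps modulo 2^32 (assumed behaviour, see lead-in). */
uint32_t naive_parse_u32(const char *s)
{
    uint32_t v = 0;
    while (*s >= '0' && *s <= '9')
        v = v * 10u + (uint32_t)(*s++ - '0');
    return v;
}

/* Hardened parse: digits only, 1 to 5 characters, value 1..65535.
 * Returns 0 and stores the port on success, -1 on any rejection. */
int parse_port(const char *s, uint16_t *out)
{
    size_t len = strlen(s);
    uint32_t v = 0;

    if (len == 0 || len > 5)
        return -1;
    for (size_t i = 0; i < len; i++) {
        if (s[i] < '0' || s[i] > '9')
            return -1;
        v = v * 10u + (uint32_t)(s[i] - '0');  /* at most 99999, cannot wrap */
    }
    if (v == 0 || v > 65535u)
        return -1;
    *out = (uint16_t)v;
    return 0;
}

int main(void)
{
    const char *poc = "11111111111111111111111111111111"; /* value from the advisory */
    const char *ok = "1677";                               /* constructed sample port */
    uint16_t port = 0;

    printf("naive:    0x%08X\n", (unsigned)naive_parse_u32(poc));
    printf("hardened: %s\n", parse_port(poc, &port) == 0 ? "accepted" : "rejected");
    if (parse_port(ok, &port) == 0)
        printf("hardened: %s -> %u\n", ok, (unsigned)port);
    return 0;
}
```

The length check runs before any arithmetic, so the hardened accumulator never exceeds 99999 and the range test sees the true value rather than a wrapped one.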