Novell NetMail is an e-mail and calendaring system that is based on Internet-standard messaging and security protocols.
Remote exploitation of buffer overflows in Novell's NetMail allows unauthenticated attackers to execute arbitrary code with the privileges of the underlying user. Lack of proper validation of user input also allows attackers to perform cross-site scripting (XSS) and steal information from users.
Credit:
The information has been provided by iDEFENSE Labs Security Advisories and Novell.
The original article can be found at: http://www.idefense.com/application/poi/display?id=301&type=vulnerabilities
The vendor advisory can be found at: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097957.htm
Vulnerable Systems:
* Novell NetMail version 3.5.2
IMAPD Command Continuation Request Buffer Overflow:
The problem specifically exists in the handling of command continuation requests as the user-specified size value is used directly as the argument to a custom memory allocation wrapper (MMalloc()):
00402CA2 lea ecx, [ebx+1] ; ebx is attacker controlled
00402CA5 push ecx
00402CA6 call MMmalloc
The MMalloc() routine performs minimal mathematical operations to the supplied value before allocating memory. An attacker can specify a malicious number that will result in an integer overflow and cause a small memory chunk to be allocated. The original and larger supplied value will be later used in an inline memcpy():
00402D6E rep movsd ; destination is attacker allocated
00402D70 mov ecx, edx
00402D72 and ecx, 3
00402D75 rep movsb
This instruction sequence copies attacker-supplied data beyond the bounds of the allocated heap chunk and arbitrarily overwrites the heap.
Too large a payload will cause an access violation as it writes off the end of the heap. If the supplied data is large enough, it will corrupt the heap and eventually result in a classic arbitrary DWORD overwrite in NTDLL during subsequent heap manipulation:
77FCC2C0 mov [ecx], eax
77FCC2C2 mov [eax+4], ecx
By overwriting the address of a soon to be called function, the attacker can redirect CPU flow and eventually execute arbitrary code.
Successful exploitation of the described vulnerability allows unauthenticated remote attackers to execute arbitrary code with the privileges of the underlying user, normally NetMailService.
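The root cause above is the unchecked `n + 1` on an attacker-supplied literal size: on a 32-bit server, `n == 0xFFFFFFFF` wraps to an allocation of zero bytes while the original `n` drives the copy. The following is an added example, not NetMail's code: a constructed IMAP literal-size parser with the wrapping computation next to a hardened one that rejects the value before any arithmetic (the `MAX_LITERAL` cap, function names and 32-bit width are assumptions).

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LITERAL 1048576u   /* assumed policy cap on a literal's byte count */

/* Parse the byte count from an IMAP literal such as "{4294967295}" into a
 * full-width value. Returns 1 on success, 0 on malformed input (no braces,
 * non-digit, leading sign, or out of range). Constructed parser, not NetMail's. */
int parse_literal_size(const char *line, uint64_t *out) {
    const char *open = strchr(line, '{');
    if (!open || !isdigit((unsigned char)open[1])) return 0;  /* rejects "{-1}" too */
    char *end;
    errno = 0;
    unsigned long long v = strtoull(open + 1, &end, 10);
    if (errno == ERANGE || *end != '}') return 0;
    *out = (uint64_t)v;
    return 1;
}

/* Unchecked pattern from the advisory: the size is truncated to the server's
 * 32-bit width and incremented, so 0xFFFFFFFF + 1 wraps to 0 (tiny chunk). */
uint32_t alloc_size_unchecked(uint64_t n) {
    uint32_t n32 = (uint32_t)n;
    return n32 + 1;                    /* wraps to 0 for n32 == UINT32_MAX */
}

/* Hardened: bound the full-width value before any arithmetic. The cap is far
 * below UINT32_MAX, so n + 1 can never wrap once the check passes. */
int alloc_size_checked(uint64_t n, uint32_t *out) {
    if (n > MAX_LITERAL) return 0;
    *out = (uint32_t)n + 1;
    return 1;
}

/* Returns the allocation size to use for a continuation request, or 0 if the
 * request must be refused (0 is never a valid size here, since n + 1 >= 1). */
uint32_t accept_continuation(const char *line) {
    uint64_t n;
    uint32_t alloc;
    if (!parse_literal_size(line, &n)) return 0;
    if (!alloc_size_checked(n, &alloc)) return 0;
    return alloc;
}
```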
WebAccess Cross-Site Scripting:
When a user opens an appointment containing validly formatted script in the body of the message, the browser interprets and executes that script. The script could perform malicious actions on the user's authenticated connection. Any client that sends an iCal object to a NetMail user can trigger this.
WebAccess Buffer Overflow:
Specifying a very large name on folder rename through the WebAccess or WebMail client causes a buffer overflow that allows attackers to execute arbitrary code.
Vendor Status:
The vendor has issued a fix for the vulnerability: http://support.novell.com/filefinder/19357/index.html
CVE Information:
CAN-2005-1756
CAN-2005-1757
CAN-2005-1758
Disclosure Timeline:
04/25/2005 - Initial vendor notification
04/25/2005 - Initial vendor response
09/01/2005 - Public disclosure