Novell NetMail IMAPD Command Continuation Request Heap Overflow iDEFENSE Security Advisory 09.01.05 www.idefense.com/application/poi/display?id=301&type=vulnerabilities September 1, 2005 I. BACKGROUND Novell NetMail is an e-mail and calendaring system that is based on Internet-standard messaging and security protocols. More information about Novell NetMail is available from: http://www.novell.com/products/netmail/ II. DESCRIPTION Remote exploitation of a heap overflow vulnerability in Novell Inc.'s NetMail IMAP daemon allows unauthenticated attackers to execute arbitrary code with the privileges of the underlying user. The problem specifically exists in the handling of command continuation requests as the user-specified size value is used directly as the argument to a custom memory allocation wrapper (MMalloc()): 00402CA2 lea ecx, [ebx+1] ; ebx is attacker controlled 00402CA5 push ecx 00402CA6 call MMmalloc The MMalloc() routine performs minimal mathematical operations to the supplied value before allocating memory. An attacker can specify a malicious number that will result in an integer overflow and cause a small memory chunk to be allocated. The original and larger supplied value will be later used in an inline memcpy(): 00402D6E rep movsd ; destination is attacker allocated 00402D70 mov ecx, edx 00402D72 and ecx, 3 00402D75 rep movsb This instruction sequence will copy attacker-supplied data beyond the brims of the allocated heap chunk and arbitrarily overwrite the heap. Too large a payload will cause an access violation as it writes off the end of the heap. If the supplied data is large enough, it will corrupt the heap and eventually result in a classic arbitrary DWORD overwrite in NTDLL during subsequent heap manipulation: 77FCC2C0 mov [ecx], eax 77FCC2C2 mov [eax+4], ecx By overwriting the address of a soon to be called function, the attacker can redirect CPU flow and eventually execute arbitrary code. III. ANALYSIS Successful exploitation of the described vulnerability allows unauthenticated remote attackers to execute arbitrary code with the privileges of the underlying user, normally NetMailService. IV. DETECTION iDEFENSE has confirmed the existence of the vulnerability in the latest version of Novell NetMail, version 3.5.2. It is suspected that earlier versions of NetMail are also affected. V. WORKAROUND Employ firewalls, access control lists or other TCP/UDP restriction mechanisms to limit access to systems and services. VI. VENDOR RESPONSE The following vendor advisory has been released to address this vulnerability: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097957.htm VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-1758 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 04/25/2005 Initial vendor notification 04/25/2005 Initial vendor response 09/01/2005 Public disclosure IX. CREDIT This vulnerability was discovered by Pedram Amini, OpenRCE (www.openrce.org). Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright (c) 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.