nmrc.98-09-23.novell.groupwise
Posted Sep 23, 1999
SHA-256 | 30195507c6a486033886248fbefad5d6cd862d5db32179995b17a5424d3c0085

From thegnome@NMRC.ORG Sat Sep 26 04:07:03 1998
From: Simple Nomad <thegnome@NMRC.ORG>
To: BUGTRAQ@netspace.org
Date: Sun, 22 Mar 1998 01:32:12 -0600
Subject: NMRC Advisory - GroupWise Buffer Overflow

_______________________________________________________________________________

Nomad Mobile Research Centre
A D V I S O R Y
www.nmrc.org
Jitsu-Disk [jitsu@nmrc.org]
23Sep1998
_______________________________________________________________________________

Platform : Novell IntranetWare
Application : GroupWise
Severity : High


Synopsis
--------

A remote buffer overflow condition exists in the Novell GroupWise Internet
Gateway that permits DoS attacks and possible execution of malicious code.
The overflow happens in the string parsing of the USER command in the POP3
daemon, and in the command parsing of the LDAP daemon.

Tested configuration
--------------------

The bug was tested with the following configuration:

Novell Intranetware
Intranetware Service Pack 5
TCP/IP TCPN05 patch
Novell BorderManager 2.1.0
BorderManager Service pack 2.0D
GroupWise 5.2
GroupWise Service pack 3

Bug(s) report
-------------

- POP3

When connecting to the POP3 daemon and issuing the USER command with a
user name of 512 bytes or longer, you get disconnected. Normal.

Now if you give a user name longer than 241 bytes, the execution stack
gets smashed. On our system it got filled with the hex value of the ASCII
name provided, starting at byte 242.

Ex :
-> Telnet buggy.groupwise
<- Groupwise blabla blabla ....
-> USER xxxxxxxxxxxxxxxx ..... xxxxxxxxxXXXXXXXXXXXXXXXXXXXXXXX
                              byte: 241||242
                                       ||
                              smash <--  --> exec stack filled
                                             by what follows

When SP5 is installed, the NLM will abend but not the server.

Little bonus : when issuing the USER command with a plausible user
name (ex: "user001") that doesn't exist, you get the following : "-ERR user
not found", and are still connected. This allows a malicious attacker to
check for valid accounts.

- LDAP

Same stuff, with a better feature : the size of the command string is
virtually unlimited.

Solution/Workaround
-------------------

The POP3 and LDAP services are active by default; disable them until Novell
posts a patch. After disabling them, it is recommended that the server be
recycled to ensure they are really off.
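
Added example, not part of the NMRC advisory and not GroupWise code: a POP3 USER handler that checks the argument length before copying anything and answers identically for existing and non-existing names, covering both POP3 issues reported above. The function names and reply strings are hypothetical; the 40-character argument limit is taken from RFC 1939, not from the advisory.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

#define POP3_ARG_MAX 40   /* RFC 1939: each argument may be up to 40 characters */

enum user_rc { USER_OK = 0, USER_NOT_USER = -1, USER_TOO_LONG = -2, USER_BAD_CHAR = -3 };

/* Parse "USER <name>" from one received line into out[outsz].
 * The length is checked before any byte is copied, so an oversized
 * name is rejected rather than truncated or written past the buffer. */
int pop3_parse_user(const char *line, size_t len, char *out, size_t outsz)
{
    /* Strip the trailing CRLF (or bare LF) using the received length only. */
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;
    if (len < 6 || strncasecmp(line, "USER ", 5) != 0)
        return USER_NOT_USER;

    const char *name = line + 5;
    size_t nlen = len - 5;
    if (nlen > POP3_ARG_MAX || nlen >= outsz)
        return USER_TOO_LONG;
    for (size_t i = 0; i < nlen; i++)
        if (!isgraph((unsigned char)name[i]))   /* no spaces, controls, NUL or 8-bit */
            return USER_BAD_CHAR;

    memcpy(out, name, nlen);
    out[nlen] = '\0';
    return USER_OK;
}

/* Reply to USER. Whether the mailbox exists is deliberately not consulted:
 * known and unknown names get the same answer and failure is reported only
 * after PASS, so the command cannot be used to test account names. */
const char *pop3_user_reply(int rc)
{
    return rc == USER_OK ? "+OK send PASS\r\n" : "-ERR invalid command\r\n";
}
```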

Comments
--------

During testing it was noted that there were some inconsistencies between
GroupWise databases, although the source of the inconsistency was not
conclusively determined to be the overflow. Alternative : uninstall
GroupWise and get Lotus Notes.

Additionally, it should be noted that there is currently no known exploit
that allows remote execution of code on a NetWare server, but overflow
conditions like this certainly would help open that door.

Novell has been contacted regarding this bug.

_______________________________________________________________________________