From thegnome@NMRC.ORG Sat Sep 26 04:07:03 1998
From: Simple Nomad
To: BUGTRAQ@netspace.org
Date: Sun, 22 Mar 1998 01:32:12 -0600
Subject: NMRC Advisory - GroupWise Buffer Overflow

_______________________________________________________________________________

                         Nomad Mobile Research Centre
                               A D V I S O R Y
                                www.nmrc.org

Jitsu-Disk [jitsu@nmrc.org]                                          23Sep1998
_______________________________________________________________________________

Platform    : Novell IntranetWare
Application : GroupWise
Severity    : High

Synopsis
--------

A remote buffer overflow condition exists in the Novell GroupWise Internet
Gateway that permits DoS attacks and possible execution of malicious code.
The overflow happens in the string parsing of the USER command in the POP3
daemon, and in the command parsing of the LDAP daemon.

Tested configuration
--------------------

The bug was tested with the following configuration:

Novell IntranetWare
IntranetWare Service Pack 5
TCP/IP TCPN05 patch
Novell BorderManager 2.1.0
BorderManager Service Pack 2.0D
GroupWise 5.2
GroupWise Service Pack 3

Bug(s) report
-------------

- POP3

When connecting to the POP3 daemon and issuing the USER command with a user
name of 512 bytes or longer you get disconnected. Normal. Now if you give a
user name longer than 241 bytes the execution stack gets smashed. On our
system it got filled with the hex value of the ASCII name provided, starting
at byte 242.

Ex:

  -> telnet buggy.groupwise
  <- GroupWise blabla blabla ....
  -> USER xxxxxxxxxxxxxxxx ..... xxxxxxxxxXXXXXXXXXXXXXXXXXXXXXXX
                                    byte: 241||242
                                               || smash <-- --> exec stack filled by what follows

When SP5 is installed, the NLM will abend but not the server.

Little bonus: when issuing the USER command with a plausible user name
(ex: user001) that doesn't exist you get the following: "-ERR user not
found", and are still connected. This allows a malicious attacker to check
for valid accounts.
- LDAP

Same stuff, with a better feature: the size of the command string is
virtually unlimited.

Solution/Workaround
-------------------

The POP3 & LDAP services are active by default; disable them until Novell
posts a patch. After disabling them it is recommended that the server is
recycled to ensure they are really off.

Comments
--------

During testing it was noted that there were some inconsistencies between
GroupWise databases, although the source of the inconsistency was not
conclusively determined to be the overflow.

Alternative: uninstall GroupWise and get Lotus Notes.

Additionally, it should be noted that there is currently no known exploit
that allows remote execution of code on a NetWare server, but overflow
conditions like this certainly would help open that door.

Novell has been contacted regarding this bug.
_______________________________________________________________________________
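The POP3 section above describes two separate defects: a length check that only fires at 512 bytes guarding a buffer that is overrun at byte 242, and an "-ERR user not found" reply that lets an unauthenticated client tell valid names from invalid ones. The C below is an added illustration, not Novell's or NMRC's code, of a USER handler that avoids both; USER_MAX, the account list and the function names are assumptions made for the example.

```c
/* Added illustration, not Novell's code. USER_MAX, the sample accounts and
 * all names are assumptions made for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#define USER_MAX 64   /* assumed: longest user name the server will accept */
enum user_result { USER_OK, USER_UNKNOWN, USER_TOO_LONG, USER_BAD_SYNTAX };
static const char *known_users[] = { "alice", "bob" }; /* constructed sample */

static bool user_exists(const char *name) {
    for (size_t i = 0; i < sizeof known_users / sizeof *known_users; i++)
        if (strcmp(name, known_users[i]) == 0) return true;
    return false;
}

/* Parse "USER <name>\r\n" into dst (capacity dstlen). The bound is dstlen
 * itself, so the check cannot drift from the buffer the way the advisory
 * describes (a 512-byte disconnect guarding a buffer overrun at byte 242).
 * Over-long input is rejected, never truncated. */
enum user_result handle_user(const char *line, char *dst, size_t dstlen) {
    if (strncmp(line, "USER ", 5) != 0) return USER_BAD_SYNTAX;
    const char *arg = line + 5;
    size_t n = strcspn(arg, "\r\n");          /* argument ends at CRLF */
    if (n == 0) return USER_BAD_SYNTAX;
    if (n >= dstlen || n > USER_MAX) return USER_TOO_LONG;
    memcpy(dst, arg, n);
    dst[n] = '\0';
    return user_exists(dst) ? USER_OK : USER_UNKNOWN;
}

/* OK and UNKNOWN both answer "+OK" (RFC 1939 allows this), so a client
 * cannot enumerate accounts at USER; the real check happens at PASS. */
const char *user_reply(enum user_result r) {
    switch (r) {
    case USER_OK:
    case USER_UNKNOWN:  return "+OK";
    case USER_TOO_LONG: return "-ERR line too long";
    default:            return "-ERR syntax error";
    }
}

/* Run "USER " + len x 'x' + CRLF through the handler (offline check). */
enum user_result check_name_length(size_t len) {
    char line[1024], buf[USER_MAX + 1];
    if (len > sizeof line - 8) return USER_TOO_LONG;
    memcpy(line, "USER ", 5);
    memset(line + 5, 'x', len);
    memcpy(line + 5 + len, "\r\n", 3);
    return handle_user(line, buf, sizeof buf);
}
```

Compare with the behaviour in the advisory: a 300-byte name is refused with a short error and the connection state is unchanged, and the reply for user001 is indistinguishable from the reply for a real account.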