GroupWise Client Addressbook Integer Overflow (Sept 21, 2012)


GroupWise is a messaging and collaborative software platform from Novell that supports email, calendaring, personal information management, instant messaging, and document management. The platform consists of the client software, which is available for Windows, Mac OS X, and Linux, and the server software, which is supported on Windows Server, NetWare, and Linux. The latest generation of the platform is GroupWise 2012 which only supports Windows and Linux on Servers.

Novell GroupWise Client and a separate application Addressbook, which is bundled with the client, can import and export address book entries in .nab files. These files are similar to CSV (comma-separated values) files. The structure of the file is shown below:

 	Field					Description 	---------------------------------------------------- 					3-byte magic bytes 	TOKEN,"TOKEN", ... 		Header or data line 	... 

An integer-overflow vulnerability exists in Novell GroupWise Client and its bundled Addressbook application. When parsing tokens in a .nab file, the vulnerable codes assume the user supplied contents is within a limited size, and allocate a fixed buffer to copy the contents. If the size of the contents supplied by user is over that limit, the vulnerable code will calculate the size incorrectly, and cause an integer overflow. Remote attackers can exploit this vulnerability by enticing the target user to open a maliciously crafted .nab file. Successful exploitation would allow injection and execution of arbitrary code within the context of the currently logged-on user. Unsuccessful attack attempts will terminate the vulnerable program leading to a denial-of-service condition.

Dell SonicWALL UTM team has researched this vulnerability and provided a generic shellcode signature to detect the attacks addressing this issue:

  • 4297 Client Application Shellcode Exploit 1

This vulnerability has been assigned by CVE as CVE-2012-0418.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.