CVE-2006-0992 - Remote Buffer Overflow vulnerability in Novell GroupWise Messenger 2.0

CVSS 10.0 - CRITICAL (CVSS v2 vector AV:N/AC:L/Au:N/C:C/I:C/A:C, as recorded in the Nessus plugin below; the COMPLETE impact values are v2 metrics)
Attack vector: NETWORK
Attack complexity: LOW
Privileges required (authentication): NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, low complexity, novell, critical, nessus, exploit available, metasploit

Summary

Stack-based buffer overflow in Novell GroupWise Messenger before 2.0 Public Beta 2 allows remote attackers to execute arbitrary code via a long Accept-Language value without a comma or semicolon. The flaw is reachable without authentication through the Messaging Agent's HTTP listener (TCP 8300 by default, per the Exploit-DB and Nessus entries below). NOTE: due to a typo, the original ZDI advisory accidentally referenced CVE-2006-0092; CVE-2006-0992 is the correct identifier. Upgrade to GroupWise Messenger 2.0 Public Beta 2 to fix this issue (the Nessus plugin below recommends 2.0.1 beta3 or later).

Vulnerable Configurations

Part          Description   Count
Application   Novell        1

Exploit-Db

  • description: Novell Messenger Server 2.0 (Accept-Language) Remote Overflow Exploit. CVE-2006-0992. Remote exploit for novell platform
    file: exploits/novell/remote/1679.pm
    id: EDB-ID:1679
    last seen: 2016-01-31
    modified: 2006-04-15
    platform: novell
    port: 8300
    published: 2006-04-15
    reporter: H D Moore
    source: https://www.exploit-db.com/download/1679/
    title: Novell Messenger Server 2.0 Accept-Language Remote Overflow Exploit
    type: remote
  • description: Novell Messenger Server 2.0 Accept-Language Overflow. CVE-2006-0992. Remote exploit for windows platform
    id: EDB-ID:16757
    last seen: 2016-02-02
    modified: 2010-09-20
    published: 2010-09-20
    reporter: metasploit
    source: https://www.exploit-db.com/download/16757/
    title: Novell Messenger Server 2.0 Accept-Language Overflow

Metasploit

description: This module exploits a stack buffer overflow in Novell GroupWise Messenger Server v2.0. This flaw is triggered by any HTTP request with an Accept-Language header greater than 16 bytes. To overwrite the return address on the stack, we must first pass a memcpy() operation that uses pointers we supply. Due to the large list of restricted characters and the limitations of the current encoder modules, very few payloads are usable.
id: MSF:EXPLOIT/WINDOWS/HTTP/NOVELL_MESSENGER_ACCEPTLANG
last seen: 2020-06-13
modified: 2017-07-24
published: 2006-04-14
references: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0992
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/novell_messenger_acceptlang.rb
title: Novell Messenger Server 2.0 Accept-Language Overflow
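The bug class described in the Summary and in the Metasploit entry above (a fixed-size stack buffer receiving an Accept-Language token whose only delimiters are ',' and ';') is reconstructed below in C as an added illustration. This is not Novell's code, the Metasploit module or the Nessus plugin: the 16-byte buffer size is taken from the Metasploit description, and the function names, the stand-in "saved return address" field in the frame struct and the two sample requests are assumptions constructed for the demonstration. The unbounded copy is simulated inside a struct so the demonstration itself has defined behaviour; beside it is a bounded parser that rejects oversized tokens instead of silently truncating them.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed buffer size: the Metasploit description says any Accept-Language
 * value longer than 16 bytes triggers the overflow. */
#define LANG_BUF 16

/* Constructed requests for the demonstration (not captured traffic). */
#define REQ_BENIGN "GET / HTTP/1.0\r\nAccept-Language: en-US,en;q=0.8\r\n\r\n"
#define REQ_LONG   "GET / HTTP/1.0\r\nAccept-Language: " \
                   "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "\r\n\r\n"

/* Locate the Accept-Language value in a raw request; NULL if the header is absent. */
const char *accept_language_value(const char *request)
{
    static const char key[] = "\r\nAccept-Language:";
    const char *p = strstr(request, key);
    if (p == NULL)
        return NULL;
    p += sizeof key - 1;
    while (*p == ' ' || *p == '\t')
        p++;
    return p;
}

/* Length of the first language token. The flawed parser stopped only at the
 * ',' or ';' separating languages and q-values (the CVE text: "a long
 * Accept-Language value without a comma or semicolon"). End of line is also
 * treated as a stop here so the function can run over a raw request. */
size_t lang_token_len(const char *v)
{
    size_t n = 0;
    while (v[n] != '\0' && v[n] != ',' && v[n] != ';' && v[n] != '\r' && v[n] != '\n')
        n++;
    return n;
}

/* Stand-in stack frame (assumed layout): the token buffer followed by bytes
 * that play the role of the saved return address. */
struct frame {
    char buf[LANG_BUF];
    char saved_ret[8];
};

/* The vulnerable pattern, simulated: the original loop copies the whole token
 * into buf with no length check, so bytes past LANG_BUF land on saved_ret.
 * The copy is clamped to the frame size only so this demonstration stays
 * within defined behaviour. Returns 1 if saved_ret was clobbered, else 0. */
int overflow_clobbers_return(const char *v)
{
    struct frame f;
    size_t n = lang_token_len(v);
    size_t w = n < sizeof f ? n : sizeof f;

    memset(&f, 0, sizeof f);
    memcpy(f.saved_ret, "RETADDR", 8);
    memcpy((char *)&f, v, w);            /* byte view of the frame: the unbounded copy */
    return memcmp(f.saved_ret, "RETADDR", 8) != 0;
}

/* Hardened version: bounds-check before copying and reject oversized tokens
 * rather than truncating, so a malformed header never reaches the stack
 * buffer. Returns 0 on success, -1 if the token does not fit in outsz. */
int parse_primary_lang(const char *v, char *out, size_t outsz)
{
    size_t n = lang_token_len(v);
    if (outsz == 0)
        return -1;
    if (n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    memcpy(out, v, n);
    out[n] = '\0';
    return 0;
}

/* Convenience wrapper around a LANG_BUF-sized local buffer. */
int hardened_result(const char *v)
{
    char lang[LANG_BUF];
    return parse_primary_lang(v, lang, sizeof lang);
}

int main(void)
{
    const char *benign = accept_language_value(REQ_BENIGN);
    const char *longv  = accept_language_value(REQ_LONG);
    printf("benign: token %zu bytes, clobbers return: %d, hardened parser: %d\n",
           lang_token_len(benign), overflow_clobbers_return(benign), hardened_result(benign));
    printf("long:   token %zu bytes, clobbers return: %d, hardened parser: %d\n",
           lang_token_len(longv), overflow_clobbers_return(longv), hardened_result(longv));
    return 0;
}
```

Compile with any C99 compiler and run: the 40-byte token clobbers the stand-in return address while the bounded parser returns -1 for it, and the benign header passes both. The reconstruction models only the stack copy; the memcpy() with attacker-supplied pointers that the Metasploit description mentions as a prerequisite for control of the return address is not modelled here.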

Nessus

NASL family: Gain a shell remotely
NASL id: NMMA_OVERFLOW.NASL
description: The remote host is running Novell Messenger Messaging Agent, an enterprise instant messaging server for Windows, Linux, and Netware. This version of this service is running an HTTP server which is vulnerable to a stack overflow. An attacker can exploit this vulnerability to execute code on the remote host.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 21243
published: 2006-04-19
reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/21243
title: Novell GroupWise Messenger Accept Language Remote Overflow
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(21243);
  script_version("1.18");
  script_cvs_date("Date: 2018/11/15 20:50:22");

  script_cve_id("CVE-2006-0992");
  script_bugtraq_id (17503);

  script_name(english:"Novell GroupWise Messenger Accept Language Remote Overflow");
  script_summary(english:"Checks for Novell Messenger Messaging Agent Buffer overflow");
 
  script_set_attribute(attribute:"synopsis", value:
"It is possible to execute code on the remote web server.");
  script_set_attribute(attribute:"description", value:
"The remote host is running Novell Messenger Messaging Agent, an
enterprise instant messaging server for Windows, Linux, and Netware. 

This version of this service is running an HTTP server which is
vulnerable to a stack overflow. 

An attacker can exploit this vulnerability to execute code on the
remote host.");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-06-008/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Groupwise Messenger 2.0.1 beta3 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Novell Messenger Server 2.0 Accept-Language Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"plugin_publication_date", value:"2006/04/19");
  script_set_attribute(attribute:"vuln_publication_date", value:"2006/04/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/04/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();
 
  script_category(ACT_GATHER_INFO);
  script_family(english:"Gain a shell remotely");
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  script_dependencie("nmma_detection.nasl");
  script_exclude_keys('Settings/disable_cgi_scanning');
  script_require_ports("Services/www", 8300);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:8300); 
if (!get_kb_item("Novell/NMMA/" + port)) exit(0, "Novell NMMA was not detected on port "+port+".");

# getlocation command was not in 2.0.0
data = string ("GET /getlocation HTTP/1.0\r\n\r\n");
w = http_send_recv_buf(port: port, data: data, exit_on_fail:TRUE);
buf = strcat(w[0], w[1], '\r\n', w[2]);

# patched version replies with the download page

if (egrep (pattern:"^HTTP/1.0 200", string:buf) && ("NM_A_SZ_RESULT_CODE" >!< buf))
  security_hole(port);

Packetstorm

data source: https://packetstormsecurity.com/files/download/83166/novell_messenger_acceptlang.rb.txt
id: PACKETSTORM:83166
last seen: 2016-12-05
published: 2009-11-26
reporter: H D Moore
source: https://packetstormsecurity.com/files/83166/Novell-Messenger-Server-2.0-Accept-Language-Overflow.html
title: Novell Messenger Server 2.0 Accept-Language Overflow

Saint

bid: 17503
description: Novell GroupWise Messenger Accept-Language buffer overflow
id: mail_web_groupwisemessenger
osvdb: 24617
title: groupwise_messenger_accept_language
type: remote