GroupWise Client Addressbook Integer Overflow

September 21, 2012

GroupWise is a messaging and collaborative software platform from Novell that supports email, calendaring, personal information management, instant messaging, and document management. The platform consists of the client software, which is available for Windows, Mac OS X, and Linux, and the server software, which is supported on Windows Server, NetWare, and Linux. The latest generation of the platform is GroupWise 2012 which only supports Windows and Linux on Servers.

Novell GroupWise Client and a separate application Addressbook, which is bundled with the client, can import and export address book entries in .nab files. These files are similar to CSV (comma-separated values) files. The structure of the file is shown below:

 	Field					Description 	---------------------------------------------------- 					3-byte magic bytes 	TOKEN,"TOKEN", ... 		Header or data line 	... 

An integer-overflow vulnerability exists in Novell GroupWise Client and its bundled Addressbook application. When parsing tokens in a .nab file, the vulnerable codes assume the user supplied contents is within a limited size, and allocate a fixed buffer to copy the contents. If the size of the contents supplied by user is over that limit, the vulnerable code will calculate the size incorrectly, and cause an integer overflow. Remote attackers can exploit this vulnerability by enticing the target user to open a maliciously crafted .nab file. Successful exploitation would allow injection and execution of arbitrary code within the context of the currently logged-on user. Unsuccessful attack attempts will terminate the vulnerable program leading to a denial-of-service condition.

Dell SonicWALL UTM team has researched this vulnerability and provided a generic shellcode signature to detect the attacks addressing this issue:

  • 4297 Client Application Shellcode Exploit 1

This vulnerability has been assigned by CVE as CVE-2012-0418.