Novell GroupWise Internet Agent Content-Type BO

November 18, 2010

GroupWise is a messaging and collaborative software platform from Novell that supports email, calendaring, personal information management, instant messaging, and document management. The platform consists of the client software, which is available for Windows, Mac OS X, and Linux, and the server software, which is supported on Windows Server, NetWare, and Linux. The latest generation of the platform is GroupWise 8. Novell GroupWise Internet Agent is a component of Novell GroupWise and provides email services, supporting SMTP, POP, and IMAP protocols.

Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-mail) transmission across Internet Protocol (IP) networks. SMTP was first defined by RFC 821 and last updated by RFC 5321 (2008). SMTP is specified for outgoing mail transport and uses TCP port 25. A typical example of sending a message via SMTP to two mailboxes (alice and theboss) located in the same mail domain ( is reproduced in the following session exchange:

 S: 220 ESMTP Postfix C: HELO S: 250 Hello, I am glad to meet you C: MAIL FROM: S: 250 Ok C: RCPT TO: S: 250 Ok C: RCPT TO: S: 250 Ok C: DATA S: 354 End data with . C: From: "Bob Example"  C: To: "Alice Example"  C: Cc: C: Date: Tue, 15 Jan 2008 16:02:43 -0500 C: Subject: Test message C: C: Hello Alice. C: This is a test message with 5 header fields and 4 lines in the message body. C: Your friend, C: Bob C: . S: 250 Ok: queued as 12345 C: QUIT S: 221 Bye 

A Content-Type header is an option header for a SMTP traffic, which is used to declare the general type of data, while the subtype specifies a specific format for that type of data. A Content-Type of "text/plain" is sufficient to tell an agent that the data is text. Additional entities in the field are separated by a semicolon. The Content-Type header has the following format:

 Content-Type: text/plain; [OTHER ENTITIES] 

A buffer-overflow vulnerability exists in the Novell GroupWise Internet Agent service. More specifically, the vulnerability is due to a boundary failure in the methods responsible for processing the data inside the Content-Type header field of the message being processed. Remote attackers could exploit this vulnerability by supplying a specially crafted "Content-Type" header to the server, which allows for arbitrary code injection and execution with SYSTEM privileges.

SonicWALL UTM team has researched this vulnerability and created the following IPS signatures to detect the attacks addressing this vulnerability.

  • 6010 Novell GroupWise Internet Agent Content-Type BO
  • 6011 Novell GroupWise Internet Agent Content-Type BO 2

This vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier.