
Novell GroupWise 'mailto' URI handler buffer overflow vulnerability

Written by Nathan McFeters, Contributor

Researcher Juan Pablo Lopez Yacubian has reported another URI abuse exploit.

From Security Focus:

Novell GroupWise is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

Successfully exploiting this issue will allow an attacker to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

This issue affects GroupWise 7.0; other versions may also be affected.  

Hmm... When I mentioned URI abuse last week, I said there would be more, didn't I?

I'm working on a few myself. This one is pretty nasty since most browsers will accept mailto: URIs without any confirmation, meaning you get cross-site scripted, it forces the trigger of a mailto URI, and you're pwned. Game over, thanks for playing.

The researcher attached code to Security Focus as a proof of concept, and here's the actual code from that Python file:

#!/usr/bin/python

a = "<iframe src='mailto:"
a += "A" * 1530
a += "\x61\x61\x61\x61"
a += "' width='320' height='300' scrolling='yes' name='content'></iframe>"

file = open("test.html", "w")
file.write(a)
file.close()

So, basically, this is a simple Python script that will create the exploit code for you, which you would then deploy using cross-site scripting or host on your own page, whatever. The code does not contain a malicious payload; it's simply a proof of concept to cause the crash, so feel free to play with it if you'd like.
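
A defensive counterpart to the proof of concept above, added here as an example and not part of the original post or the researcher's code: it audits HTML for mailto: URIs that are oversized or sit in attributes a browser loads without a click. The 512-character limit and the tag list are assumptions, not values from the advisory.

```python
from html.parser import HTMLParser

# Assumed policy (not from the advisory): mailto: URIs longer than this are suspicious.
MAX_MAILTO_LEN = 512
# (tag, attribute) pairs that a browser resolves without user interaction.
AUTO_LOAD = {("iframe", "src"), ("frame", "src"), ("img", "src"),
             ("embed", "src"), ("object", "data")}
URI_ATTRS = {"src", "href", "data", "action"}


class MailtoAuditor(HTMLParser):
    """Collects mailto: URIs that are oversized or load without a click."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes entities in attribute
        # values, so '&#109;ailto:' is seen here as 'mailto:'.
        for name, value in attrs:
            if name not in URI_ATTRS or not value:
                continue
            uri = value.strip()
            if not uri.lower().startswith("mailto:"):
                continue
            reasons = []
            if len(uri) > MAX_MAILTO_LEN:
                reasons.append("oversized")
            if (tag, name) in AUTO_LOAD:
                reasons.append("auto-load")
            if reasons:
                line, _ = self.getpos()
                self.findings.append((line, tag, name, len(uri), reasons))


def audit_html(html):
    """Return (line, tag, attribute, uri_length, reasons) for each finding."""
    auditor = MailtoAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: a normal contact link, an oversized mailto in an
# iframe, and an entity-encoded mailto in an image tag.
SAMPLE = ("<p><a href='mailto:help@example.com'>Contact</a></p>\n"
          "<iframe src='mailto:" + "x" * 2000 + "@example.com'></iframe>\n"
          "<img src='&#109;ailto:a@example.com'>\n")

if __name__ == "__main__":
    for finding in audit_html(SAMPLE):
        print(finding)
```

The same check can run in a mail gateway or web proxy content filter; a clicked `href` link is reported only when it exceeds the length limit.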

On to Juan Pablo, congrats to him.  He's on a roll.  This is the same researcher that earlier this week brought us another Trillian exploit.

-Nate
