CVE-2008-2703
published 2008-06-13

CVE-2008-2703: Multiple stack-based buffer overflows in Novell GroupWise Messenger (GWIM) Client before 2.0.3 HP1 for Windows allow remote attackers to execute arbitrary code…

Priority: P265 · Severity: critical · CVSS 2.0 score: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 61.12% (99.0th percentile)
Multiple stack-based buffer overflows in Novell GroupWise Messenger (GWIM) Client before 2.0.3 HP1 for Windows allow remote attackers to execute arbitrary code via "spoofed server responses" that contain a long string after the NM_A_SZ_TRANSACTION_ID field name.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
novell | groupwise_messenger | |
novell | groupwise_messenger | |
novell | groupwise_messenger | |

Detection & IOCs (extracted from sources)

  • The exploit operates as a rogue/spoofed HTTP server on TCP port 8300. Detect unexpected inbound connections from clients to non-standard servers on port 8300 responding with HTTP/1.0 200 and NM_A_SZ_TRANSACTION_ID fields.
  • The malicious server response contains the literal field name 'NM_A_SZ_TRANSACTION_ID' followed by an oversized buffer (e.g., 5000 'A' characters). Inspect HTTP responses on port 8300 for this field name followed by anomalously large data.
  • The stack pivot prepend stub \x81\xc4\xff\xef\xff\xff\x44 (ADD ESP,-0x1001 / INC ESP) appears at the start of the encoded payload. Scan for this byte sequence in HTTP response bodies on port 8300.
  • The PoC fake server appends a crash buffer of 5000 'A' bytes after the NM_A_SZ_TRANSACTION_ID response. A response body containing 'NM_A_SZ_TRANSACTION_ID' followed by a long run of repeated bytes is a strong indicator of exploitation.
  • The return address 0x502de115 is specific to Novell GroupWise Messenger 2.0 Client and 0x1000e105 to version 1.0; these hardcoded RET values will not apply to patched (2.0.3 HP1+) or other versions.
  • Payload space is limited to 750 bytes with AlphanumUpper encoding enforced; payloads exceeding this or containing bad chars \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c will fail.
  • Only Windows versions of Novell GroupWise Messenger Client prior to 2.0.3 HP1 are affected; the exploit platform is explicitly 'win'.
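
The response checks listed above, written out as an added detection example (not code from this page or from the sources it quotes). The thresholds MAX_TRAILING and MIN_RUN, the function names, and the sample flows are assumptions constructed for illustration, as is treating every byte after the field name as that field's data.

```python
import re

GWIM_PORT = 8300                              # server port named on this page
FIELD = b"NM_A_SZ_TRANSACTION_ID"             # field name named on this page
PIVOT_STUB = b"\x81\xc4\xff\xef\xff\xff\x44"  # stub bytes listed on this page
MAX_TRAILING = 256   # assumption: ceiling for data following the field name
MIN_RUN = 64         # assumption: repeated-byte run length worth flagging

# One byte repeated at least MIN_RUN times in a row.
_RUN = re.compile(rb"(.)\1{%d,}" % (MIN_RUN - 1), re.DOTALL)


def inspect_response(payload: bytes) -> list:
    """Return the indicator names found in one server-to-client response."""
    findings = []
    pos = payload.find(FIELD)
    if pos == -1:
        return findings          # field absent: nothing to evaluate
    trailing = payload[pos + len(FIELD):]
    if len(trailing) > MAX_TRAILING:
        findings.append("oversized_data_after_field")
    if _RUN.search(trailing):
        findings.append("repeated_byte_run")
    if PIVOT_STUB in payload:
        findings.append("stack_pivot_stub")
    return findings


def scan(flows):
    """flows: iterable of (server_port, payload). Returns {index: findings}."""
    alerts = {}
    for i, (port, payload) in enumerate(flows):
        if port != GWIM_PORT:
            continue             # only responses served from port 8300
        hits = inspect_response(payload)
        if hits:
            alerts[i] = hits
    return alerts


# Constructed sample flows; the framing is illustrative, not captured traffic.
SAMPLE_FLOWS = [
    (8300, b"HTTP/1.0 200 OK\r\n\r\n" + FIELD + b"\x0017"),
    (8300, b"HTTP/1.0 200\r\n\r\n" + FIELD + b"A" * 5000),
    (8300, b"HTTP/1.0 200\r\n\r\n" + FIELD + PIVOT_STUB + b"B" * 40),
    (80, FIELD + b"A" * 5000),
]

if __name__ == "__main__":
    print(scan(SAMPLE_FLOWS))
```

Tune both thresholds against responses from the legitimate GroupWise Messenger server in your environment before alerting on them.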