CVE-2008-2703
Published 2008-06-13
Priority: P2 (score 65) · Severity: critical · CVSS 2.0 base score: 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 61.12% (99.0th percentile)
Multiple stack-based buffer overflows in Novell GroupWise Messenger (GWIM) Client before 2.0.3 HP1 for Windows allow remote attackers to execute arbitrary code via "spoofed server responses" that contain a long string after the NM_A_SZ_TRANSACTION_ID field name.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| novell | groupwise_messenger | — | — |
| novell | groupwise_messenger | — | — |
| novell | groupwise_messenger | — | — |
Detection & IOCs (extracted from sources)
- The exploit runs as a rogue (spoofed) HTTP server on TCP port 8300 and waits for the Messenger client to connect to it. Flag client connections on port 8300 to hosts other than the organisation's legitimate GroupWise Messenger server, especially where the server answers with HTTP/1.0 200 and a body carrying NM_A_SZ_TRANSACTION_ID fields.
- The malicious server response contains the literal field name 'NM_A_SZ_TRANSACTION_ID' followed by an oversized buffer (the PoC uses 5000 'A' characters). Inspect HTTP response bodies on port 8300 for this field name followed by anomalously large data.
- The stack pivot prepend stub \x81\xc4\xff\xef\xff\xff\x44 (ADD ESP,-0x1001 ; INC ESP, a net adjustment of ESP-0x1000) precedes the encoded payload. Scan HTTP response bodies on port 8300 for this byte sequence.
- The PoC fake server appends a crash buffer of 5000 'A' bytes after the NM_A_SZ_TRANSACTION_ID field. A response body in which that field name is followed by a long run of one repeated byte is a strong indicator of exploitation or of a crash test.
- The hardcoded return addresses 0x502de115 (GroupWise Messenger 2.0 Client) and 0x1000e105 (version 1.0) are specific to those builds; they will not apply to patched (2.0.3 HP1 and later) or other versions.
- Payload space is limited to 750 bytes and the module enforces the AlphanumUpper encoder; payloads larger than that, or containing any of the bad characters \x00 \x3a \x26 \x3f \x25 \x23 \x20 \x0a \x0d \x2f \x2b \x0b \x5c, will fail.
- Only Windows builds of the Novell GroupWise Messenger Client before 2.0.3 HP1 are affected; the module's platform is explicitly 'win'.
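The checks in the list above, as an added example in Python (not code from this page, from the Metasploit module or from the PoC author): it scans a captured HTTP response from a server on TCP/8300 for the NM_A_SZ_TRANSACTION_ID field followed by an oversized value, for a long run of one repeated byte after the field name, and for the ADD ESP,-0x1001 / INC ESP pivot stub. The thresholds, the handling of the separator between field name and value, and the three sample responses are constructed assumptions, marked as such in the code.

```python
"""Scan captured GroupWise Messenger server responses for CVE-2008-2703 indicators.

Added example for this page; it is not code from the Metasploit module or the
PoC above.  Thresholds, separator handling and the sample responses are
constructed assumptions, labelled where they appear.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

FIELD = b"NM_A_SZ_TRANSACTION_ID"
# add esp,-0x1001 ; inc esp  (the pivot stub quoted in the IOC list)
PIVOT_STUB = b"\x81\xc4\xff\xef\xff\xff\x44"
MAX_SANE_VALUE = 256    # assumption: a genuine transaction id is far shorter than this
MIN_REPEAT_RUN = 512    # assumption: this many identical bytes in a row is filler, not data


@dataclass
class Verdict:
    suspicious: bool
    value_len: int = 0
    reasons: List[str] = field(default_factory=list)


def value_after_field(body: bytes) -> Optional[bytes]:
    """Return the bytes following the field name, or None if the field is absent.

    The value is taken up to the next NUL, CR or LF.  Those three bytes are in
    the exploit's bad-character list, so an injected buffer cannot contain them
    and this bound cannot cut it short.
    """
    idx = body.find(FIELD)
    if idx < 0:
        return None
    rest = body[idx + len(FIELD):]
    # Tolerate one separator byte between name and value (assumption: the page
    # does not spell out the wire format between field name and value).
    if rest[:1] in (b"\x00", b"=", b":", b" ", b"\t"):
        rest = rest[1:]
    return re.match(rb"[^\x00\r\n]*", rest).group(0)


def longest_run(data: bytes) -> int:
    """Length of the longest run of a single repeated byte value."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def inspect_response(raw: bytes) -> Verdict:
    """Classify one raw HTTP response captured from a server on TCP/8300."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:                 # no header/body split: scan the whole buffer
        head, body = b"", raw
    value = value_after_field(body)
    if value is None:
        return Verdict(suspicious=False)
    v = Verdict(suspicious=False, value_len=len(value))
    if len(value) > MAX_SANE_VALUE:
        v.reasons.append("oversized NM_A_SZ_TRANSACTION_ID value (%d bytes)" % len(value))
    if longest_run(value) >= MIN_REPEAT_RUN:
        v.reasons.append("long run of one repeated byte after the field name")
    if PIVOT_STUB in body:
        v.reasons.append("ADD ESP,-0x1001 / INC ESP pivot stub present")
    v.suspicious = bool(v.reasons)
    return v


# Constructed sample responses (not real captures).
_HDR = b"HTTP/1.0 200 \r\nDate: Sat, 05 Jul 2008 12:00:00 GMT\r\n\r\n"
BENIGN_RESPONSE = _HDR + FIELD + b"\x00" + b"1215259200001" + b"\x00"
CRASH_RESPONSE = _HDR + FIELD + b"\x00" + b"A" * 5000           # the PoC's crash buffer
PIVOT_RESPONSE = _HDR + FIELD + b"\x00" + b"B" * 200 + PIVOT_STUB + b"X" * 40

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_RESPONSE),
                         ("crash", CRASH_RESPONSE),
                         ("pivot", PIVOT_RESPONSE)):
        print(name, inspect_response(sample))
```

The value is cut at the first NUL, CR or LF because all three sit in the module's bad-character list, so an exploit buffer cannot contain them; a benign transaction ID would simply measure short. Calibrate MAX_SANE_VALUE against traffic from the legitimate Messenger server before alerting on it, and treat the pivot-stub match as the highest-confidence signal of the three, since 5000 repeated bytes only prove a crash attempt.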
No detection rules found.
Exploit-DB
Novell Groupwise Messenger Client - Remote Buffer Overflow (Metasploit) · exploitdb · 2010-06-22 · CVE-2008-2703
---
##
# $Id: groupwisemessenger_client.rb 9583 2010-06-22 19:11:05Z todb $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# Class header and initialize() preamble restored: the page's copy lost the text
# between '<' and the first '=>' when it was rendered.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Novell GroupWise Messenger Client Buffer Overflow',
      'Description' => %q{
          This module exploits a stack buffer overflow in Novell's GroupWise Messenger Client.
          By sending a specially crafted HTTP response, an attacker may be able to execute
          arbitrary code.
      },
      'Author'      => 'MC',
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 9583 $',
      'References'  =>
        [
          [ 'CVE', '2008-2
Exploit-DB
Novell Groupwise Messenger 2.0 Client - Buffer Overflow · exploitdb · 2008-07-02 · CVE-2008-2703
---
source: https://www.securityfocus.com/bid/29602/info
Novell GroupWise Messenger is prone to two buffer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.
Attackers can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
Versions prior to Novell GroupWise Messenger 2.0.3 HP1 are vulnerable.
#!/usr/bin/perl -w
##
#Simple fake groupwise msn server.
#Date: 07/02/2008
#[ISR] - www.infobyte.com.ar
#Author: Francisco Amato
##
use strict;
use IO::Socket;
use Data::Dump qw(dump);
my $port=8300;
my $conn="HTTP/1.0 200 \r\nDate: Sat,
Metasploit
Novell GroupWise Messenger Client Buffer Overflow
This module exploits a stack buffer overflow in Novell's GroupWise Messenger Client. By sending a specially crafted HTTP response, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/30576
- http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5026700.html
- http://www.securityfocus.com/archive/1/493964/100/0/threaded
- http://www.securityfocus.com/bid/29602
- http://www.securitytracker.com/id?1020209
- http://www.vupen.com/english/advisories/2008/1764/references
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42917