COMMAND

    GroupWise

SYSTEMS AFFECTED

    Novell IntranetWare

PROBLEM

    Simple Nomad issued the following.  A remote buffer overflow
    condition exists in the Novell GroupWise Internet Gateway (GWIA)
    that permits DoS attacks and possibly execution of malicious code.
    The overflow happens in the string parsing of the USER command in
    the POP3 daemon, and in the command parsing of the LDAP daemon.
    The bug was tested with the following configuration:

        Novell Intranetware
        Intranetware Service Pack 5
        TCP/IP TCPN05 patch
        Novell BorderManager 2.1.0
        BorderManager Service pack 2.0D
        GroupWise 5.2
        GroupWise Service pack 3

    POP3
    ====
    When connecting to the POP3 daemon and issuing the USER command
    with a user name of 512 bytes or longer you simply get
    disconnected.  That is normal.  But if you give a user name longer
    than 241 bytes the execution stack gets smashed.  On our system it
    got filled with the hex value of the ASCII name provided, starting
    at byte 242.  Ex:

        -> Telnet buggy.groupwise
        <- Groupwise blabla blabla ....
        -> USER xxxxxxxxxxxxxxxx ..... xxxxxxxxxXXXXXXXXXXXXXXXXXXXXXXX
                                          byte: 241||242
                                                   ||
                                        smash   <--  --> exec stack filled
                                        by what follows

    When SP5 is installed, the NLM will abend but not the server.
    Little bonus: when issuing the USER command with a plausible user
    name (ex: user001) that doesn't exist you get the reply
    "-ERR user not found" and are still connected.  Since an existing
    account is answered differently, this lets a remote attacker
    enumerate valid accounts without any credentials.

    LDAP
    ====
    The same problem, with a twist that makes it worse: the size of
    the command string is virtually unlimited.

    Additionally, it should be noted that there is currently no  known
    exploit that allows remote execution of code on a NetWare  server,
    but overflow conditions like  this certainly would help  open that
    door.

    IMAP
    ====
    There is also a buffer overflow condition in the IMAP daemon's
    handling of the user name.

SOLUTION

    Novell issued gwia551.exe (Document ID: 2942874).  This patch is
    only for the GroupWise 5.5 GWIA gateway.  It fixes the buffer
    overflow in the 5.5 version of the GroupWise Internet Agent
    reported by the N.M.R.C. (Nomad Mobile Research Centre) advisory.
    Get it from:
    Get it from:

        ftp://ftp.novell.com/pub/updates/grpware/grpwise/gwia551.exe

    This patch supposedly fixes the POP3 and IMAP vulnerabilities; the
    LDAP issue is not named in its description.  If you are not on
    version 5.5 (the configuration tested above was GroupWise 5.2 SP3)
    you cannot apply the patch, so you have to upgrade first.