Attacker Value: Unknown (1 user assessed)
Exploitability: Unknown (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

Novell Unicode Buffer Overflow

Last updated February 13, 2020

Description

The Novell Messenger Client is prone to an overflow condition. The application fails to properly sanitize user-supplied input resulting in a stack-based buffer overflow. With a specially crafted contact list file containing an arbitrary ‘name’ value of a ‘folder’ tag, a context-dependent attacker can potentially cause arbitrary code execution.
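
A defensive triage check for the condition described above, added here as an example (it is not from the advisory or from Novell): it flags `folder` tags whose `name` value is unusually long or never terminated, so a contact list file can be checked before it is imported. The XML-like `<folder name="...">` layout, the 256-character limit and the sample inputs are assumptions; the page gives neither the file format nor the buffer size.

```python
import re

MAX_NAME_CHARS = 256  # assumed policy limit, not a value from the advisory

# Assumed layout: <folder name="..."> elements in an XML-like contact list.
_FOLDER_NAME = re.compile(
    r"""<\s*folder\b[^>]*?\bname\s*=\s*(["'])(.*?)(\1|\Z)""",
    re.IGNORECASE | re.DOTALL,
)

def decode_contact_list(raw: bytes) -> str:
    """Decode by BOM, falling back to UTF-8; undecodable bytes are replaced."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16", errors="replace")
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw[3:].decode("utf-8", errors="replace")
    return raw.decode("utf-8", errors="replace")

def scan_contact_list(raw: bytes, max_chars: int = MAX_NAME_CHARS) -> list:
    """Return one finding per suspicious folder name.

    A regex scan is used instead of a strict XML parser because a crafted
    file may be malformed and would simply be rejected by the parser.
    """
    findings = []
    text = decode_contact_list(raw)
    for m in _FOLDER_NAME.finditer(text):
        value, closed = m.group(2), bool(m.group(3))
        reasons = []
        if len(value) > max_chars:
            reasons.append("name longer than %d characters" % max_chars)
        if not closed:
            reasons.append("unterminated name attribute")
        if reasons:
            findings.append(
                {"offset": m.start(), "length": len(value), "reasons": reasons}
            )
    return findings

# Constructed sample inputs (not taken from a real contact list file).
BENIGN = b'<contacts><folder name="Friends"><contact id="a"/></folder></contacts>'
OVERSIZED = b'<contacts><folder name="' + b"A" * 5000 + b'"></folder></contacts>'
TRUNCATED = b'<contacts><folder name="' + b"B" * 10

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("oversized", OVERSIZED),
                          ("truncated", TRUNCATED)):
        print(label, scan_contact_list(sample))
```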

Technical Analysis

```
[+] Processing arguments and criteria

- Pointer access level : X
- Pointer criteria : ['unicoderev']

[+] Generating module info table, hang on...

- Processing modules
- Done. Let's rock 'n roll.

[+] Querying 56 modules

- Querying module NMCP32.DLL

*** ERROR: Module load completed but symbols could not be loaded for C:\WINDOWS\system32\xpsp2res.dll

- Querying module urlmon.dll
- Querying module msxml3.dll
- Querying module CRYPT32.dll
- Querying module MSASN1.dll
- Querying module kernel32.dll
- Querying module msvcrt.dll
- Querying module GDI32.dll
- Querying module ntdll.dll
- Querying module nmcd32.dll
- Querying module wshtcpip.dll
- Querying module WS2_32.dll
- Querying module SENSAPI.DLL
- Querying module ATL.DLL
- Querying module CRYPTUI.dll
- Querying module WININET.dll
- Querying module CLBCATQ.DLL
- Querying module Secur32.dll
- Querying module WSOCK32.dll
- Querying module rsaenh.dll
- Querying module WS2HELP.dll
- Querying module ole32.dll
- Querying module SHLWAPI.dll
- Querying module hnetcfg.dll
- Querying module NMCH32.DLL
- Querying module USER32.dll
- Querying module comdlg32.dll
- Querying module IMAGEHLP.dll
- Querying module shdocvw.dll
- Querying module NMCLEN.DLL
- Querying module WINTRUST.dll
- Querying module COMRes.dll
- Querying module cscui.dll
- Querying module OLEAUT32.dll
- Querying module NETAPI32.dll
- Querying module SHELL32.dll
- Querying module RPCRT4.dll
- Querying module CSCDLL.dll
- Querying module mlang.dll
- Querying module NMCL32.exe
- Querying module USERENV.dll
- Querying module nmenv2.dll
- Querying module COMCTL32.dll
- Querying module MSCTF.dll
- Querying module WLDAP32.dll
- Querying module VERSION.dll
- Querying module mswsock.dll
- Querying module appHelp.dll
- Querying module browseui.dll
- Querying module NMCA32.DLL
- Querying module RichEd20.Dll
- Querying module UxTheme.dll
- Querying module ADVAPI32.dll
- Querying module LINKINFO.dll
- Querying module SETUPAPI.dll
- Querying module ntshrui.dll
- Search complete, processing results

[+] Preparing output file 'jmp.txt'

- (Re)setting logfile jmp.txt

Done. Found 0 pointers
[+] This mona.py action took 0:02:13.578000
```

  • On the other hand, I’ve installed the Linux client, but it’s Java software, so there isn’t memory corruption, just a message warning about the malformed file.
