|CVSS SCORE||10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)|
|TIPPINGPOINT™ IPS CUSTOMER PROTECTION||TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 10328. For further product information on the TippingPoint IPS: http://www.tippingpoint.com|
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell Groupwise. Authentication is not required to exploit this vulnerability.
The specific flaw exists in a function responsible for assembling an HTTP response. The following modules implement this functionality: gwpoa.exe, gwmta.exe, gwia.exe. When responding to an HTTP request sent to TCP port 7101 or 7100 or in the case of gwia.exe the user configured "Message Transfer Port", the process uses the client-specified "Host: " header to create an HTTP 301 redirection message. Within this code a local stack buffer is used to store the redirect location and can be overflown with a sufficiently long header value. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM user.
Linux - http://download.novell.com/Download?buildid=04oMMaiI9nI~
The HTTP interfaces for the GroupWise agents (Message Transfer Agent, Post Office Agent, Internet Agent, WebAccess Agent, Monitor Agent) are vulnerable to an exploit that could allow a remote attacker to execute arbitrary code on vulnerable installations of Novell Groupwise. Authentication is not required to exploit this vulnerability.